CoreText Font Rendering Bug Leads To iOS, OS X Exploit 178
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well."
Re:Who says? (Score:5, Informative)
Re:Who says? (Score:4, Informative)
Was going to post that but you beat me to it. The details:
Headline: "Four Out of Five Malware Menaces Choose Android"
80%? They make it sound so close! It's actually 100:1 for Android:iOS: "Android was targeted by an astonishing 79 percent of all smartphone malware that year... iOS was targeted by 0.7 percent of malware attacks."
The rest? Windows Phone and BlackBerry, 0.3%; Symbian, 19%.
Here's a link to the crasher string in question (Score:5, Informative)
Here's a link to the crasher string in question:
http://pastebin.com/kDhu72fh
(warning: will crash Safari on OS X 10.8. Firefox doesn't crash.)
Re:Who says? (Score:5, Informative)
Re:Le sigh. (Score:5, Informative)
Did you know that TTF fonts are turing complete?
http://en.wikipedia.org/wiki/True_Type_Font#Hinting_language [wikipedia.org]
"It really worries me that the FreeType font library is now being made to accept untrusted content from the web.
The library probably wasnâ(TM)t written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executable on a computer, and itâ(TM)s already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.
It is a very large library that actually includes a virtual machine that has been rewritten from pascal to single-threaded non-reentrant C to reentrant C⦠The code is extremely hairy and hard to review, especially for the VM."
http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/ [hackademix.net]
Re:iOS doesn't have exploits (Score:5, Informative)
I thought Apple added address space randomization back in Leopard? What happened?
The problem that was reported leads to a crash. A crash is _safe_. An attacker can't gain any advantage by crashing your computer. They can merely annoy you.
Address Space Randomization cannot prevent crashes. Its purpose is to prevent crashes being turned into exploits. An attacker does two things: Find a way to make your software fail, then find a way to turn that failure into an advantage for the attacker. The second part is where Address Space Randomization comes in. The next step is Sandboxing, where even if the attacker finds a way past ASR and takes over your code, your code would be in a sandbox and can't do any harm outside.
Re:Who says? (Score:4, Informative)
Secure? Maybe, maybe not. Having less malware does not mean something is more secure, after all. More safe? Definitely so, since having less malware means that there is simply less danger. A walled garden in the country side is more safe but less secure than an apartment with bars over all the windows in the middle of the city, after all, and safety is what is more important overall, rather than security.
Of course, that doesn't excuse a company to fail at securing their products, just because no one has attacked them yet, but by all indications, the "security through obscurity" argument doesn't hold much water in this case, given that iPhone users are consistently shown to be disproportionately profitable to target and that they continue to sell extremely well overall (even the report you linked cites the fact that this is an expected low as part of the regular product cycle for the line and that they expect the iPhone to recapture its lost market share with the launch of the new iPhone this quarter).
Long story short, Android appears to be less secure and less safe. Which is to be expected, given the fact that developers are able to do a lot more on Android than they can on iOS, so it's not without its upsides, by any means. But that added capability (and the fact that every carrier/manufacturer makes their own tweaks that can open up vulnerabilities) comes at a price, and in this case, it's security.
Re:Here's a link to the crasher string in question (Score:4, Informative)
Confirmed Safari crash on 10.8. However, on iOS 7, it does not crash. It looks like this will be patched on mobile within the next couple of weeks. I can't test iOS 6, so I'll take others' word for it.
Re:Le sigh. (Score:4, Informative)
Desktop publishing has used embedded, Turing-complete languages for decades -- TeX is Turing-complete, as is XSLT. It's the best and most compact way of specifying an abstract image for a generic rasterizing displays of arbitrary resolution.