Forgot your password?
typodupeerror
Bug IOS OS X Security Apple

CoreText Font Rendering Bug Leads To iOS, OS X Exploit 178

Posted by timothy
from the click-carefully dept.
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well."
This discussion has been archived. No new comments can be posted.

CoreText Font Rendering Bug Leads To iOS, OS X Exploit

Comments Filter:
  • Re:Who says? (Score:5, Interesting)

    by RoboJ1M (992925) on Thursday August 29, 2013 @02:09PM (#44708681)

    Agreed.

    It's the same as Windows, you just target what gets you the largest return. Organised crime is a business, just like any other.
    However there is still the walled garden thing, even if Apple went back up to a 50:50 market share with Android, Android would get targeted more because every Android user can choose to install any application and give that app the permission to email their bank details to Russia.

    With iOS they have to wait for a good ol' fashioned buffer overflow before they can grab anything I guess.
    Unless you get that with iOS too? I don't know I've never owned one.

    But the 8:2 logic holds up, when the sample size it that large I'm guessing that's exactly the reason why.

    Ultimately it's all moot.

    If Apple had 100% of the market share this is what would happen:

    The crims would send everyone sms/emails with links to pages that asked them for their passwords an X percent of users would give it to them.

    No amount of security or walled gardens get around the fact most of you are really really thick.

    You don't have to install Cute Kitty Wallpapers with internet, sms and bank details access.
    Because that's all this "malware" is, it's not big or clever, 50% are just from the wrong side of the bell curve.

    Oh, an I use Linux.
    On the Desktop.
    Well, I used to, because who the hell uses a desktop anymore anyway?
    Have you seen this cute screensaver I found!!!

  • Re:Le sigh. (Score:4, Interesting)

    by VortexCortex (1117377) <VortexCortex@ p ... r e trograde.com> on Thursday August 29, 2013 @02:24PM (#44708851)

    Okay, am I the only one that thinks that if you can't design something that renders text onto a screen without it turning into the Ocean's Eleven of computer security, you're doing it wrong? Be honest now guys. I can understand this in something that needs to interpret complex animations of dancing toilet paper flying across my screen screaming "Buy meeeee, pleeeeeeease!" -- I don't approve, but I can see how someone could screw it up.

    But text... really guys, I mean, really?

    I really get where you're coming from... However, Unicode is a PITA to implement, what with multiple glyphs for compositions / decompositions and BIDI (text direction rules) -- which change depending on paragraph direction and state machine. That's just the character encoding! To actually render the fonts there's a tiny VM that decodes the glyphs and handles sub-pixel hinting, etc. A bitmap ASCII (CP437) font? Done. I can crank one out in an hour, tops... Unicode w/ TrueType or FreeType? Ugh. I mean, just getting the character property tables from the Unicode site downloaded and transformed from CSV to the format we need is a project in of itself. The bugs in every last 3rd party library ever encountered (even libPNG), I'm hesitant to use other's code unless I have to (I have a higher standard -- input fuzzing, code coverage and unit testing for everything), but bugs in today's text rendering systems aren't just expected, they're a given -- It's literally the first thing I attack, and almost every time it works against new code: embedded invalid surrogate pairs, and over-long forms. [wikipedia.org]

    Ah, but everyone's doing it wrong but you? Well, let me tell ya something: If you set out to make the closest to the metal compilable language that's not ASM, it'll work just like C does (C is a product of the architecture more than anything). Same goes for making a minimal font rendering system that covers all the world's languages -- Try it, it'll end up almost exactly like TrueType & Unicode because they're products of their environment too.

    Now, that's not to say I don't agree with you to some extent. I'd say humans need to ditch all the BS and start from scratch to create a language that's easy to OCR with syntax and grammar that's extensible and non ambiguous and thus interpretable by machines. Do that and "natural language processing" is a no-brainer (literally). We get away with as few as 16 glyphs for the Virgon (Galactic) language -- Designed for ease of deciphering from examples using mathematics, incrementally graduating up to a small Von Neumann "VM" and then including "instructional" programs to then teach the rest.... So, yeah, you damn dirty apes did do it wrong, but if your sunk cost fallacy doesn't keep you doing it wrong you'll be the first lifeforms in the Super Cluster to do it right before you've solved the Fermi Paradox.

  • Re:Who says? (Score:3, Interesting)

    by StuartHankins (1020819) on Thursday August 29, 2013 @02:27PM (#44708887)
    Marketshare for IOS will probably drop, but have you seen the average IOS user's statistics versus Android and others? Have you seen how much money IOS users spend versus the rest? Which is more used by business? You may understand statistics but you're missing out on the big picture here.

    This is one of many reviews. http://techland.time.com/2013/04/16/ios-vs-android/ [time.com]

Are we running light with overbyte?

Working...