Bug In Apple’s CoreText Allows Specific String Of Characters To Crash iOS 6, OS X 10.8 Apps

A bug in Apple's CoreText text rendering engine in iOS 6 and OS X 10.8 causes any app that tries to render a specific string of Arabic characters to crash on sight. The string, which was discovered yesterday and has spread around the hacking and coding community, has made its way to Twitter, where merely having it appear in your timeline will crash the app.

The issue affects apps on iOS 6 and OS X 10.8 but does not reproduce on OS X 10.9 Mavericks or the iOS 7 betas. So whatever bug the characters trigger has already been fixed in upcoming releases of the engine. That doesn't help anyone still on iOS 6, of course.

Because it's a CoreText bug, any app that uses the framework to lay out and render text is affected. That includes any app built on WebKit, Safari among them, because WebKit uses CoreText for text rendering.

This is a picture of the string of characters, not replicated here for obvious reasons:

[Screenshot, 2013-08-29: the tweet containing the string]

If you'd care to experience the bug for yourself, feel free to seek out the tweet in the picture above; I'm not posting a link. For the record, Tweetbot appears to be immune to this, even though it also uses CoreText.

The characters were discovered and posted on a Russian site yesterday morning. The site claims that Apple has known about the problem for 'six months' and has not reacted, and there is some evidence of the string appearing on Twitter as far back as February. The posting asks readers to click the crash-report button in any affected app and report the crash to Apple.

The malicious possibilities are simple: send the characters in an SMS and Messages on both OS X and iOS can be put into a repeating crash, since the app tries to render the same conversation again each time it is reopened. We confirmed this on both operating systems. The string can also be delivered via a web link.

You could also rename a wireless network to the characters, and it will crash any device that scans for that network in order to connect to it.

That being said, this is an extremely specific set of Unicode characters, so the chance of coming across it accidentally is essentially nil. Unfortunately, once something like this is out in the wild, it's down to who has the know-how and the will to use it to annoy or offend.

The Facebook team has already caught on to the bug and will no longer allow you to post this particular string to its site; an error message alerts you that your post contains a security vulnerability.

We’ve reached out to Apple about the bug and will update this post if we receive a response.

This isn't the first time iOS and OS X have had denial-of-service (DoS) issues stemming from bugs. In February, it was found that typing the phrase 'File:///' into an app on a Mac would cause the app to crash. That bug was traced back to NSTextField.

In addition, in March of this year, several iOS developers were targeted with sustained DoS attacks using large volumes of text and very long runs of characters. These would render the iMessage app unusable and eventually cause it to crash. The attacks were attributed to forcing iMessage to render 'Zalgo' text (characters stacked with huge numbers of combining marks) and to the fact that Apple didn't limit how fast messages could be sent.

To combat that kind of attack, Apple introduced iMessage blocking in iOS 7, which lets users block all incoming messages from a particular address or sender.