
How just 5 characters can murder iPhone and Mac apps



There has been much sniggering into sleeves after wags found they could upset iOS 6 iPhones and iPads, and Macs running OS X 10.8, by sending a simple rogue text message or email.

A bug is triggered when the CoreText component in the vulnerable Apple operating systems tries to render on screen a particular sequence of Unicode characters: the kernel reacts by killing the running program, be it your web browser, message client, Twitter app or whatever tried to use CoreText to display the naughty string.


Much hilarity ensued as people tweeted the special characters, posted them in web article comments or texted them, and rejoiced in the howls of fanbois' frustration. (Facebook had to block the string from being submitted as a status update.)

But how did that bug work? After some examination, it appears to be a rather cute programming cock-up that's fairly easy to explain. The vulnerable code has probably been in the wild for yonks; some people noticed it six months ago and it appeared on some slides in April for a Hack In The Box conference presentation. Barely anyone took any notice back then - but it started to spread around the web over the weekend after a trigger string appeared on a Russian website.

Apple's CoreText rendering system uses signed integers to pass around array indexes and string lengths. A negative length, -1, is passed unchecked to a library function which uses it as an unsigned long integer to set the bounds of an array. This causes the library to attempt to read beyond the end of an array and into unallocated memory, triggering a fatal exception.
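The signed-to-unsigned conversion described above, shown next to the check that stops it. This is an added example, not Apple's CoreText code: the function names and the sample buffer are hypothetical, and nothing here reads out of bounds.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* What the callee sees when a signed length is reinterpreted as unsigned long:
 * -1 becomes ULONG_MAX, so virtually any "index < bound" test passes. */
unsigned long bound_seen_by_callee(long signed_len) {
    return (unsigned long)signed_len;
}

/* Unchecked pattern: the bound is taken on trust. Returns 1 if the callee
 * would consider `index` in range (no memory is touched here). */
int unchecked_in_range(long signed_len, unsigned long index) {
    return index < bound_seen_by_callee(signed_len);
}

/* Hardened pattern: reject negative lengths and lengths beyond the real
 * allocation before the value is ever used as an unsigned bound. */
int checked_in_range(long signed_len, size_t allocated, unsigned long index) {
    if (signed_len < 0) return 0;                 /* error sentinel such as -1 */
    if ((unsigned long)signed_len > allocated) return 0;
    return index < (unsigned long)signed_len;
}

/* Bounds-checked read over a caller-supplied buffer; returns -1 on refusal. */
int read_glyph(const unsigned short *glyphs, size_t allocated,
               long signed_len, unsigned long index) {
    if (!checked_in_range(signed_len, allocated, index)) return -1;
    return glyphs[index];
}

int main(void) {
    const unsigned short sample[4] = {10, 20, 30, 40}; /* constructed data */
    printf("bound for -1: %lu\n", bound_seen_by_callee(-1));
    printf("unchecked accepts index 1000000: %d\n",
           unchecked_in_range(-1, 1000000UL));
    printf("checked read, len=-1: %d\n", read_glyph(sample, 4, -1, 2));
    printf("checked read, len=4:  %d\n", read_glyph(sample, 4, 4, 2));
    return 0;
}
```

Compiling with `-Wsign-conversion` flags the implicit form of this conversion at the call site.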

Source: The Register (http://www.theregister.co.uk/2013/09/04/unicode_of_death_crash/)

Submitted By: Vandal (https://www.hellboundhackers.org/user/Vandal.html)
