The bug that causes iPhones to crash when they receive a boobytrapped text
message also affects the Apple Watch, iPads and Macs.
The crash is caused by a bug within a core system common to all of Apple’s
devices that handles text. When presented with non-Latin characters in a
specific sequence - including those from Arabic, Chinese and Marathi - the
CoreText system chokes, causing it to fail and bring the entire operating
system to a halt.
Apple told the Guardian that it is aware of the bug and will issue a
software update to fix it. How long that update will take is unknown, and 24
hours after the bug was revealed it has not been fixed. The bug, which was
originally identified as causing crashes on iPhones, has now been shown to also
affect the Apple Watch, causing it to crash when attempting to reply to the
offending message via voice using Siri.
The text message has also caused iPads to crash, and reportedly can affect
Mac laptops and desktops too. “As the issue also affects OS X applications, a
malicious party could set the triggering text as a server message of the day or
welcome message, causing a user’s terminal to crash when authenticating to
network services,” Mathew Hickey, principal security consultant at MDSec, told
Forbes.
While most people are using the message as a prank to crash friends’
iPhones, experts have not ruled out that the text string could be used for more
malicious attacks, with potentially damaging consequences. “Programming errors
in Unicode decoding and rendering will produce more errors like this, some of
which may be exploitable to access elevated privilege levels on devices,” said
Ken Simpson, chief executive of spam filtering and email security company
MailChannels.
“Such a vulnerability/exploit is not yet in the wild, but if developed this
would represent an immediate and severe threat to all iOS device users
worldwide.” Those wishing to protect themselves from these attacks can turn off
the notification system on iOS devices and stop SMS or iMessages being
delivered to the Apple Watch.
Mac users are less likely to be affected by the bug - sending the string via
iMessages did not trigger a crash in the Guardian’s testing - but those using
the Terminal app to access resources across the internet should be aware that
it could be affected if exposed to the text string.