Slashdot Mirror


CoreText Font Rendering Bug Leads To iOS, OS X Exploit

redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well."

178 comments

  1. Who says? by fnj · · Score: 0

    Android might be targeted by hackers and malware far more often than Apple's iOS platform

    Says who?

    1. Re:Who says? by Anonymous Coward · · Score: 0

      Says who?

      Reality

    2. Re:Who says? by larry+bagina · · Score: 5, Informative
      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    3. Re:Who says? by Cimexus · · Score: 1

      Well that would be logical wouldn't it, given that Android is a more widely used platform. Hackers often try to get the biggest 'bang for buck' and target the most popular platforms (see also number of Windows viruses vs. Mac OS ones).

    4. Re:Who says? by m1ndcrash · · Score: 1, Funny

      Hipsters already have spent all money on Apple products, so their bank accounts are empty. You go after MS, Android who are smart and have savings.

    5. Re:Who says? by sootman · · Score: 3, Informative

      Was going to post that but you beat me to it. The details:

      Headline: "Four Out of Five Malware Menaces Choose Android"

      80%? They make it sound so close! It's actually 100:1 for Android:iOS: "Android was targeted by an astonishing 79 percent of all smartphone malware that year... iOS was targeted by 0.7 percent of malware attacks."

      The rest? Windows Phone and BlackBerry, 0.3%; Symbian, 19%.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    6. Re:Who says? by smash · · Score: 3, Insightful

      Targeted != exploited. They're both targeted, just android is a lot easier to exploit because there is so much junk out there without any updates.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    7. Re:Who says? by smash · · Score: 1

      lol.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:Who says? by P-niiice · · Score: 4, Informative

      The freedom to allow apps permissions for your system brings risks. Read the permissions screen before clicking 'allow', folks.

    9. Re:Who says? by girlintraining · · Score: 0, Flamebait

      "Android was targeted by an astonishing 79 percent of all smartphone malware that year... iOS was targeted by 0.7 percent of malware attacks."

      Oh wow! That must mean iOS is much more secure! That's what I was supposed to say, right? Not maybe the iphone isn't very popular, and people aren't designing malware for it because they want to go for Fort Knox instead of a piggy bank.

      Android:
      79.3% marketshare.
      80% of malware.

      Ordinarily, I wouldn't need to explain this, but given that it seems I'm one of the few people left on Slashdot with any understanding of statistics, I'll make this simple: Your "secure" operating system's only real security is that it's too small to matter. This is like saying "DOS has the lowest rate of new malware infections of any OS on the market!" Well yeah. Nobody uses DOS anymore. And in a few years, nobody will use iPhone anymore either... it fell 3% in marketshare in just the last three months. Even malware authors are abandoning it because it costs too much to develop for such a small rate of return.

      --
      #fuckbeta #iamslashdot #dicemustdie
    10. Re:Who says? by ciderbrew · · Score: 3, Insightful

      I do; but it's more like ... Find something that looks really good, then look at all the permissions it wants; but it shouldn't need all those permissions!! Feel sad about it and then don't install it unless drunk.

    11. Re:Who says? by sootman · · Score: 2, Insightful

      Holy cow, your fanboy hat must be cutting off the flow of blood to your brain. Explain again why an OS with 4x the market share garners 100x the exploits?

      Maybe, just maybe, there's more to it than market share.

      "... it fell 3% in marketshare in just the last three months..."

      iPhone sales ALWAYS drop this time of year because everyone knows a new one is coming this Fall. It'll be back up in another few months... and then maybe down again, and then up again...

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    12. Re:Who says? by gnasher719 · · Score: 1, Insightful

      Android:
      79.3% marketshare.
      80% of malware.

      That may look good to you, but it isn't. If you had 100 pieces of malware, and each affected 1% of the possible users, then you would have 80 pieces of Android malware and 20 pieces of other malware, so an Android user would have an 80% chance of being affected, while other users would only have a 20% chance.

      It may give an explanation why there is so much malware, but it doesn't help you. (BTW iPhone was said to be attacked by 0.7% of all malware, which makes every iPhone user about 100 times safer. And all iPhone users have bought an expensive phone, while the high Android numbers come from all the cheap Android phones around, so your "Fort Knox vs. piggy bank" comparison is a bit stupid.)

    13. Re:Who says? by Anonymous Coward · · Score: 0

      Flamebaitey, sure, but I lol'd. Well-played, but I'm calling the mod points a wash here.

    14. Re:Who says? by Joce640k · · Score: 3, Insightful

      Well that would be logical wouldn't it, given that Android is a more widely used platform

      Not only that, it has a checkbox to allow you to install unsigned apps from uncontrolled websites.

      Unsurprisingly, bad people upload malware to those sites. If you download it and click "yes", you'll get what you deserve, just like installing randomly downloaded exe files on PCs, etc.

      --
      No sig today...
    15. Re:Who says? by Gilmoure · · Score: 2, Funny

      Exactly! Apple's never been a big enough target or had enough users to make anyone want to hack them. As for those Apple (l)oosers? Just think how boring their lives have been for all these decades, not getting the real experience of using computers but stuck just playing quietly with their toys. Stoopid loosers!

      --
      I drank what? -- Socrates
    16. Re:Who says? by NatasRevol · · Score: 2

      Yeah, all the malware is avoided if you don't click allow.

      That's just damn funny.

      --
      There are two types of people in the world: Those who crave closure
    17. Re:Who says? by Anonymous Coward · · Score: 1

      The freedom to allow apps permissions for your system brings risks. Read the permissions screen before clicking 'allow', folks.

      Right, because having users manage their own risk profile has worked out so well in the PC/Windows world...

    18. Re:Who says? by Anubis+IV · · Score: 3, Informative

      Secure? Maybe, maybe not. Having less malware does not mean something is more secure, after all. More safe? Definitely so, since having less malware means that there is simply less danger. A walled garden in the country side is more safe but less secure than an apartment with bars over all the windows in the middle of the city, after all, and safety is what is more important overall, rather than security.

      Of course, that doesn't excuse a company to fail at securing their products, just because no one has attacked them yet, but by all indications, the "security through obscurity" argument doesn't hold much water in this case, given that iPhone users are consistently shown to be disproportionately profitable to target and that they continue to sell extremely well overall (even the report you linked cites the fact that this is an expected low as part of the regular product cycle for the line and that they expect the iPhone to recapture its lost market share with the launch of the new iPhone this quarter).

      Long story short, Android appears to be less secure and less safe. Which is to be expected, given the fact that developers are able to do a lot more on Android than they can on iOS, so it's not without its upsides, by any means. But that added capability (and the fact that every carrier/manufacturer makes their own tweaks that can open up vulnerabilities) comes at a price, and in this case, it's security.

    19. Re:Who says? by girlintraining · · Score: 0, Troll

      Holy cow, your fanboy hat must be cutting off the flow of blood to your brain. Explain again why an OS with 4x the market share garners 100x the exploits?

      You're reading the statistics wrong. But whatever, you get +1, I get -1, because you're not a fanboy who made a personal attack, and apparently my quoting statistics was too inflammatory. Ah well.. yet more proof slashdot has gone to the dogs. Let's burn some more karma in a fruitless endeavor to explain to the fanboys statistics 101... because I'm bored and it's my lunch hour.

      The dominant operating system with the largest marketshare has almost the same amount of malware being produced for it relative to its marketshare. This is precisely what you'd expect. It'd be like saying "A car that is driven by 80% of people also gets in 80% of accidents."

      It does not have "100x" the exploits. It has "1x" the exploits. It has exactly the number of exploits you'd expect.

      iPhone sales ALWAYS drop this time of year because

      ... irrelevant. Whether iPhone sales drop this month by 3% or not, they're still only clocking a 1:4.7 ratio of iphones to android phones. A 3% fluctuation means very little compared to the massive trend downward over the past several years. And that's what the malware authors are looking at.

      So don't give me this "you must be a fanboy!" crap and then get all your hipster friends to downmod me... the facts are staring you in the face: The reason it has fewer exploits is because it has a small (and shrinking) marketshare, just like DOS, OS/2, etc. This is no different than the argument that Linux is more secure because nobody develops malware for it... yeah, sure, okay... but nobody uses Linux. Not as a desktop anyway. Malware authors go for the lion's share, not the outliers, and any security expert will tell you that Linux has had plenty of exploitable conditions in the past... but they weren't exploited because it wasn't as valuable to spend time developing one for Linux as it would be for the dominant OS -- Windows.

      --
      #fuckbeta #iamslashdot #dicemustdie
    20. Re:Who says? by 0123456 · · Score: 4, Insightful

      Right, because having users manage their own risk profile has worked out so well in the PC/Windows world...

      Indeed. Letting someone else control your computer is much safer.

      Android's big problem is that you have no way of saying 'no, I'm not giving this app that permission', and can only choose to install or not install the Fluffy Kitty Screen Saver that wants access to your filesystem, the Internet, and the ability to send SMS messages.

    21. Re:Who says? by Plumpaquatsch · · Score: 2, Insightful

      Well that would be logical wouldn't it, given that Android is a more widely used platform. Hackers often try to get the biggest 'bang for buck' and target the most popular platforms (see also number of Windows viruses vs. Mac OS ones).

      Are you claiming iOS was targeted far more than Android just 2 years ago?

      --
      Of course news about a fake are Fake News.
    22. Re:Who says? by girlintraining · · Score: 0

      It may give an explanation why there is so much malware, but it doesn't help you.

      I wasn't aware this was an issue of "help". I think it's more like when you look at every other case where a given piece of software or technology was used by the overwhelming majority (above 67%), and there was the potential for profit if it could be exploited, the majority of exploits targeted that piece of technology.

      It's basic economics; Malware isn't any different than game development. Why is everyone going for the PS4 instead of the XBone One? Economics. Why did the PS2 curb stomp all the others? Economics. Developers go with wherever the most sales are going to be, and it doesn't matter whether you're making a legitimate or illegitimate product.

      That's my point here. Android has the majority marketshare. And it has almost the exact same amount of malware. Android is the average case. Outliers have more flexibility -- the XBone may be easier to develop for. Macintosh might be easier to use. Outliers need niche markets -- so they build on whatever happens their way.

      To say that this universal statistical truth bestows upon IOS some intrinsic extra security is stupid. It's not intrinsically better... it's accidentally better. And if IOS had the majority marketshare, then it would be Android hawking ease of use, or better security, or whatever. This isn't a case of the design being better (or worse)... it's a case of the design not being popular. That's the only variable here that's really meaningful.

      I can provide case study after case study showing that as the popularity of the platform reaches a critical mass, the number of exploits jumps. In fact, the rate of exploits being generated on a platform almost always follows the number of applications being developed over the same time frame.

      You're trying to argue that technology is the reason for this difference, when the reality is it is economics. Just like everyone else here. The iPhone isn't special in any way; It follows the same trends, the same economic forces, etc., as everything else in IT. Sorry.

      --
      #fuckbeta #iamslashdot #dicemustdie
    23. Re:Who says? by chowdahhead · · Score: 3, Insightful

      I think Android is targeted more because it isn't inherently tied to the Play store, and not so much because of devices not being updated. The app signature verification works for 2.3 and up, which covers 96% of Google's Android devices. Getting malware on a phone or tablet still generally requires installing a malicious app, and it's far easier to be careless about that on Android.

    24. Re:Who says? by Anonymous Coward · · Score: 1

      It also comes down to the fact that most Android phone users are not computer savvy and just buy them because they are the cheapest thing at the Verizon store. And of course people with lower incomes tend to have less education and as so less critical thinking ability. Likewise people target malware to Windows because every moron who shows up at Best Buy and asks for the cheapest computer goes home with a Windows netbook, from there it's quite simple to get those kind of people to willingly install all kinds of malicious bullshit.

    25. Re:Who says? by RoboJ1M · · Score: 4, Interesting

      Agreed.

      It's the same as Windows, you just target what gets you the largest return. Organised crime is a business, just like any other.
      However there is still the walled garden thing, even if Apple went back up to a 50:50 market share with Android, Android would get targeted more because every Android user can choose to install any application and give that app the permission to email their bank details to Russia.

      With iOS they have to wait for a good ol' fashioned buffer overflow before they can grab anything I guess.
      Unless you get that with iOS too? I don't know I've never owned one.

      But the 8:2 logic holds up, when the sample size is that large I'm guessing that's exactly the reason why.

      Ultimately it's all moot.

      If Apple had 100% of the market share this is what would happen:

      The crims would send everyone sms/emails with links to pages that asked them for their passwords and X percent of users would give it to them.

      No amount of security or walled gardens get around the fact most of you are really really thick.

      You don't have to install Cute Kitty Wallpapers with internet, sms and bank details access.
      Because that's all this "malware" is, it's not big or clever, 50% are just from the wrong side of the bell curve.

      Oh, and I use Linux.
      On the Desktop.
      Well, I used to, because who the hell uses a desktop anymore anyway?
      Have you seen this cute screensaver I found!!!

    26. Re:Who says? by UnknownSoldier · · Score: 1

      > but nobody uses Linux. Not as a desktop anyway.

      I work at a Fortune 50 company. Yes, 50, not 500. Currently researching Big Data on the GPU using Linux + CUDA + nVidia's nSight + GTX Titan. I'm in OSX, Linux, Win8 in that order. The other devs use command line + vim + git. The OPS guys use OpenBSD on the servers.

      There is a surprising amount of people using Linux. Heck most of the contractors we have are using VirtualBox + Linux (Ubuntu)

      You're talking out of your ass making assumptions. Unix, whether it be Linux or BSD variation, is getting more and more popular.

    27. Re:Who says? by Anonymous Coward · · Score: 0

      > In fact, the rate of exploits being generated on a platform almost always follows the number of applications being developed over the same time frame.

      Except the iOS appstore has more apps and more installed apps so looks like your theory fails.

    28. Re:Who says? by Anonymous Coward · · Score: 0

      Yeah, using Final Cut Pro to produce motion pictures for Hollywood, what a bunch of losers! They could have been playing Butt Commando 4 in their mom's basement!

    29. Re:Who says? by girlintraining · · Score: 2

      You're talking out of your ass making assumptions. Unix, whether it be Linux or BSD variation, is getting more and more popular.

      Sir, my grandpa lived to the age of 94, and he smoked four packs a day. Does that mean if I smoke four packs a day, I have nothing to worry about health-wise? I suppose the cognitive error you've made is clearer now. You're giving personal experience too much weight. Please show me a survey saying that, today, Linux as a desktop platform is at least half as popular as Macintosh is. The short answer is, you won't find one. At least not one that's been done properly. Saying it's "getting more and more popular" is not the same as saying it's popular now. Monocles are getting more and more popular too (steampunk cosplay)... it doesn't mean I can wander out into the street and find top hats and monocles everywhere.

      --
      #fuckbeta #iamslashdot #dicemustdie
    30. Re:Who says? by StuartHankins · · Score: 2, Interesting

      Marketshare for IOS will probably drop, but have you seen the average IOS user's statistics versus Android and others? Have you seen how much money IOS users spend versus the rest? Which is more used by business? You may understand statistics but you're missing out on the big picture here.

      This is one of many reviews. http://techland.time.com/2013/04/16/ios-vs-android/

    31. Re:Who says? by Anonymous Coward · · Score: 0

      IOS is the jackpot, Android users are too cheap and poor to be worthwhile to hack.

    32. Re:Who says? by girlintraining · · Score: 1

      Of course, that doesn't excuse a company to fail at securing their products, just because no one has attacked them yet, but by all indications, the "security through obscurity" argument doesn't hold much water in this case, given that iPhone users are consistently shown to be disproportionately profitable to target and that they continue to sell extremely well overall (even the report you linked cites the fact that this is an expected low as part of the regular product cycle for the line and that they expect the iPhone to recapture its lost market share with the launch of the new iPhone this quarter).

      Let's say that iphone owners are worth $30,000 each, and Android users are worth only $10,000. If Android users are 4.7x more numerous than iphone users... then Android users are the logical target, if you can only target one group or the other. Now, who really thinks iphone users have a net worth three times that of Android users? Android users, by the way, are 4.7x more numerous.

      The rest of your argument is irrelevant. I don't have anything really to say to your security v. safety argument, because that's not what we were talking about and I have no desire to play the shifting goal posts game.

      --
      #fuckbeta #iamslashdot #dicemustdie
    33. Re:Who says? by Anonymous Coward · · Score: 0

      Just because OpenBSD has less exploits than Windows doesn't make it less secure...not all operating systems are created equal.

    34. Re:Who says? by Anonymous Coward · · Score: 0

      Germany warns people from using Windows 8

    35. Re:Who says? by Anonymous Coward · · Score: 0

      He didn't say Linux, he said "Unix, whether it be Linux or BSD variation". Notably, Mac OS (which you're comparing Linux to) is a BSD variation.

    36. Re:Who says? by Anubis+IV · · Score: 2

      Now, who really thinks iphone users have a net worth three times that of Android users?

      That's a great question and exactly the right one to ask. As it turns out, an average iOS user is worth roughly 4-5x more than an average Android user, at least in terms of what they're willing to spend on apps, which admittedly isn't the worth that we're talking about in this context, but is about the closest indication we can get to the relative worths of users on the different platforms, absent of having data on what the street value is for a compromised device of each variety.

      It's also worth pointing out that you've made the false assumption that iOS has to offer a value that's equal to or greater than Android's before iOS would be a logical target, completely dismissing the fact that the black hats may very well be interested in iOS, even if it only offered half or a quarter of the value of attacking Android, simply because there are other considerations at play (e.g. big fish in small pond, diversifying their products for more stable profit, etc.). Even if their users were equal in value and Android had 4.7x more users, that'd still mean that Apple had about 18% of the market, which is a sizable portion to target and well worth at least some of the malware developers' time. As such, you'd expect to see that they're getting hit fairly often.

      Instead, that link above indicates that Android gets 79% of malware, iOS gets 0.7%, and Blackberry and Windows Phone each clock in at 0.3%, despite the fact that their market shares are even more diminutive than Apple's. And don't forget Symbian, which only had 19% of the malware, despite the fact that its installed userbase was comparable to Android's at the time that the study was conducted.

      As for the rest of what I said, which you largely dismissed as irrelevant, I'll repeat some of it regarding this trend being expected, given the designs for the various OSes. Android is designed to be configurable and modifiable by manufacturers and carriers, as well as more open to developers, which naturally means that it's a harder product to secure, given that the surface area for attack is much larger and the changes that are being made are not always being as heavily scrutinized. In contrast, Apple, Microsoft, and Blackberry each only need to secure one OS that they have full control over, so it should come as no surprise that there's less malware for them, not merely because of market share, but also because of design considerations of this sort. If they didn't have disproportionately less malware, that would be an indication of a major failure on their part to secure their OS.

      So, once again, your security through obscurity argument is full of holes, and there are perfectly obvious reasons for why iOS has less malware than Android. That you're ignoring them is astonishing, considering the reasons they exist in the first place are the reasons that the Android ecosystem is able to thrive.

    37. Re:Who says? by noh8rz10 · · Score: 1

      I wouldn't even call this exploit an "exploit". At worst it's a lulz to crash a program. No data extraction.

    38. Re:Who says? by girlintraining · · Score: 1

      As it turns out, an average iOS user is worth roughly 4-5x more than an average Android user, at least in terms of what they're willing to spend on apps, which admittedly isn't the worth that we're talking about in this context, but is about the closest indication we can get to the relative worths of users on the different platforms, absent of having data on what the street value is for a compromised device of each variety.

      Actually, this doesn't say anything except that IOS users are more willing to pay for apps -- this may be due to the smaller number of free alternatives and the fact that the IOS marketplace is controlled entirely by Apple, and you have to spend a not inconsiderable amount of money getting licensed and approved so you can submit apps to Apple. Android has no such restrictions. Since it costs less to develop for Android, it makes sense that the overall price would be lower -- after all, you aren't by the mere act of creating an app indebting yourself and now need to make that money back just to break even.

      It's also worth pointing out that you've made the false assumption that iOS has to offer a value that's equal to or greater than Android's before iOS would be a logical target, completely dismissing the fact that

      Completely dismissing the fact that... and then you put up a string of assumptions with no citations? Please, by all means, show me the supporting documentation. At least you tried with the first link. It was totally off-topic and irrelevant, but I can admire the attempt. But it seemed like right after that, you gave up wanting to prove any of your other points, perhaps thinking that if you included a single link, you'd get up-modded and nobody would more closely analyze your faulty logic.

      Android is designed to be configurable and modifiable by blah blah blah blah blah... more blah, some blah, extra blah to go with the blah

      Again, blowing smoke in the hopes of covering up the original point: Which is that we're discussing what is manifest in reality, what is happening today, not the coulda, woulda, shoulda, that your post goes into great detail to construct. It's a wonderful hypothetical model, and maybe if this were a competition for best fictional work by an internet pundit, you'd win an award. But this is economics.

      Show me the money. The end.

      --
      #fuckbeta #iamslashdot #dicemustdie
    39. Re:Who says? by sjames · · Score: 1

      Two gas stations across the street, both having a sale prominently advertised out front. One offers a gallon of gas for a dollar, the other offers 4 gallons of gas for a dollar.

      This will not result in proportional business. Rather, the 4 Gal/usd will be packed and you'll hear crickets at the 1Gal/usd station.

      Same for malware and phones.

      And I even did it with a car analogy :-)

    40. Re:Who says? by tlhIngan · · Score: 1

      Now, who really thinks iphone users have a net worth three times that of Android users?

      The most popular Android phone sold was the Samsung Galaxy S III. Which is around 60M units. Google says there are 900M Android devices out there. Which puts the SGS3 at under 10% marketshare. Given it was THE flagship phone to get, there's a good bet the vast majority of Android phones out there are the crappy free ones. Because people see the iPhone, they see the $200 price tag, then the salesperson shows them the collection of Android phones you can have for free. Who cares if it runs Gingerbread, has a crappy screen, a lousy CPU, tiny RAM, whatever. It's free, and "it works like an iPhone".

      And therein lies the problem - the market for someone who buys an iPhone or an SGS3 is completely different from the market who buys whatever the carrier is giving away for free.

      If we were to isolate the markets - the ones who paid and bought flagship phones versus the iPhone - I have a very strong suspicion that the "worth" is the same. If you're willing to pay for it, the demographics pretty much say you're also willing to pay for apps and all the other stuff.

      But if you were too cheap for an iPhone or SGS3 or whatever, then you'd probably be just as cheap with apps. Heck, you might even try to get paid apps for free (and be one to install non-Play apps that may be infected). Or not even bother with the whole thing after seeing dollar signs everywhere.

      Even though iPhones have price ranges, few buy the cheaper ones. Hell, any iPhone display almost always are going to have only iPhone 5s on show. But your carrier will have dozens of brand new just-came-out-today Android phones that are free.

      The problem is, you can't segregate the market on Android - e.g., you'd pay more to advertise on iPhone because they match the demographic you want, but on Android, you'd pay less than half because you can't tell if you're advertising to a cheapskate or someone who will appreciate it.

      And free apps are nonsense - the reason Android has more is because of Google's incompetence at taking people's money, so paid apps are at a disadvantage over free ones since if Google can't take your money, your paid app won't show up.

      Stuff like Freemium and ad-supported apps really started on Android for this reason.

    41. Re:Who says? by Anubis+IV · · Score: 1

      Fine, I'll keep it simple since we apparently can't even agree that "wanting to diversify" is a valid business idea that would apply to malware developers too.

      Your big claim is that iOS has less malware because of security through obscurity. That is, they have next to no market share, so no one writes malware for it since there's no profit there. Explain Symbian then. It had 19% of the malware share (i.e. 1/4 that of Android) while having a comparable installed user base to that of Android at the time that the study was conducted.

      Please explain, since you apparently have a monopoly on reality, how those numbers work out and why they don't contradict anything you've said about iOS.

    42. Re:Who says? by Anonymous Coward · · Score: 0

      I wouldn't even call this exploit an "exploit".

      So what's an exploit?

    43. Re:Who says? by Anonymous Coward · · Score: 0

      Indeed. Letting someone else control your computer is much safer.

      It isn't like you are letting someone else control your computer, you are letting one entity vet the applications before they get to you and even then you have the ability to limit what they have access to, Google just doesn't do a very good job of that where Apple does. Ultimately the *fact* is you are *far* less likely to be the victim of malware as an iOS and OSX user than you are as a Windows and Android user (obviously combinations of these and including desktop linux distributions makes a difference).

    44. Re:Who says? by exomondo · · Score: 1

      "Android was targeted by an astonishing 79 percent of all smartphone malware that year... iOS was targeted by 0.7 percent of malware attacks."

      Oh wow! That must mean iOS is much more secure!

      Well if Android was targeted by 79% of smartphone malware and has 80% marketshare where iOS has (according to your statistics) 13.2% of the marketshare with only 0.7% of the smartphone malware then that would suggest that yes it is. Of course the next thing to look at is whether it is just hackers going after the biggest target marketshare, well the remaining smartphone malware (20.3%) is targeted at the remaining players that have just 6.8% of the smartphone market, so if you were to suggest it was just them going after the larger market then iOS would be expected to have significantly more than it has and the tiny players to have significantly less than they have.

    45. Re:Who says? by exomondo · · Score: 1

      Unix, whether it be Linux or BSD variation, is getting more and more popular.

      I'm not sure what the point of lumping all Unix derivatives together is in this context, it was about exploits and platforms targeted by malware, what exploits and malware run across all Unix derivatives?

    46. Re:Who says? by exomondo · · Score: 1

      Nearly everyone in our office now has iphones, they all dumped samsung crap and android.

      Sir the bet is one anecdotal evidence, minimum raise another anecdotal evidence.

    47. Re:Who says? by shutdown+-p+now · · Score: 1

      The logic is fairly obvious: when there is such a large gap between the leader and everyone else, why would you as a malware writer target anything but the leader? It doesn't make sense to target 20% of your exploits for iOS and 80% for Android, just because that's the corresponding market shares. You target all of your exploits in such a way as to maximize the total number of people hit by each. From that perspective, the only logical choice is to target Android for all of them.

    48. Re:Who says? by Anonymous Coward · · Score: 0

      Why is everyone going for the PS4 instead of the XBone One? Economics.

      Neither exists yet so your statement is an obvious fabrication due to your own fanboyism, in addition you flaunt your fanboyism by calling the PS4 simply the PS4 and squeeze in a more derogatory XBone One for the XBox One (even though it's more to type). Your fanboyism makes you so angry that you can't even bring yourself to type the name correctly even though it would be shorter to do so, you couldn't hide your bias and agenda even if you wanted to.

      Developers go with wherever the most sales are going to be

      Which is why the most applications and the most money is made on iOS.

      To say that this universal statistical truth bestows upon IOS some intrinsic extra security is stupid.

      Nobody is saying that but what you seem to be saying is that iOS and Android are equally secure and the only reason Android has more malware is because of its marketshare.

    49. Re:Who says? by Volguus+Zildrohar · · Score: 2

      X11. Also there's Java.

      --
      When confronted with one problem, some think "I'll use recursion". Now they are confronted with one problem.
    50. Re:Who says? by mattack2 · · Score: 1

      Two gas stations across the street, both having a sale prominently advertised out front. One offers a gallon of gas for a dollar, the other offers 4 gallons of gas for a dollar.

      This will not result in proportional business. Rather, the 4 Gal/usd will be packed and you'll hear crickets at the 1Gal/usd station.

      With *THAT* big of a gap, you're probably right.

      But here in the real world, for some reason people still go to the "name" brand gas stations that sometimes are 10 or more cents more/gallon that are just across the street from each other... Even though the gas quality is federally mandated, and in many/most cases it probably all comes from the same tank anyway.

    51. Re:Who says? by exomondo · · Score: 0

      X11. Also there's Java.

      Well they aren't malware or exploits but in any case they both also run on Windows, so you could just lump all the operating systems together.

    52. Re:Who says? by exomondo · · Score: 1

      Not maybe the iphone isn't very popular, and people aren't designing malware for it because they want to go for Fort Knox instead of a piggy bank.

      If the iPhone is not very popular then what smartphone is popular?

    53. Re:Who says? by smash · · Score: 1

      Data extraction isn't the only "exploit". If you can crash a program, you can often get it to run arbitrary code with a well crafted payload.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    54. Re:Who says? by Anonymous Coward · · Score: 0

      Or just do like you should also do on ANY Windows system: don't install every dancing bunnies app you come across.

      Android malware would vanish quickly, especially since the vast majority of it comes from side loaded apps that aren't installed through the Play store.

      I know malware has been transferred through the Play store, but malware has also been transferred through the App store, so that's a moot point.

    55. Re:Who says? by Anonymous Coward · · Score: 0

      If you root your phone, you can easily have this ability. Granted, a lot of apps won't work when they require a permission you have disallowed, but I use that as a criteria of what apps I will allow on my devices. The quality ones always work, and will gracefully exit with a useful error code if you disallow a permission it really needs (primarily internet access, haven't had much issue with other permissions).

    56. Re:Who says? by Anonymous Coward · · Score: 0

      iPhone users tend to be less tech savvy, actually. Never allow an iPhone user who is not a programmer to root their phone; in 100% of my experiences they will get it owned with black market apps in record time. Hasn't failed even once in hundreds of instances.

    57. Re:Who says? by Anonymous Coward · · Score: 0

      Call: My last job completely banned iDevices from the network or for business use when a large group (100+) of employees all got hit by the same malware. We only kept two iPads, with ZERO apps, for testing purposes.

    58. Re:Who says? by Black+LED · · Score: 2

      Check out F-Droid. While they don't have nearly as much as the Google Play store, everything they do have is open source and stripped of extraneous permissions and libraries.

    59. Re:Who says? by Anonymous Coward · · Score: 0

      How much is Apple paying you to shill like this?

    60. Re:Who says? by Volguus+Zildrohar · · Score: 1

      Well they aren't malware

      That's just where our opinions differ.

      (just to be clear, I am joking... mostly)

      --
      When confronted with one problem, some think "I'll use recursion". Now they are confronted with one problem.
    61. Re:Who says? by Anonymous Coward · · Score: 0

      It isn't like you are letting someone else control your computer, you are letting one entity vet the applications before they get to you and even then you have the ability to limit what they have access to, Google just doesn't do a very good job of that where Apple does.

      "Apple ran the app for only a few seconds"
      Yeah, Apple does such a good job...

    62. Re:Who says? by Anonymous Coward · · Score: 0

      If you're going to try and be funny, the least you can do is learn to spell "loser," as "looser" means something becomes less tight.

    63. Re:Who says? by Anonymous Coward · · Score: 0

      Anything running Android. Duh.

    64. Re:Who says? by P-niiice · · Score: 1

      I use and love F-Droid.

    65. Re:Who says? by cthulhu11 · · Score: 1

      Malware for mechanized dildo machines? Phear!

    66. Re:Who says? by Anonymous Coward · · Score: 0

      This. I was reading a recent report on Android vulnerabilities and malware which stated that over 90% of all malware created targets Android OS.

  2. the difference by Anonymous Coward · · Score: 0

    The difference is that in a week Apple can have this patched and prompting users to install the update from iTunes and the springboard, complete with red notification on the settings icon.

    1. Re:the difference by Anonymous Coward · · Score: 0

      You are so funny. Apple has a long history of not bothering to patch things up or waiting 3 or 4 months before deigning to offer a patch.

    2. Re:the difference by AmiMoJo · · Score: 1

      Google can roll out system patches via Play too. It does it now and again to deal with serious security issues, or provide new features. The patches can affect all versions of Android, at least as far back as 1.5.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:the difference by NatasRevol · · Score: 0

      Sweet.

      Tell us how you can change the core font rendering in Android.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:the difference by Anonymous Coward · · Score: 0

      New firmware?

    5. Re:the difference by NatasRevol · · Score: 1

      LOL. Abso-fucking-lutely not.

      --
      There are two types of people in the world: Those who crave closure
    6. Re:the difference by Nerdfest · · Score: 1

      This exploit was released because even though Apple were made aware of it quite some time ago, they didn't patch it.

    7. Re:the difference by gnasher719 · · Score: 1

      This exploit was released because even though Apple were made aware of it quite some time ago, they didn't patch it.

      Surely this was released because someone's ego had to be satisfied by releasing it? What other purpose does it serve to release it?

    8. Re:the difference by Anonymous Coward · · Score: 0

      Android uses FreeType, which is open source just like the rest of the OS.

    9. Re:the difference by Anonymous Coward · · Score: 0

      And with Android I can patch it myself in a matter of minutes.

    10. Re:the difference by Anonymous Coward · · Score: 0

      What other purpose does it serve to release it?

      Shaming someone into fixing it. Not everybody has the same motivations as you. Stop thinking that they do.

  3. yup, it's real. by Anonymous Coward · · Score: 0

    Awesome, the comments even contain the string that causes the chrome page to crash!

  4. Typical of Apple by Anonymous Coward · · Score: 0

    ...The report claims that Apple has been aware of this vulnerability for six months and has yet to patch the exploit in any currently available operating system build.

    Pretty well known. Even if you report a bug to Apple and they acknowledge it they will drag their feet to actually fix it. Pretty stupid given they have possibly the best digital distribution channel with updates and stuff.

    Maybe it's that they are afraid of losing their "it just works" image if people notice they keep pushing patches like the rest of the industry...

    1. Re:Typical of Apple by jellomizer · · Score: 1

      Or you know, perhaps there are things like actually testing to make sure the patch works across their product lines. Or evaluating the Risk of the Flaw, and decide to put it in the next update, vs just keep on patching over and over again.

      I remember back when Microsoft started its security initiative back after XP was released. There were a lot of security updates and often they would end up breaking more stuff than it fixed. Because they didn't spend the time testing it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Typical of Apple by bill_mcgonigle · · Score: 1

      Maybe it's that they are afraid of losing their "it just works" image if people notice they keep pushing patches like the rest of the industry...

      Gosh, I'd hope it would be the opposite. People do care that "it just works" but nobody expects it to be "born of perfection". Rapid response to issues would be part of "just working".

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Typical of Apple by Cinder6 · · Score: 2

      It's fixed in the current iOS 7 beta.

      --
      If you can't convince them, convict them.
  5. Character-based displays FTW! by sootman · · Score: 5, Funny

    I am totally safe.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Character-based displays FTW! by jellomizer · · Score: 1

      Does it do Color?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Character-based displays FTW! by Anonymous Coward · · Score: 0

      Yes, but not on slashdot

    3. Re:Character-based displays FTW! by Anonymous Coward · · Score: 0

      #FF0000
      #FF7F00
      #FFFF00
      #00FF00
      #0000FF
      #4B0082
      #8B00FF

      It does the whole rainbow, baby!

  6. iOS doesn't have exploits by 0xdeadbeef · · Score: 3, Insightful

    It has jailbreaks, and that's a good thing.

    1. Re:iOS doesn't have exploits by bill_mcgonigle · · Score: 1

      I thought Apple added address space randomization back in Leopard? What happened?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:iOS doesn't have exploits by gnasher719 · · Score: 5, Informative

      I thought Apple added address space randomization back in Leopard? What happened?

      The problem that was reported leads to a crash. A crash is _safe_. An attacker can't gain any advantage by crashing your computer. They can merely annoy you.

      Address Space Randomization cannot prevent crashes. Its purpose is to prevent crashes being turned into exploits. An attacker does two things: Find a way to make your software fail, then find a way to turn that failure into an advantage for the attacker. The second part is where Address Space Randomization comes in. The next step is Sandboxing, where even if the attacker finds a way past ASR and takes over your code, your code would be in a sandbox and can't do any harm outside.

    3. Re:iOS doesn't have exploits by bill_mcgonigle · · Score: 2

      But the GP was referring to jailbreaks - I thought those were exploits "used for good"?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:iOS doesn't have exploits by Anonymous Coward · · Score: 0

      Leopard only had library randomization. Snow Leopard had more significant ASR improvements.

    5. Re:iOS doesn't have exploits by gnasher719 · · Score: 1

      But the GP was referring to jailbreaks - I thought those were exploits "used for good"?

      If you have an exploit, you can use it for good or evil. On the other hand, if it is an exploit where the device owner has to do things actively (like downloading an app, connecting the device through USB cable, running the app, clicking five buttons on the device) then there is no danger except the possibility of trojans, so Apple doesn't need to fix it. If it is an exploit that could be used to attack unsuspecting users, then it _must_ be fixed.

    6. Re:iOS doesn't have exploits by bill_mcgonigle · · Score: 1

      Yes, but address space randomization was supposed to make those exploits (mostly buffer overflows) obsolete, regardless of their intent. Clearly that didn't work if there are still jailbreaks and/or other exploits.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:iOS doesn't have exploits by iiiears · · Score: 1

      What about a heap spray attack?

      For crackers a system crash is an invitation to explore what is possible. Is there more specific information available? Uninitialised pointers etc are very worrisome..

      --
      15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
    8. Re:iOS doesn't have exploits by Anonymous Coward · · Score: 0

      You seem to have a problem with unrealistic expectations. Who ever said that ASLR was supposed to make buffer overflows "obsolete"? Nobody who actually knew anything about security. ASLR is a second line of defense, no more, no less. It merely makes it harder to craft a working exploit from bugs like buffer overflows, but not impossible.

      It's about realism and defense in depth. The idea is that you accept that perfect security is impossible, so how about designing a deep system which attempts to limit or contain the damage whenever a line of defense fails? The first line of defense is everything an attacker can see from the outside, including application code that might have buffer overflows etc. ASLR is a second line which attempts to harden defenses in a generic way. But it's hardly the only line. For example, in iOS, sandboxing is a third line of defense designed to contain the damage when attackers figure out ways around ASLR.

      Your other problem is that you started this subthread by responding to a dumbass as if he had a valuable point. Sorry, 0xdeadbeef, jailbreaks actually are exploits, which is why Apple shuts all of them down in the long run. They're not as aggressive about local-only jailbreaks which require physical presence, simply because those aren't as serious a problem for their end users as the remote exploits which permitted the construction of websites to jailbreak your phone by clicking a link, but they still close them off in the end. Every last one of them is in fact an exploitable security hole, by definition.

    9. Re:iOS doesn't have exploits by bill_mcgonigle · · Score: 1

      It merely makes it harder to craft a working exploit from bugs like buffer overflows, but not impossible.

      As I understood it, without being able to predict any addresses you were not able to get your exploit to jump to a good address to attach shell code to. But I'm not an exploit writer - I was hoping somebody could explain why that isn't working as a deterrent, but it sounds like I'm asking on the wrong board today.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:iOS doesn't have exploits by Animats · · Score: 1

      It merely makes it harder to craft a working exploit from bugs like buffer overflows, but not impossible.

      Right. Address space randomization is a form of "security by obscurity". There are "spraying attacks" which try patching multiple likely locations. If you can execute some kind of code on the target machine in a sandbox environment like Javascript in a browser, and also have an exploit which gets you down to the machine level, you can have Javascript which searches for the right place to patch.

      Address space randomization has the downside of making bugs less reproducible, making it easier for developers to deny their existence and refuse to fix them.

  7. Le sigh. by girlintraining · · Score: 0

    Okay, am I the only one that thinks that if you can't design something that renders text onto a screen without it turning into the Ocean's Eleven of computer security, you're doing it wrong? Be honest now guys. I can understand this in something that needs to interpret complex animations of dancing toilet paper flying across my screen screaming "Buy meeeee, pleeeeeeease!" -- I don't approve, but I can see how someone could screw it up.

    But text... really guys, I mean, really?

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Le sigh. by smash · · Score: 1

      Security in non-trivial code is hard. People insist on writing stuff in C and other "hard" languages. And this is the result. We probably should have switched to Ada a long time ago. Oh noes it is 10% slower = no excuse. Just buy the 2.2ghz machine instead of 2ghz.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:Le sigh. by Derek+Pomery · · Score: 5, Informative

      Did you know that TTF fonts are turing complete?
      http://en.wikipedia.org/wiki/True_Type_Font#Hinting_language

      "It really worries me that the FreeType font library is now being made to accept untrusted content from the web.

      The library probably wasn't written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executable on a computer, and it's already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.

      It is a very large library that actually includes a virtual machine that has been rewritten from pascal to single-threaded non-reentrant C to reentrant C… The code is extremely hairy and hard to review, especially for the VM."

      http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    3. Re:Le sigh. by UnknowingFool · · Score: 1

      Um this isn't fixed ASCII text. Dynamic scaling fonts like TrueType ones are almost images especially with internationalization. You might think printing out "A" is easy but you don't see that the device had to scale that A to a certain size and draw it differently depending on the dimensions proscribed by the font definitions (Serif, Sans Serif, Cursive, Italic, Bold, etc). Also if you want to do any business in places like China, your font rendering engine better be able to handle the complexity. Not to say that bugs shouldn't be there but it's not as easy as you think it is.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    4. Re:Le sigh. by girlintraining · · Score: 1

      Did you know that TTF fonts are turing complete?
      http://en.wikipedia.org/wiki/True_Type_Font#Hinting_language

      That doesn't excuse the fact that it's totally unnecessary. They've created an entire virtual machine for the sole purpose of font rendering. Doesn't that strike you as just a little bit over the top? Text is just symbols arranged on the screen -- I'm certain better ways of doing this could be imagined that wouldn't require an exploitable VM with root permissions.

      I don't care if it's turing complete or not, it's irrelevant. They've taken one of the most basic functions of a computer and managed to overly-complexify it to the point that it needed administrative permissions to do its job. This is like using a nuclear-powered hand drill! It's completely retarded, and when it melts down, it takes the entire city with you, instead of just a 2x4 and a nail.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:Le sigh. by Anonymous Coward · · Score: 0

      >Just buy the 2.2ghz machine instead of 2ghz.

      Looks like somebody's stuck in the 00s. Did you consider most code Apple writes is going to be run on mobile devices whatever that may be from Macbook Pro to iPhone? Nobody wants to waste 10% of their battery just so the programmers don't have to know how to use pointers...

    6. Re:Le sigh. by iluvcapra · · Score: 3, Informative

      Desktop publishing has used embedded, Turing-complete languages for decades -- TeX is Turing-complete, as is XSLT. It's the best and most compact way of specifying an abstract image for a generic rasterizing displays of arbitrary resolution.

      --
      Don't blame me, I voted for Baltar.
    7. Re:Le sigh. by wiredlogic · · Score: 1

      worries me that the FreeType font library is now being made to accept untrusted content

      Freetype has an auto-hinting engine originally developed to get around the TTF hinting patent. It is possible to configure FT to never interpret the hinting bytecode at all.

      --
      I am becoming gerund, destroyer of verbs.
    8. Re:Le sigh. by tibit · · Score: 1

      Sigh. Fonts are programs, and have been, for a long while now. Is that news to you? You must have never seen what it takes to actually render a font not to understand that. Be thankful those are not postscript fonts, because those would have been even harder to implement safely. The TTF hinter execution environment is much simpler.

      --
      A successful API design takes a mixture of software design and pedagogy.
    9. Re:Le sigh. by VortexCortex · · Score: 3, Interesting

      Okay, am I the only one that thinks that if you can't design something that renders text onto a screen without it turning into the Ocean's Eleven of computer security, you're doing it wrong? Be honest now guys. I can understand this in something that needs to interpret complex animations of dancing toilet paper flying across my screen screaming "Buy meeeee, pleeeeeeease!" -- I don't approve, but I can see how someone could screw it up.

      But text... really guys, I mean, really?

      I really get where you're coming from... However, Unicode is a PITA to implement, what with multiple glyphs for compositions / decompositions and BIDI (text direction rules) -- which change depending on paragraph direction and state machine. That's just the character encoding! To actually render the fonts there's a tiny VM that decodes the glyphs and handles sub-pixel hinting, etc. A bitmap ASCII (CP437) font? Done. I can crank one out in an hour, tops... Unicode w/ TrueType or FreeType? Ugh. I mean, just getting the character property tables from the Unicode site downloaded and transformed from CSV to the format we need is a project in and of itself. The bugs in every last 3rd party library ever encountered (even libPNG), I'm hesitant to use others' code unless I have to (I have a higher standard -- input fuzzing, code coverage and unit testing for everything), but bugs in today's text rendering systems aren't just expected, they're a given -- It's literally the first thing I attack, and almost every time it works against new code: embedded invalid surrogate pairs, and over-long forms.

      Ah, but everyone's doing it wrong but you? Well, let me tell ya something: If you set out to make the closest to the metal compilable language that's not ASM, it'll work just like C does (C is a product of the architecture more than anything). Same goes for making a minimal font rendering system that covers all the world's languages -- Try it, it'll end up almost exactly like TrueType & Unicode because they're products of their environment too.

      Now, that's not to say I don't agree with you to some extent. I'd say humans need to ditch all the BS and start from scratch to create a language that's easy to OCR with syntax and grammar that's extensible and non ambiguous and thus interpretable by machines. Do that and "natural language processing" is a no-brainer (literally). We get away with as few as 16 glyphs for the Virgon (Galactic) language -- Designed for ease of deciphering from examples using mathematics, incrementally graduating up to a small Von Neumann "VM" and then including "instructional" programs to then teach the rest.... So, yeah, you damn dirty apes did do it wrong, but if your sunk cost fallacy doesn't keep you doing it wrong you'll be the first lifeforms in the Super Cluster to do it right before you've solved the Fermi Paradox.
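
The two malformed-input classes named in the comment above, invalid surrogates and over-long forms, are what a strict UTF-8 decoder has to reject before text reaches a renderer. The C code below is an added example, not part of the thread or of any library mentioned in it; the function and enum names are this example's own, and the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (names are this example's own, not from any library). */
enum utf8_status {
    UTF8_OK = 0,
    UTF8_TRUNCATED,    /* sequence runs past the end of the buffer */
    UTF8_BAD_LEAD,     /* stray continuation byte, or 0xF8..0xFF */
    UTF8_BAD_CONT,     /* expected 10xxxxxx, found something else */
    UTF8_OVERLONG,     /* code point encoded in more bytes than needed */
    UTF8_SURROGATE,    /* U+D800..U+DFFF are not Unicode scalar values */
    UTF8_OUT_OF_RANGE  /* above U+10FFFF */
};

/* Decode one code point from buf[0..len). On UTF8_OK, *cp receives the
 * code point and *used the number of bytes consumed. Nothing is written
 * to *cp or *used on failure, and no byte past buf[len-1] is ever read. */
static enum utf8_status utf8_decode_strict(const unsigned char *buf, size_t len,
                                           uint32_t *cp, size_t *used)
{
    /* Smallest code point that legitimately needs 1, 2, 3 or 4 bytes. */
    static const uint32_t min_for_len[5] = { 0, 0x0, 0x80, 0x800, 0x10000 };
    size_t need, i;
    uint32_t v;

    if (len == 0)
        return UTF8_TRUNCATED;

    unsigned char b0 = buf[0];
    if (b0 < 0x80)                { need = 1; v = b0; }
    else if ((b0 & 0xE0) == 0xC0) { need = 2; v = b0 & 0x1F; }
    else if ((b0 & 0xF0) == 0xE0) { need = 3; v = b0 & 0x0F; }
    else if ((b0 & 0xF8) == 0xF0) { need = 4; v = b0 & 0x07; }
    else
        return UTF8_BAD_LEAD;

    /* Bounds check before touching any continuation byte. */
    if (need > len)
        return UTF8_TRUNCATED;

    for (i = 1; i < need; i++) {
        if ((buf[i] & 0xC0) != 0x80)
            return UTF8_BAD_CONT;
        v = (v << 6) | (uint32_t)(buf[i] & 0x3F);
    }

    /* Over-long form: e.g. C0 AF decodes to U+002F but used two bytes. */
    if (v < min_for_len[need])
        return UTF8_OVERLONG;
    /* A UTF-16 surrogate encoded directly, e.g. ED A0 80 (U+D800). */
    if (v >= 0xD800 && v <= 0xDFFF)
        return UTF8_SURROGATE;
    if (v > 0x10FFFF)
        return UTF8_OUT_OF_RANGE;

    *cp = v;
    *used = need;
    return UTF8_OK;
}

/* Validate a whole buffer. *count receives the number of code points
 * decoded before stopping; *err_off the offset of the first bad sequence
 * (or len when the buffer is clean). */
static enum utf8_status utf8_validate(const unsigned char *buf, size_t len,
                                      size_t *count, size_t *err_off)
{
    size_t off = 0, n = 0;

    while (off < len) {
        uint32_t cp;
        size_t used;
        enum utf8_status st = utf8_decode_strict(buf + off, len - off, &cp, &used);
        if (st != UTF8_OK) {
            *count = n;
            *err_off = off;
            return st;
        }
        off += used;
        n++;
    }
    *count = n;
    *err_off = len;
    return UTF8_OK;
}

int main(void)
{
    /* Constructed samples: one clean string, one with an over-long '/'. */
    static const unsigned char good[] = { 'n', 'a', 0xC3, 0xAF, 'v', 'e' };
    static const unsigned char bad[]  = { 'o', 'k', ' ', 0xC0, 0xAF };
    size_t count, off;

    enum utf8_status st = utf8_validate(good, sizeof good, &count, &off);
    printf("good: status=%d code points=%zu\n", (int)st, count);
    st = utf8_validate(bad, sizeof bad, &count, &off);
    printf("bad:  status=%d first bad offset=%zu\n", (int)st, off);
    return 0;
}
```

Rejecting these sequences at the decoding boundary means every later layer (normalization, shaping, rendering) only ever sees valid scalar values.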

    10. Re:Le sigh. by girlintraining · · Score: 1

      Desktop publishing has used embedded, Turing-complete languages for decades -- TeX is Turing-complete, as is XSLT. It's the best and most compact way of specifying an abstract image for a generic rasterizing displays of arbitrary resolution.

      No, it's not the best way; It has handed someone a root exploit. And it isn't the most compact way either -- because obviously it grew to such complexity that it became part of the kernel. These are design failures. If you cannot figure out a way to put pixels on the screen without getting yourself rooted, you're doing it wrong.

      --
      #fuckbeta #iamslashdot #dicemustdie
    11. Re:Le sigh. by Anonymous Coward · · Score: 0

      Have a Snickers. You're raging today.

    12. Re:Le sigh. by Anonymous Coward · · Score: 0

      It's necessary if you want to do fonts beyond monospaced ASCII. Rendering type on a low-resolution screen, while still making it look like the actual printed output, is extremely difficult. And yet that's exactly what graphic artists, who are Apple's most loyal customers, are most concerned with.

      You can't just use a simple scaling algorithm to render a letterform into a 12-pixel-high version of itself and call it a day. It'd be blocky and curves would get chopped off, so you'd have open O's and B's and such, and you'd have weird whitespace in between certain letters. So fonts have elaborate hinting rules, with if-then conditions and everything, to handle all the cases of point sizes and scale factors and styles. And then you need to support combined characters forming composed glyphs, characters represented by different glyphs based on which characters they're adjacent to, non-RTL ordering, and about a million other gotchas.

      That's why LaTeX doesn't even try to render to the screen. It's hard.

    13. Re:Le sigh. by Kielistic · · Score: 2

      Until someone gives us a better way I think I'll take the word of experts in the field over yours.

    14. Re:Le sigh. by tlhIngan · · Score: 2

      But text... really guys, I mean, really?

      Obviously someone who thinks Unicode is just an extended character set. Unfortunately, it isn't, and it's why characters are referred to as "codepoints" (because you may need multiple codepoints to actually produce a character).

      First comes the many ways of expressing a codepoint as a string - UTF-8, UTF-16, UTF-32 are just the most common variations (and there's also the whole big and little endian thing). And there's plenty of reasons why you'd want say, UTF-16 over UTF-8 (especially if you want to move backwards through text).

      Next is to support the expressiveness, Unicode has a LOT of character modifier values - things like right-to-left override (after that character, text is forced to be printed right to left), applying diacriticals and other such embellishments on text. For one character printed, you can easily have half a dozen or more codepoints associated with it. (Note: This also makes copy and paste hard, because while the user may have only selected 1 character, that one character may have a few codepoints associated with it).

      And don't forget all sorts of typography related things that need to be done - hinting/leading/kerning needs to be done in order to at least make the text presentable. It's why TeX was created - because the general state of computer generated text and typography was degrading compared to traditional manual typesetting.

      About the only way to make it "easy" is to abandon Unicode for ASCII and to enforce everything to be monospaced font. Which generally makes text look ugly.

    15. Re:Le sigh. by Anonymous Coward · · Score: 0

      Desktop publishing has used embedded, Turing-complete languages for decades -- TeX is Turing-complete, as is XSLT. It's the best and most compact way of specifying an abstract image for a generic rasterizing displays of arbitrary resolution.

      No, it's not the best way; It has handed someone a root exploit. And it isn't the most compact way either -- because obviously it grew to such complexity that it became part of the kernel. These are design failures. If you cannot figure out a way to put pixels on the screen without getting yourself rooted, you're doing it wrong.

      It's the best way, because it's the only way to effectively lay out type. There isn't a safe, simple way.

      Okay, I lied, there is: use a typewriter. Guaranteed no risk of compromise there.

    16. Re:Le sigh. by iluvcapra · · Score: 1

      Well, CoreText isn't in kernel, it's a library, and the exploit just allows crashes in userspace, not actual "rooting." Your account of the computer science involved is pretty terrible, in particular your conflation of any runtime environment and a privileged execution environment, and your confusion on the meaning of information-theoretic compactness. Your blanket condemnation of 30 years of desktop printing technology, the implementers of PostScript, and Donald Knuth(!) is also somewhat concerning.

      But aside from that I would like to subscribe to your newsletter.

      --
      Don't blame me, I voted for Baltar.
    17. Re:Le sigh. by quacking+duck · · Score: 1

      Okay, am I the only one that thinks that if you can't design something that renders text onto a screen without it turning into the Ocean's Eleven of computer security, you're doing it wrong? Be honest now guys. [...]

      But text... really guys, I mean, really?

      Slashdot, one of the geekiest sites with sysadmins who should know how to do it right... doesn't even *allow* Unicode, apparently due in part to some spoofing or other security risks.

      Never mind "doing it wrong", Slashdot isn't even *trying*. There should be no excuse after all this time. It's just text, after all. Right?

      Or perhaps modern text processing/rendering is much more complex and complicated than you think.

    18. Re:Le sigh. by lennier · · Score: 1

      Did you know that TTF fonts are turing complete?

      That's not any kind of excuse. Turing-completeness in itself need not imply that code should be able to break out of its execution environment.

      It is a very large library that actually includes a virtual machine that has been rewritten from pascal to single-threaded non-reentrant C to reentrant C… The code is extremely hairy and hard to review

      Yes, and that such a fundamental piece of code should be in such an awful state is pretty much exactly a summary of what's wrong with the software industry.

      Any foundational platform library must be reviewable and provable to be correct. I don't care how "hard" this is to do because the Internet does not care. The Internet is going to crash your code if it is crashable and you connect it to the Internet. And your code and everyone who uses your code is going to get destroyed. That's all there is to it. Be provably correct, or get rooted.

      If your code is so complicated that no human can prove it is correct, then your code is wrong, period. Either your language is wrong, or your architecture is wrong, or the way you've broken it down into components is wrong. If you're using C++, then your language is actively fighting against your attempts to prove correctness. If your architecture allows you to pass random unchecked raw memory pointers around and potentially execute them, then your architecture is also working to betray you. But just because these elements of the design are outside your control as a programmer doesn't mean that they aren't still wrong.

      Unfortunately we've now invested so much effort into building not-provably-correct broken programs on top of broken languages and architectures that the security problem is likely to be with us forever. So, um. Good luck on the Internet, everyone. The asteroid arrives Tuesday.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    19. Re:Le sigh. by smash · · Score: 1

      Looks like someone can't understand the concept of an example for the sake of making a point. I'm sure most people would much rather have a device that doesn't crash and doesn't get hacked, than gain 10% in speed.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    20. Re:Le sigh. by smash · · Score: 1

      Btw... Android running a JVM does exactly that - wasting battery so that programmers don't have to know how to use pointers. Seems to be quite successful.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    21. Re:Le sigh. by dkf · · Score: 1

      I'd say humans need to ditch all the BS and start from scratch to create a language that's easy to OCR with syntax and grammar that's extensible and non ambiguous and thus interpretable by machines.

      You want us all to switch to Marain to enable hyperintelligent starships and a left-wing intergalactic paradise? Sounds cool to me.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    22. Re:Le sigh. by TheRaven64 · · Score: 2

      They've created an entire virtual machine for the sole purpose of font rendering. Doesn't that strike you as just a little bit over the top? Text is just symbols arranged on the screen -- I'm certain better ways of doing this could be imagined that wouldn't require an exploitable VM with root permissions

      Spoken like someone who has never actually written code to display text. Sure, with monospaced bitmap fonts, this is an easy problem. For modern text, you start off with a set of bezier paths representing each glyph. That's fairly easy to render, and you can just start drawing each one to the right of the previous one. That will give you blurry characters with ugly spacing, but it's a start.

      So how do you fix the blurriness? Now you need some hinting telling the renderer when it should try to snap lines to the nearest pixel rather than approximate it and just rely on antialiasing. Oh, and those hints have to work on every combination of point size for the font and pixel size for the display (and, ideally, for different sub-pixel layouts) and so they're heavily parameterised. Doesn't need to be quite Turing-complete yet, but you're getting very close to Lambda calculus, although you can get away without recursion.

      But you still have spacing problems. Consider this trivial example: To. Now, in your naive approach, the left hand side of the o is the same distance from the right hand end of the cross-bar of the T. This distance will be the same as the distance between characters in nm. If you see this at the start of a word, like Tool, then it will look like there is more space between To than between oo or ol and that's ugly. So now you need some kerning hints that tell you how to tweak the spacing for each pair of letters, and these need to be parameterised over every pair of letters. For a simple ASCII font, that's 2^14 combinations, so you don't want to list them individually, you need to compute them.

      And that's just very basic letter layout. On a typical window, you may have thousands of characters, which all need to be laid out correctly (and deterministically, so characters don't jump around on every redraw). And so this is on the fast path. Is it surprising that it ends up in the fast path?

      Both Windows and *NIX have had serious exploits involving font rendering. X used to put FreeType in the X server (which ran as root), Windows used to put an equivalent in the kernel. Both have resulted in vulnerabilities from documents that embed fonts. When you have something that's performance critical (slow text rendering translates to slow window updates, which directly translates to user-perceived slowness) and depends on user-provided data, it's not surprising that there are security holes. X11 now moves font rendering to the client (although, like Quartz, it composites the glyphs on the server), so a font exploit doesn't get you root, it just gets you arbitrary code execution in your current application, for example the web browser.

      --
      I am TheRaven on Soylent News
    23. Re:Le sigh. by Anonymous Coward · · Score: 0

      All that trouble, and an old fashioned screen font still looks better.

      So much better in fact, that anti aliasing has become popular, even though it requires a retina screen to not look blurry.

    24. Re:Le sigh. by TheRaven64 · · Score: 1

      All that trouble, and an old fashioned screen font still looks better.

      Sure, as long as you only ever have one screen DPI to deal with and only need to support a small number of font sizes and don't ever need to print. Of course things look better if you draw them for the exact output format that you're targeting.

      --
      I am TheRaven on Soylent News
    25. Re:Le sigh. by Derek+Pomery · · Score: 2

      FWIW, you don't *have* to use Java for coding on Android, just like you don't have to use objc for coding on iOS.

      Our game has a Java frontend (that's needed) but the game library and the libraries it bundles with (sdl, physfs, netlib), are C (or in the case of the game engine, pascal).

      And ofc most of Android itself is absolutely not Java.

      For UIs, you can use pretty much anything, even Javascript. They aren't really that demanding...

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    26. Re:Le sigh. by Derek+Pomery · · Score: 1

      It was more a response to the simplicity of text rendering parent post...

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    27. Re:Le sigh. by Anonymous Coward · · Score: 0

      That doesn't excuse the fact that it's totally unnecessary. They've created an entire virtual machine for the sole purpose of font rendering. Doesn't that strike you as just a little bit over the top? Text is just symbols arranged on the screen -- I'm certain better ways of doing this could be imagined that wouldn't require an exploitable VM with root permissions.

      How is it that you don't get modded "-1, stupid / anti-informative / losing your shit over nothing" all the time? Seriously, whenever I see "girlintraining" I know exactly what's likely to come next: angry noise about problems which exist only in your head.

      Root permissions? There isn't any of that involved here. Hint: "virtual machine" doesn't always mean it's a virtual machine monitor capable of hosting an entire operating system. In this case it's a simplistic virtual CPU whose entire scope is shifting control points. As in, the only data visible to code running in a TTF "VM" is font outline vertices, a target pixel size, and a few scratch registers, and the only way it can influence the outside world is by emitting a modified form of those vertices (ideally something which will look better when the rasterizer generates a bitmap at the target pixel size). It's "Turing complete" only in the sense that it does implement branching and other constructs, so in principle if you extended it a bit to permit access to infinite memory it could compute anything.

      You're completely out to lunch with this garbage about it needing "administrative permissions". TTF hinting can be implemented with a really dumb interpreter since performance isn't too important (this isn't code which runs every time you draw a character, it's run once when setting up to draw a font at a given point size). Advanced techniques like JIT (which would require privileges) are completely unnecessary. TTF hinting can and does occur entirely in the context of an ordinary userland process.

      Also, TT and its bytecode hinting system debuted in 1991. It had to run (and run well) on sub-8MHz 68000 processors. So stop assuming this is some crazy heavyweight system invented by know-nothings killing flies with cannons.

      FINALLY, absolutely none of this is even relevant to the crash! It isn't caused by malicious TTF bytecode. It's a letter sequence which crashes the Core Text rasterizer in iOS/OSX when using a font that comes pre-installed on the system.
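The design argument in the comment above (a hint program sees only outline points, a target pixel size and scratch storage, and can only emit adjusted points) can be shown with a toy interpreter. This is an added example, not FreeType or CoreText code; the opcodes, `run_hints` and `try_run` are invented for illustration and are not the TrueType instruction set.

```python
class HintError(Exception):
    """Raised when a hint program breaks a sandbox rule."""


def run_hints(program, points, ppem, max_steps=1000, max_stack=32):
    """Run a toy hint program and return the adjusted points.

    The program can read and write point coordinates, read ppem (target
    pixel size) and use its own stack. Nothing else is reachable.
    """
    pts = [list(p) for p in points]   # private copy, caller's data is not aliased
    stack = []
    pc = steps = 0

    def pop():
        if not stack:
            raise HintError("stack underflow")
        return stack.pop()

    def push(value):
        if len(stack) >= max_stack:
            raise HintError("stack overflow")
        stack.append(value)

    def point_index():
        idx = pop()
        # Reject negatives explicitly: Python would otherwise wrap them.
        if not isinstance(idx, int) or not 0 <= idx < len(pts):
            raise HintError("point index out of range")
        return idx

    def jump_target(target):
        if not isinstance(target, int) or not 0 <= target <= len(program):
            raise HintError("jump target out of range")
        return target

    while pc < len(program):
        steps += 1
        if steps > max_steps:         # branching allows loops, so bound them
            raise HintError("step budget exhausted")
        op, *args = program[pc]
        pc += 1
        if op == "PUSH":
            push(args[0])
        elif op == "PPEM":
            push(ppem)
        elif op == "GETY":
            push(pts[point_index()][1])
        elif op == "SETY":            # stack: ... index value
            value = pop()
            pts[point_index()][1] = value
        elif op == "ROUND":           # snap a coordinate to the pixel grid
            push(round(pop()))
        elif op == "LT":
            b, a = pop(), pop()
            push(1 if a < b else 0)
        elif op == "JMPZ":
            target = jump_target(args[0])
            if pop() == 0:
                pc = target
        elif op == "JMP":
            pc = jump_target(args[0])
        else:
            raise HintError("unknown opcode %r" % (op,))
    return [tuple(p) for p in pts]


def try_run(program, points, ppem):
    """Return ("ok", points) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", run_hints(program, points, ppem))
    except HintError as exc:
        return ("rejected", str(exc))


# Constructed hint program: below 20 ppem, snap point 1's y to the grid.
SNAP_SMALL_SIZES = [
    ("PPEM",), ("PUSH", 20), ("LT",), ("JMPZ", 9),
    ("PUSH", 1), ("PUSH", 1), ("GETY",), ("ROUND",), ("SETY",),
]
# Constructed hostile programs: an endless loop and a wild point index.
ENDLESS_LOOP = [("JMP", 0)]
WILD_INDEX = [("PUSH", -1), ("GETY",)]
OUTLINE = [(0.0, 0.0), (3.2, 6.6)]    # constructed sample outline, pixel units

if __name__ == "__main__":
    for prog in (SNAP_SMALL_SIZES, ENDLESS_LOOP, WILD_INDEX):
        print(try_run(prog, OUTLINE, 12))
```
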

    28. Re:Le sigh. by Anonymous Coward · · Score: 0

      Ah, but the hyperintelligent starships running the paradise would never insist that you speak Marain. They'd offer you personalized real-time translation if you wanted to be a part of the Culture without actually learning the language.

    29. Re:Le sigh. by Anonymous Coward · · Score: 0

      p.s. fucking bastard cancer. RIP Iain M. Banks.

    30. Re:Le sigh. by mcgrew · · Score: 1

      I just now saw your comment while metamoderating, that was an excellent comment. The two guys who modded you up did well.

      A bitmap ASCII (CP437) font? Done. I can crank one out in an hour, tops

      You're better than I ever was, then. Of course, my tools were primitive. That took me back to 1984 when I discovered that the video circuit in Radio Shack's MC10 was capable of NTSC standard format quality video (but only in 8 colors) and decided to write a graphics program for it. It was great fun.

      Anyway, I decided to add text capabilities to the drawing program, and it took a hell of a lot longer than an hour. I mapped it out on graph paper first, which took hours in itself and probably an hour to input the codes.

      Since I'd made it so you could print your artwork on its plotter, I eventually made it into a word processor. In 20k running on a 6802 chip IIRC.

      Primitive times, a year later when I was looking for work the guy who interviewed me bragged about his mainframe, which had a whopping two megabytes of memory. I didn't get the job.

      I haven't done any "real" programming since they ditched NOMAD and dBase and switched to MS Access at work ten years ago. Yech, glad I retire next year.

  8. Windows affected too? by AmiMoJo · · Score: 2

    The Windows versions of iTunes and Safari include the MacOS font rendering code so that they look identical to the Mac versions. If the code is vulnerable it seems that those applications may also be vulnerable, although at least it's an app level problem and thus not as serious.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Here's a link to the crasher string in question by Anonymous Coward · · Score: 5, Informative

    Here's a link to the crasher string in question:

    http://pastebin.com/kDhu72fh

    (warning: will crash Safari on OS X 10.8. Firefox doesn't crash.)

    1. Re:Here's a link to the crasher string in question by Anonymous Coward · · Score: 1

      An example of the "offending string" itself, dumped to hexadecimal, is:

      d8 b3 d9 85 d9 8e d9 80 d9 8e d9 91 d9 88 d9 8f d9 88 d9 8f d8 ad d8 ae 20 cc b7 cc b4 cc 90 d8 ae 20 cc b7 cc b4 cc 90 d8 ae 20 cc b7 cc b4 cc 90 d8 ae 20 d8 a7 d9 85 d8 a7 d8 b1 d8 aa d9 8a d8 ae 20 cc b7 cc b4 cc 90 d8 ae 0a

      have Webkit interpret that as UTF-8 characters to see the fun.

    2. Re:Here's a link to the crasher string in question by Cinder6 · · Score: 3, Informative

      Confirmed Safari crash on 10.8. However, on iOS 7, it does not crash. It looks like this will be patched on mobile within the next couple of weeks. I can't test iOS 6, so I'll take others' word for it.

      --
      If you can't convince them, convict them.
    3. Re:Here's a link to the crasher string in question by Anonymous Coward · · Score: 0

      " " I removed one character so it shouldn't be "active". I put it into google translate, Smoouhkh x-x-x Amartykh is output - A NAME?

    4. Re:Here's a link to the crasher string in question by Anonymous Coward · · Score: 0

      Here's a link to the crasher string in question:

      here

      (warning: will crash Safari on OS X 10.8. Firefox doesn't crash.)

      Fixed the link and...
      It's just a mash of Arabic? Wow, that's anticlimactic. I was expecting something to actually employ the weird characters, but Apple has left itself vulnerable to random plaintext in a foreign character set.

    5. Re:Here's a link to the crasher string in question by femtobyte · · Score: 1

      I suppose the "weird stuff" in there might be the block of U+03XX "combining diacritical" marks; so the string requires sticking a bunch of diacriticals over Arabic characters (which might invoke whatever fancy part of the code is broken). Someone with more time could play around with reducing this to a more "minimal" crash example.

    6. Re:Here's a link to the crasher string in question by Anonymous Coward · · Score: 0

      I suppose the "weird stuff" in there might be the block of U+03XX "combining diacritical" marks; so the string requires sticking a bunch of diacriticals over Arabic characters (which might invoke whatever fancy part of the code is broken).

      Except, that's how Arabic works. Not using combining diacritical marks in Arabic would be almost the same as nt sng vwls n nglsh.

    7. Re:Here's a link to the crasher string in question by femtobyte · · Score: 1

      However, is this particular combination of combining diacriticals a "valid" one in Arabic? The U+03XX diacriticals are "general use" and not Arabic-specific, so this might be an unusual (or even "invalid") combination in Arabic orthography (which I don't know much about). Note, I seem to be able to get the crash just with the two characters + diacriticals "\xcc\xb7\xcc\xb4\xcc\x90\xd8\xae \xcc\xb7\xcc\xb4\xcc\x90" (telling python to print that in Terminal.app under OS10.8.2 kills Terminal.app...). Is this a combination that should occur in "ordinary" Arabic text?

    8. Re:Here's a link to the crasher string in question by Smurf · · Score: 1

      Yes, TFS fails to mention that both of the TFAs specifically state that neither iOS 7 nor OS X 10.9 Mavericks are affected by the bug.

    9. Re:Here's a link to the crasher string in question by Anonymous Coward · · Score: 0

      Doesn't matter if it should occur or not, it's a valid use case.
      Countless items that are not orthographic get used anyhow for emoticons and business signage.
      And with some languages, keyboards output 0x3xx codes directly rather than dead-keys now, which makes it easier to type in things for Twitter.

      I've often put 0x3xx codes with Japanese, and symbols, and with random English letters as well. For effect: underlining a word for a tweet; slash-through a symbol or Japanese text.
      I've even misused Arabic and Ogham characters with language-specific diacritics (non general use) to make some amusing smilies.
      The o_o with the Kannada symbols that look like disgruntled eyes... add ` and ' to them to give eyebrows, and a combining underbar below for a goatee :3

    10. Re:Here's a link to the crasher string in question by femtobyte · · Score: 1

      Right, I'm not trying to excuse Apple --- this is a bug, and shouldn't happen. However, it's maybe something a bit more subtle than "crashes on Arabic plain text," which would have been caught much more quickly. The AC above (assuming you're the same one?) was "disappointed" that this wasn't using "weird characters" --- but stacking a bunch of diacriticals not normally used with the script (the Arabic block apparently contains its own diacriticals) in an invalid way is getting pretty "weird." The breakdown of the problematic string, reduced to a minimal example that causes problems, is:

      d8ae normal Arabic character
      20 space
      ccb7 ccb4 cc90 three diacriticals from outside the Arabic block, stacked atop a "space" character right after switching from Arabic diacritical handling

      how much more "weird" were you hoping for?
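The breakdown in the comment above can be checked mechanically, and the same properties can drive an input filter for untrusted display text such as page titles or network names. The following is an added example, not code from the thread, from Apple, or from any site's filter; the flagging rules, `max_marks` and all function names are assumptions, and whether stripping these runs avoids the CoreText bug has not been verified here.

```python
import unicodedata

# UTF-8 bytes from the breakdown in the comment above, written as hex.
SAMPLE_HEX = "d8ae 20 ccb7 ccb4 cc90"
# Constructed benign sample: an Arabic word carrying its own vowel marks.
BENIGN = "\u0643\u064e\u062a\u064e\u0628\u064e"

GENERIC_MARKS = range(0x0300, 0x0370)   # "Combining Diacritical Marks" block


def decode_hex(hex_bytes):
    """Turn a spaced hex dump of UTF-8 into a str."""
    return bytes.fromhex(hex_bytes.replace(" ", "")).decode("utf-8")


def describe(text):
    """One record per code point: number, name, category, combining class."""
    return [
        {
            "cp": "U+%04X" % ord(ch),
            "name": unicodedata.name(ch, "<unnamed>"),
            "category": unicodedata.category(ch),
            "ccc": unicodedata.combining(ch),
        }
        for ch in text
    ]


def is_mark(ch):
    return unicodedata.category(ch) in ("Mn", "Me")


def script_hint(ch):
    """Crude script label: the first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def flag_mark_runs(text, max_marks=2):
    """Report runs of combining marks that match the pattern described above.

    Heuristic reasons (assumptions of this example):
      no-base                     run starts the string
      marks-on-whitespace         run is attached to a whitespace character
      long-run                    more than max_marks marks on one base
      generic-marks-after-arabic  U+03xx marks whose nearest preceding
                                  letter is Arabic
    """
    findings = []
    i, n = 0, len(text)
    while i < n:
        if not is_mark(text[i]):
            i += 1
            continue
        start = i
        while i < n and is_mark(text[i]):
            i += 1
        run = text[start:i]
        base = text[start - 1] if start > 0 else None
        reasons = []
        if base is None:
            reasons.append("no-base")
        elif base.isspace():
            reasons.append("marks-on-whitespace")
        if len(run) > max_marks:
            reasons.append("long-run")
        prev_letter = next((c for c in reversed(text[:start]) if c.isalpha()), None)
        if (prev_letter is not None and script_hint(prev_letter) == "ARABIC"
                and any(ord(c) in GENERIC_MARKS for c in run)):
            reasons.append("generic-marks-after-arabic")
        if reasons:
            findings.append({
                "offset": start,
                "length": len(run),
                "base": None if base is None else "U+%04X" % ord(base),
                "marks": ["U+%04X" % ord(c) for c in run],
                "reasons": reasons,
            })
    return findings


def neutralize(text, max_marks=2):
    """Drop every flagged mark run, for logs, previews and network lists."""
    out, last = [], 0
    for f in flag_mark_runs(text, max_marks):
        out.append(text[last:f["offset"]])
        last = f["offset"] + f["length"]
    out.append(text[last:])
    return "".join(out)


if __name__ == "__main__":
    sample = decode_hex(SAMPLE_HEX)
    for record in describe(sample):     # prints names only, never the raw text
        print(record)
    print(flag_mark_runs(sample))
```

Ordinary Arabic vowel marks live in the Arabic block and sit one per letter, so the benign sample passes untouched while the sequence from the comment is flagged on three counts.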

    11. Re:Here's a link to the crasher string in question by ArsenneLupin · · Score: 1

      Kudos for this, yes this works with a Mac. And the advantage over the original codes: it's short enough to use as a Wifi ESSID...

    12. Re:Here's a link to the crasher string in question by ArsenneLupin · · Score: 1
      For extra fun: define this as an Ad-Hoc network on your phone.

      Indeed, some phones automatically pick up all ad-hoc networks within reach, and add them to their own list of advertised networks, spreading this on. Obviously, this spreading only works on non-iOS phones, but if well done this could soon make iOS phones useless in crowded places...

  10. "Nefarious users to" by Spy+Handler · · Score: 2

    if the attacker has physical access to your machine, you're already toast.

  11. Good thing Slashdot doesn't support Unicode! by Anonymous Coward · · Score: 5, Funny

    Otherwise someone would post it in the comments here and crash iPhone users' browser!

    1. Re:Good thing Slashdot doesn't support Unicode! by ArsenneLupin · · Score: 1
      But Facebook and Twitter do...

      https://zhovner.com/tmp/killwebkit.html

    2. Re:Good thing Slashdot doesn't support Unicode! by ArsenneLupin · · Score: 1
      Actually, Facebook doesn't. I accidentally had downloaded the magic terrorist mantra using curl in a konsole, from which I copy-pasted it into Facebook. However, konsole must have stripped its magic vibes...

      After I retried it by visiting the URL with Firefox, and copying the contents from there to Facebook, I got "This message contains content that has been blocked by our security systems.

      If you think you're seeing this by mistake, please let us know."

      ... but Twitter still took it!

    3. Re:Good thing Slashdot doesn't support Unicode! by ArsenneLupin · · Score: 1
      Actually, Facebook takes it too, but it takes somewhat more smarts: just set up a web page, enter the magic terrorist thread as the <title>, and post a link to the web page to Facebook. As Facebook enters the title itself, it will not scan it for any "forbidden content", and presto!

      I still don't know what this Arabic sentence means, but I tested it with Safari on a Mac, and indeed, it goes kaboom as soon as I visit my Facebook page!

  12. Can vs. Will by SuperKendall · · Score: 1

    Google can roll out system patches via Play too.

    Will they for a vulnerability that spans v2.x to 4.x?

    CAN they across every single Android device?

    The difference is that currently well over 90% of devices are running iOS6...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Can vs. Will by AmiMoJo · · Score: 1

      Yes and yes. For example they recently rolled out a system update for the app signature spoofing vulnerability and every version of the OS got it, on every device with Google Play (i.e. 99% of them, only major forks like Amazon's Kindle OS were not covered).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Can vs. Will by exomondo · · Score: 1

      Yes and yes.

      From what I've seen the answer is actually no. They issued a patch to the OEMs which then are responsible for patching handsets. Also AFAIK the update issued via Google Play was to patch Google Play itself to scan for this issue, it didn't patch Android:

      "Google Play scans for this issue – and Verify Apps provides protection for Android users who download apps to their devices outside of Play"
      http://9to5google.com/2013/07/09/google-patches-android-to-block-application-signature-vulnerability/

  13. String by Anonymous Coward · · Score: 0

    The string that causes the crash is "Ballmer new Apple CEO".

  14. Re:Whew ... by Anonymous Coward · · Score: 0

    Are there any Android tablets released around January 2010 that can be updated?

    Do I even have to put in a date?

  15. Please tell me.... by Lumpy · · Score: 1

    That this can be used to get an ATV 3 cracked

    --
    Do not look at laser with remaining good eye.
  16. Re:Whew ... by Anonymous Coward · · Score: 0

    One of the first Android tablets (and possibly the first to be worth a damn), the original Galaxy Tab, is upgradable to 4.2 (with 4.3 on the way):

    http://get.cm/?device=p1

  17. Re:Whew ... by Steve+Max · · Score: 1

    From the same time frame, the encore (B&N Nook Color) is 100% supported on CM10.2 (or Android JellyBean 4.3):
    http://get.cm/?device=encore

  18. Brings me back to the days of AOL. by Anonymous Coward · · Score: 0

    Ah, I remember when AOL allowed HTML formatting, and inputting a near-infinite font size in hexadecimal ("fffffffffffffffffffffffffffffffff" or larger) in an email or "IM" text would crash the computer.
    Also, a similar bug for "font color ="

    no one ever suspects the font!

  19. The myth of the equal opportunity attacker by benjymouse · · Score: 3, Insightful

    Holy cow, your fanboy hat must be cutting off the flow of blood to your brain. Explain again why an OS with 4x the market share garners 100x the exploits?

    Attackers will *always* try to attack the biggest target. They are not for equal opportunity, they do not meet to work out quotas so that OSes get attacked according to their market share.

    Say you joined a shooting competition: You can shoot at two targets, equal size and equal distance, no objective difference at all. Only difference is that each time you hit target A four people will give you $10 each and each time you hit target B only one person gives you $10. You have 10 rounds. How do you distribute your rounds between the two targets? Do you fire 8 shots at target A and 2 shots at target B because that would be the most fair thing to do, or do you fire all 10 shots at target A?

    Maybe, just maybe, there's more to it than market share.

    There might be. When you see people start taking shots at B, despite the higher reward of hitting target A, you can conclude that some factor causes them to *not* go for the higher reward. Somehow target A must have become harder to hit, the reward is going down or the shooters' skills allow them to hit target B more easily.

    But all other things being equal, prudent attackers who are in it for the rewards will go for the higher market share, every time.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:The myth of the equal opportunity attacker by Anonymous Coward · · Score: 0

      Attackers will *always* try to attack the biggest target. They are not for equal opportunity, they do not meet to work out quotas so that OSes get attacked according to their market share.

      That is far too absolutist. Consider a reductio ad absurdum. Assume one vendor has 49.9% and the other 50.1%. Would the attackers all be targeting the 50.1% platform? If the tables turned would they all switch to the new majority platform? No. Both of those ideas are dumb. If all else was equal, they would've been attacking both platforms all along, and would continue to do so even if things shifted to 60/40 or 70/30.

      Attackers will attack wherever they perceive a viable way to make money. iOS is more than big enough to be an attractive target for hacking, especially when you consider the user profile (noticeably more likely than the average Android user to heavily use internet services, purchase applications, and so on). But there are some rather obvious technology / ecosystem differences which make it much more difficult for malware creators to target iOS:

      1. Every app is sandboxed to the extent that it's hard to even share data files between apps.
      2. Short of jailbreak, there is only one way to get apps, and Apple controls it.
      3. Apple puts apps through much more independent review than any Android app gets from anybody.
      4. The instant it's clear a rogue app got past review, Apple can pull it from the app store and new infections stop. If it's something really bad they can remote killswitch it.
      5. Apple does a spectacular job at keeping its userbase on the latest OS version. As of June of this year something like 90%+ of users were on iOS 6 (the latest), and the rest were mostly 5.x. Most Android users rely on carriers for OS updates, and carriers tend to just not bother with them as they'd rather push you towards a new phone to get a new OS.

      All of these policies are routinely derided as Apple wanting DRACONIAN CONTROL OVER USERS blah blah blah (insert massive tinfoil rant). That's all noise. It's actually about security. It's definitely an inconvenience -- the file thing, for example. And how many stories have we all read about developers having to jump through silly hoops thanks to hiccups in the app approval process? But in the end it does actually work. It's not impossible to write iOS malware, but it's much more difficult.

      Which brings us back to the "attackers are rational" angle. Rational attackers think about risk versus reward, and by "risk" I don't mean the risk of going to jail but rather how much development time is being put on the line, the time window over which an exploit will remain viable in the field, and so forth. When you look at it in those terms, that's when it becomes clear why attackers don't bother with iOS. The potential monetary rewards are there, but the risks are high. The average exploit will likely require more time investment, and the probability of it remaining viable in the field for months to years is essentially zero thanks to Apple's update policies and total control over app distribution. Android and Symbian are low-hanging fruit, so that's where they focus their efforts.

    2. Re:The myth of the equal opportunity attacker by exomondo · · Score: 1, Insightful

      Attackers will *always* try to attack the biggest target. They are not for equal opportunity, they do not meet to work out quotas so that OSes get attacked according to their market share.

      Ok then so if iOS has 13.2% marketshare then why does it only get 0.7% of the smartphone malware and the remaining 20.3% of smartphone malware is targeted at the remaining various players that make up just 6.8% of the marketshare?

  20. C buffer overflow again. by Animats · · Score: 1

    It's written in C and it's a buffer overflow exploit, right?

    We warned you. You didn't listen. Now suffer.

    1. Re:C buffer overflow again. by gnasher719 · · Score: 1

      It's written in C and it's a buffer overflow exploit, right?

      It's a crash. It's not an exploit. Therefore you are wrong, it is not a buffer overflow exploit.

  21. Jailbreak by hawkbug · · Score: 1

    Great. So when is the next jailbreak for 6.1.4 coming out?

  22. Bad, bad, bad... by Anonymous Coward · · Score: 0

    Whatever you guys do, do NOT post the link (http://pastebin.com/kDhu72fh) to your Facebook feed!
    Facebook shows textual preview of the page and... Yah... Exactly. ;-)

  23. The best part: Just name your Wifi network the by ArsenneLupin · · Score: 1
    The best part: Just name your Wifi network the exploit string:

    Safari is also impacted by the bug, and naming a Wi-Fi network with one of the strings of text can cause an error while an Apple device is scanning for networks.

    So, just buy a couple of inexpensive Wifi mini routers, hook them up a battery pack, and place them near apple user watering holes, sit back and watch the fun...

    1. Re:The best part: Just name your Wifi network the by ArsenneLupin · · Score: 1
      Oh, and to get the magic string:

      curl https://zhovner.com/tmp/killwebkit.html

      I'd paste the actual terrorist string into this comment, but unfortunately, Slashdot's Unicode handling TSAs it... :-(

    2. Re:The best part: Just name your Wifi network the by ArsenneLupin · · Score: 1
      Although Slashdot TSA's the magic sesame, Facebook and Twitter do not... So, let's just wait for the first angry iOS users to peep up.

      Just let's hope that I didn't fall for the Arabic equivalent of a Japanese tattoo prank though...

    3. Re:The best part: Just name your Wifi network the by ArsenneLupin · · Score: 1

      O, and when pasting the contents of killwebkit.html into Twitter or other social media, be sure to visit the site using your web browser, rather than downloading it via curl. Indeed, some terminal programs, such as konsole tend to strip off its voodoo...

    4. Re:The best part: Just name your Wifi network the by ArsenneLupin · · Score: 1

      Oops, too long for a Wifi ESSID, unfortunately :-(

    5. Re:The best part: Just name your Wifi network the by ArsenneLupin · · Score: 1

      Fortunately, there are shorter sequences that work too...: Slashdot post outlining a 15 byte sequence

    6. Re:The best part: Just name your Wifi network the by ArsenneLupin · · Score: 1

      Confirmed with a colleague's iPhone: yes, the presence of such an ESSID in the room prevents him from joining any new Wireless network... W00t!

    7. Re:The best part: Just name your Wifi network the by Anonymous Coward · · Score: 0

      "ArsenneLupin's" posts on this topic, translated: "Lookit me lookit me I'm a giant asshole with a hardon for harassing random strangers just because they picked a hardware vendor I don't like!!!11!! Oh please oh please slashdot notice me and how brave and wonderful I am for turning a bug into a DoS against Apple sheeple!"

      Grow up, dude.

  24. Re:Whew ... by Anonymous Coward · · Score: 0

    As others have shown you, the first Android tablets can run Jelly Bean (either 4.2 or 4.3), so you're positively full of crap. Also, there was no iOS tablet on the market around January 2010 (the iPad was released around April, and the first Android tablets are from October).

  25. ØÙ...ÙZÙÙZÙ'Ù&# by Anonymous Coward · · Score: 0

    ØÙ...ÙZÙÙZÙ'ÙÙÙÙØØ® ÌÌÌØ® ÌÌÌØ® ÌÌÌØ® ØÙ...ØØ±ØÙSØ® ÌÌÌØ®