Slashdot Mirror


CoreText Font Rendering Bug Leads To iOS, OS X Exploit

redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well."

37 of 178 comments

  1. Character-based displays FTW! by sootman · Score: 5, Funny

    I am totally safe.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  2. Re:Who says? by larry bagina · Score: 5, Informative
    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  3. iOS doesn't have exploits by 0xdeadbeef · Score: 3, Insightful

    It has jailbreaks, and that's a good thing.

    1. Re:iOS doesn't have exploits by gnasher719 · Score: 5, Informative

      I thought Apple added address space randomization back in Leopard? What happened?

      The problem that was reported leads to a crash. A crash is _safe_. An attacker can't gain any advantage by crashing your computer. They can merely annoy you.

      Address Space Randomization cannot prevent crashes. Its purpose is to prevent crashes being turned into exploits. An attacker does two things: Find a way to make your software fail, then find a way to turn that failure into an advantage for the attacker. The second part is where Address Space Randomization comes in. The next step is Sandboxing, where even if the attacker finds a way past ASR and takes over your code, your code would be in a sandbox and can't do any harm outside.

    2. Re:iOS doesn't have exploits by bill_mcgonigle · Score: 2

      But the GP was referring to jailbreaks - I thought those were exploits "used for good"?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. Re:Who says? by sootman · Score: 3, Informative

    Was going to post that but you beat me to it. The details:

    Headline: "Four Out of Five Malware Menaces Choose Android"

    80%? They make it sound so close! It's actually 100:1 for Android:iOS: "Android was targeted by an astonishing 79 percent of all smartphone malware that year... iOS was targeted by 0.7 percent of malware attacks."

    The rest? Windows Phone and BlackBerry, 0.3%; Symbian, 19%.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  5. Re:Who says? by smash · Score: 3, Insightful

    Targeted != exploited. They're both targeted, just Android is a lot easier to exploit because there is so much junk out there without any updates.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  6. Windows affected too? by AmiMoJo · Score: 2

    The Windows versions of iTunes and Safari include the MacOS font rendering code so that they look identical to the Mac versions. If the code is vulnerable it seems that those applications may also be vulnerable, although at least it's an app level problem and thus not as serious.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Here's a link to the crasher string in question by Anonymous Coward · Score: 5, Informative

    Here's a link to the crasher string in question:

    http://pastebin.com/kDhu72fh

    (warning: will crash Safari on OS X 10.8. Firefox doesn't crash.)

    1. Re:Here's a link to the crasher string in question by Cinder6 · Score: 3, Informative

      Confirmed Safari crash on 10.8. However, on iOS 7, it does not crash. It looks like this will be patched on mobile within the next couple of weeks. I can't test iOS 6, so I'll take others' word for it.

      --
      If you can't convince them, convict them.
  8. Re:Who says? by P-niiice · Score: 4, Informative

    The freedom to allow apps permissions for your system brings risks. Read the permissions screen before clicking 'allow', folks.

  9. "Nefarious users to" by Spy Handler · Score: 2

    If the attacker has physical access to your machine, you're already toast.

  10. Re:Le sigh. by Derek Pomery · Score: 5, Informative

    Did you know that TTF fonts are Turing complete?
    http://en.wikipedia.org/wiki/True_Type_Font#Hinting_language

    "It really worries me that the FreeType font library is now being made to accept untrusted content from the web.

    The library probably wasn't written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executables on a computer, and it's already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.

    It is a very large library that actually includes a virtual machine that has been rewritten from Pascal to single-threaded non-reentrant C to reentrant C… The code is extremely hairy and hard to review, especially for the VM."

    http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
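
As an added editor's example (not code from the thread or from any font project), here is the check a defender can run on a font file before it reaches a renderer like the one discussed above: parse only the sfnt table directory and reject any record whose offset and length point outside the file, so no table body is ever touched for a malformed file. The font blobs below are constructed with dummy table payloads, and `build_font`, `parse_table_directory` and `check_font` are names chosen for this example, not an API of FreeType or CoreText.

```python
import struct

# Layout of the sfnt table directory (TrueType/OpenType, all big-endian).
SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length
KNOWN_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}   # 1.0, 'true', 'OTTO'

def parse_table_directory(font):
    """Return {tag: (offset, length)} for a font blob, raising ValueError for
    any directory entry that points outside the file. Nothing beyond the
    directory is read, so a hostile table body is never touched here."""
    if len(font) < SFNT_HEADER.size:
        raise ValueError("file shorter than the sfnt header")
    version, num_tables, _, _, _ = SFNT_HEADER.unpack_from(font, 0)
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unknown sfnt version 0x{version:08x}")
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(font):
        raise ValueError(f"numTables={num_tables} puts the directory past end of file")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            font, SFNT_HEADER.size + i * TABLE_RECORD.size)
        # Python integers cannot wrap, so offset + length is exact here. A C
        # parser must guard this sum against 32-bit overflow before comparing.
        if offset < dir_end or offset + length > len(font):
            raise ValueError(
                f"table {tag!r} spans [{offset}, {offset + length}) in a "
                f"{len(font)}-byte file")
        name = tag.decode("latin-1")
        if name in tables:
            raise ValueError(f"duplicate table {name!r}")
        tables[name] = (offset, length)
    return tables

def check_font(font):
    """'ok' if the directory is internally consistent, else the reason."""
    try:
        parse_table_directory(font)
        return "ok"
    except ValueError as exc:
        return str(exc)

def build_font(tables, lie_about=None):
    """Construct a minimal sfnt blob from {tag: bytes} for testing. lie_about
    maps a tag to a bogus declared length so a malformed sample can be built
    without hand-editing bytes. Search fields are zeroed; the parser ignores them."""
    lie_about = lie_about or {}
    dir_end = SFNT_HEADER.size + len(tables) * TABLE_RECORD.size
    records, body, offset = [], b"", dir_end
    for tag, data in tables.items():
        length = lie_about.get(tag, len(data))
        records.append(TABLE_RECORD.pack(tag.encode("latin-1"), 0, offset, length))
        padded = data + b"\0" * (-len(data) % 4)   # table data is 4-byte aligned
        body += padded
        offset += len(padded)
    return SFNT_HEADER.pack(0x00010000, len(tables), 0, 0, 0) + b"".join(records) + body

# Constructed samples (not real fonts): dummy 'head' and 'glyf' payloads.
SAMPLE_TABLES = {"head": b"\x00" * 54, "glyf": b"\x00" * 8}
GOOD_FONT = build_font(SAMPLE_TABLES)
BAD_LENGTH_FONT = build_font(SAMPLE_TABLES, lie_about={"head": 0xFFFFFFF0})
TRUNCATED_FONT = GOOD_FONT[:20]

if __name__ == "__main__":
    print("good:     ", parse_table_directory(GOOD_FONT))
    print("bad len:  ", check_font(BAD_LENGTH_FONT))
    print("truncated:", check_font(TRUNCATED_FONT))
```

The directory check is deliberately the only thing done before the file is handed on: it is cheap, it needs no knowledge of the hinting bytecode the thread worries about, and a file that fails it has no business reaching the VM at all.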
  11. Re:Who says? by ciderbrew · Score: 3, Insightful

    I do; but it's more like ... Find something that looks really good, then look at all the permissions it wants; but it shouldn't need all those permissions!! Feel sad about it and then don't install it unless drunk.

  12. Good thing Slashdot doesn't support Unicode! by Anonymous Coward · Score: 5, Funny

    Otherwise someone would post it in the comments here and crash iPhone users' browser!

  13. Re:Who says? by sootman · Score: 2, Insightful

    Holy cow, your fanboy hat must be cutting off the flow of blood to your brain. Explain again why an OS with 4x the market share garners 100x the exploits?

    Maybe, just maybe, there's more to it than market share.

    "... it fell 3% in marketshare in just the last three months..."

    iPhone sales ALWAYS drop this time of year because everyone knows a new one is coming this Fall. It'll be back up in another few months... and then maybe down again, and then up again...

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  14. Re:Who says? by Joce640k · Score: 3, Insightful

    Well that would be logical wouldn't it, given that Android is a more widely used platform.

    Not only that, it has a checkbox to allow you to install unsigned apps from uncontrolled websites.

    Unsurprisingly, bad people upload malware to those sites. If you download it and click "yes", you'll get what you deserve, just like installing randomly downloaded exe files on PCs, etc.

    --
    No sig today...
  15. Re:Who says? by Gilmoure · Score: 2, Funny

    Exactly! Apple's never been a big enough target or had enough users to make anyone want to hack them. As for those Apple (l)oosers? Just think how boring their lives have been for all these decades, not getting the real experience of using computers but stuck just playing quietly with their toys. Stoopid loosers!

    --
    I drank what? -- Socrates
  16. Re:Who says? by NatasRevol · Score: 2

    Yeah, all the malware is avoided if you don't click allow.

    That's just damn funny.

    --
    There are two types of people in the world: Those who crave closure
  17. Re:Who says? by Anubis IV · Score: 3, Informative

    Secure? Maybe, maybe not. Having less malware does not mean something is more secure, after all. More safe? Definitely so, since having less malware means that there is simply less danger. A walled garden in the countryside is more safe but less secure than an apartment with bars over all the windows in the middle of the city, after all, and safety is what is more important overall, rather than security.

    Of course, that doesn't excuse a company for failing to secure their products, just because no one has attacked them yet, but by all indications, the "security through obscurity" argument doesn't hold much water in this case, given that iPhone users are consistently shown to be disproportionately profitable to target and that they continue to sell extremely well overall (even the report you linked cites the fact that this is an expected low as part of the regular product cycle for the line and that they expect the iPhone to recapture its lost market share with the launch of the new iPhone this quarter).

    Long story short, Android appears to be less secure and less safe. Which is to be expected, given the fact that developers are able to do a lot more on Android than they can on iOS, so it's not without its upsides, by any means. But that added capability (and the fact that every carrier/manufacturer makes their own tweaks that can open up vulnerabilities) comes at a price, and in this case, it's security.

  18. Re:Le sigh. by iluvcapra · Score: 3, Informative

    Desktop publishing has used embedded, Turing-complete languages for decades -- TeX is Turing-complete, as is XSLT. It's the best and most compact way of specifying an abstract image for generic rasterizing displays of arbitrary resolution.

    --
    Don't blame me, I voted for Baltar.
  19. Re:Typical of Apple by Cinder6 · Score: 2

    It's fixed in the current iOS 7 beta.

    --
    If you can't convince them, convict them.
  20. Re:Who says? by 0123456 · Score: 4, Insightful

    Right, because having users manage their own risk profile has worked out so well in the PC/Windows world...

    Indeed. Letting someone else control your computer is much safer.

    Android's big problem is that you have no way of saying 'no, I'm not giving this app that permission', and can only choose to install or not install the Fluffy Kitty Screen Saver that wants access to your filesystem, the Internet, and the ability to send SMS messages.

  21. Re:Who says? by Plumpaquatsch · Score: 2, Insightful

    Well that would be logical wouldn't it, given that Android is a more widely used platform. Hackers often try to get the biggest 'bang for buck' and target the most popular platforms (see also number of Windows viruses vs. Mac OS ones).

    Are you claiming iOS was targeted far more than Android just 2 years ago?

    --
    Of course news about a fake are Fake News.
  22. Re:Who says? by chowdahhead · Score: 3, Insightful

    I think Android is targeted more because it isn't inherently tied to the Play store, and not so much because of devices not being updated. The app signature verification works for 2.3 and up, which covers 96% of Google's Android devices. Getting malware on a phone or tablet still generally requires installing a malicious app, and it's far easier to be careless about that on Android.

  23. Re:Who says? by RoboJ1M · Score: 4, Interesting

    Agreed.

    It's the same as Windows, you just target what gets you the largest return. Organised crime is a business, just like any other.
    However there is still the walled garden thing, even if Apple went back up to a 50:50 market share with Android, Android would get targeted more because every Android user can choose to install any application and give that app the permission to email their bank details to Russia.

    With iOS they have to wait for a good ol' fashioned buffer overflow before they can grab anything I guess.
    Unless you get that with iOS too? I don't know, I've never owned one.

    But the 8:2 logic holds up; when the sample size is that large I'm guessing that's exactly the reason why.

    Ultimately it's all moot.

    If Apple had 100% of the market share this is what would happen:

    The crims would send everyone SMS/emails with links to pages that asked them for their passwords, and X percent of users would give it to them.

    No amount of security or walled gardens get around the fact most of you are really really thick.

    You don't have to install Cute Kitty Wallpapers with internet, sms and bank details access.
    Because that's all this "malware" is, it's not big or clever, 50% are just from the wrong side of the bell curve.

    Oh, and I use Linux.
    On the Desktop.
    Well, I used to, because who the hell uses a desktop anymore anyway?
    Have you seen this cute screensaver I found!!!

  24. Re:Le sigh. by VortexCortex · Score: 3, Interesting

    Okay, am I the only one that thinks that if you can't design something that renders text onto a screen without it turning into the Ocean's Eleven of computer security, you're doing it wrong? Be honest now guys. I can understand this in something that needs to interpret complex animations of dancing toilet paper flying across my screen screaming "Buy meeeee, pleeeeeeease!" -- I don't approve, but I can see how someone could screw it up.

    But text... really guys, I mean, really?

    I really get where you're coming from... However, Unicode is a PITA to implement, what with multiple glyphs for compositions / decompositions and BIDI (text direction rules) -- which change depending on paragraph direction and state machine. That's just the character encoding! To actually render the fonts there's a tiny VM that decodes the glyphs and handles sub-pixel hinting, etc. A bitmap ASCII (CP437) font? Done. I can crank one out in an hour, tops... Unicode w/ TrueType or FreeType? Ugh. I mean, just getting the character property tables from the Unicode site downloaded and transformed from CSV to the format we need is a project in and of itself. Given the bugs in every last 3rd-party library I've ever encountered (even libPNG), I'm hesitant to use others' code unless I have to (I have a higher standard -- input fuzzing, code coverage and unit testing for everything), but bugs in today's text rendering systems aren't just expected, they're a given -- It's literally the first thing I attack, and almost every time it works against new code: embedded invalid surrogate pairs, and over-long forms.

    Ah, but everyone's doing it wrong but you? Well, let me tell ya something: If you set out to make the closest to the metal compilable language that's not ASM, it'll work just like C does (C is a product of the architecture more than anything). Same goes for making a minimal font rendering system that covers all the world's languages -- Try it, it'll end up almost exactly like TrueType & Unicode because they're products of their environment too.

    Now, that's not to say I don't agree with you to some extent. I'd say humans need to ditch all the BS and start from scratch to create a language that's easy to OCR with syntax and grammar that's extensible and non-ambiguous and thus interpretable by machines. Do that and "natural language processing" is a no-brainer (literally). We get away with as few as 16 glyphs for the Virgon (Galactic) language -- Designed for ease of deciphering from examples using mathematics, incrementally graduating up to a small Von Neumann "VM" and then including "instructional" programs to then teach the rest.... So, yeah, you damn dirty apes did do it wrong, but if your sunk cost fallacy doesn't keep you doing it wrong you'll be the first lifeforms in the Super Cluster to do it right before you've solved the Fermi Paradox.

  25. Re:Who says? by girlintraining · Score: 2

    You're talking out of your ass making assumptions. Unix, whether it be Linux or BSD variation, is getting more and more popular.

    Sir, my grandpa lived to the age of 94, and he smoked four packs a day. Does that mean if I smoke four packs a day, I have nothing to worry about health-wise? I suppose the cognitive error you've made is clearer now. You're giving personal experience too much weight. Please show me a survey saying that, today, Linux as a desktop platform is at least half as popular as Macintosh is. The short answer is, you won't find one. At least not one that's been done properly. Saying it's "getting more and more popular" is not the same as saying it's popular now. Monocles are getting more and more popular too (steampunk cosplay)... it doesn't mean I can wander out into the street and find top hats and monocles everywhere.

    --
    #fuckbeta #iamslashdot #dicemustdie
  26. Re:Who says? by StuartHankins · Score: 2, Interesting

    Market share for iOS will probably drop, but have you seen the average iOS user's statistics versus Android and others? Have you seen how much money iOS users spend versus the rest? Which is more used by business? You may understand statistics but you're missing out on the big picture here.

    This is one of many reviews. http://techland.time.com/2013/04/16/ios-vs-android/

  27. Re:Le sigh. by Kielistic · Score: 2

    Until someone gives us a better way I think I'll take the word of experts in the field over yours.

  28. Re:Le sigh. by tlhIngan · Score: 2

    But text... really guys, I mean, really?

    Obviously someone who thinks Unicode is just an extended character set. Unfortunately, it isn't, and it's why characters are referred to as "codepoints" (because you may need multiple codepoints to actually produce a character).

    First comes the many ways of expressing a codepoint as a string - UTF-8, UTF-16, UTF-32 are just the most common variations (and there's also the whole big and little endian thing). And there's plenty of reasons why you'd want say, UTF-16 over UTF-8 (especially if you want to move backwards through text).

    Next is to support the expressiveness, Unicode has a LOT of character modifier values - things like right-to-left override (after that character, text is forced to be printed right to left), applying diacriticals and other such embellishments on text. For one character printed, you can easily have half a dozen or more codepoints associated with it. (Note: This also makes copy and paste hard, because while the user may have only selected 1 character, that one character may have a few codepoints associated with it).

    And don't forget all sorts of typography related things that need to be done - hinting/leading/kerning needs to be done in order to at least make the text presentable. It's why TeX was created - because the general state of computer generated text and typography was degrading compared to traditional manual typesetting.

    About the only way to make it "easy" is to abandon Unicode for ASCII and to force everything into a monospaced font. Which generally makes text look ugly.
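
An added example (editor's code, not posted by VortexCortex or tlhIngan) tying together two points made above: a strict UTF-8 decoder that rejects the overlong forms and surrogate code points comment 24 names as the usual way text stacks break, so such input can be refused before it reaches a renderer, and a small clustering function illustrating comment 28's point that one visible character may be several code points. The byte samples are constructed here, and `strict_utf8_decode`, `check_utf8`, `user_characters` and `nfc_length` are names chosen for this example, not any library's API.

```python
import unicodedata

# Constructed sample inputs (not from the thread): valid text plus the
# malformed UTF-8 shapes discussed above.
SAMPLES = {
    "valid":     "héllo".encode("utf-8"),
    "overlong":  b"\xe0\x80\xaf",   # 3-byte encoding of U+002F '/', which must be 1 byte
    "surrogate": b"\xed\xa0\x80",   # U+D800, reserved for UTF-16 pairs, illegal in UTF-8
    "truncated": b"\xe2\x82",       # first two bytes of U+20AC '€'
}

def strict_utf8_decode(data):
    """Decode UTF-8 bytes to a list of code points, rejecting overlong
    encodings, surrogates, values above U+10FFFF and truncated sequences.
    Python's own bytes.decode('utf-8') applies the same rules; this version
    spells them out so each rejection is visible."""
    cps, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, need, minimum = b, 0, 0
        elif 0xC2 <= b <= 0xDF:          # 0xC0/0xC1 can only start overlong forms
            cp, need, minimum = b & 0x1F, 1, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, need, minimum = b & 0x0F, 2, 0x800
        elif 0xF0 <= b <= 0xF4:          # 0xF5 and up would exceed U+10FFFF
            cp, need, minimum = b & 0x07, 3, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, need + 1):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{c:02x} at offset {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"surrogate code point U+{cp:04X} at offset {i}")
        if cp > 0x10FFFF:
            raise ValueError(f"code point U+{cp:X} above U+10FFFF at offset {i}")
        cps.append(cp)
        i += need + 1
    return cps

def check_utf8(data):
    """Return 'ok' or the reason the input should be rejected before it
    reaches a text renderer."""
    try:
        strict_utf8_decode(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

def user_characters(text):
    """Group each base character with the combining marks that follow it,
    returning (cluster, number_of_code_points) pairs. This is a simplification
    of Unicode grapheme clustering, enough to show why one visible character
    can be several code points."""
    clusters = []
    for ch in text:
        if clusters and unicodedata.combining(ch):
            clusters[-1] += ch
        else:
            clusters.append(ch)
    return [(c, len(c)) for c in clusters]

def nfc_length(text):
    """Length in code points after canonical composition (NFC)."""
    return len(unicodedata.normalize("NFC", text))

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {raw!r:24} -> {check_utf8(raw)}")
    decomposed = "e\u0301"              # 'e' + COMBINING ACUTE ACCENT
    print(user_characters(decomposed), "->", nfc_length(decomposed), "code point after NFC")
```

The decoder refuses 0xC0/0xC1 as lead bytes outright and checks every longer sequence against the minimum value its length may encode, which is what closes the overlong-form hole; surrogates are rejected as a separate range check because they are well-formed byte-wise but are not scalar values.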

  29. The myth of the equal opportunity attacker by benjymouse · Score: 3, Insightful

    Holy cow, your fanboy hat must be cutting off the flow of blood to your brain. Explain again why an OS with 4x the market share garners 100x the exploits?

    Attackers will *always* try to attack the biggest target. They are not for equal opportunity; they do not meet to work out quotas so that OSes get attacked according to their market share.

    Say you joined a shooting competition: You can shoot at two targets, equal size and equal distance, no objective difference at all. Only difference is that each time you hit target A four people will give you $10 each and each time you hit target B only one person gives you $10. You have 10 rounds. How do you distribute your rounds between the two targets? Do you fire 8 shots at target A and 2 shots at target B because that would be the most fair thing to do, or do you fire all 10 shots at target A?

    Maybe, just maybe, there's more to it than market share.

    There might be. When you see people start taking shots at B, despite the higher reward of hitting target A, you can conclude that some factor causes them to *not* go for the higher reward. Somehow target A must have become harder to hit, the reward is going down, or the shooters' skills allow them to hit target B more easily.

    But all other things being equal, prudent attackers who are in it for the rewards will go for the higher market share, every time.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  30. Re:Who says? by Anubis IV · Score: 2

    Now, who really thinks iphone users have a net worth three times that of Android users?

    That's a great question and exactly the right one to ask. As it turns out, an average iOS user is worth roughly 4-5x more than an average Android user, at least in terms of what they're willing to spend on apps, which admittedly isn't the worth that we're talking about in this context, but is about the closest indication we can get to the relative worths of users on the different platforms, absent of having data on what the street value is for a compromised device of each variety.

    It's also worth pointing out that you've made the false assumption that iOS has to offer a value that's equal to or greater than Android's before iOS would be a logical target, completely dismissing the fact that the black hats may very well be interested in iOS, even if it only offered half or a quarter of the value of attacking Android, simply because there are other considerations at play (e.g. big fish in small pond, diversifying their products for more stable profit, etc.). Even if their users were equal in value and Android had 4.7x more users, that'd still mean that Apple had about 18% of the market, which is a sizable portion to target and well worth at least some of the malware developers' time. As such, you'd expect to see that they're getting hit fairly often.

    Instead, that link above indicates that Android gets 79% of malware, iOS gets 0.7%, and Blackberry and Windows Phone each clock in at 0.3%, despite the fact that their market shares are even more diminutive than Apple's. And don't forget Symbian, which only had 19% of the malware, despite the fact that its installed userbase was comparable to Android's at the time that the study was conducted.

    As for the rest of what I said, which you largely dismissed as irrelevant, I'll repeat some of it regarding this trend being expected, given the designs for the various OSes. Android is designed to be configurable and modifiable by manufacturers and carriers, as well as more open to developers, which naturally means that it's a harder product to secure, given that the surface area for attack is much larger and the changes that are being made are not always being as heavily scrutinized. In contrast, Apple, Microsoft, and Blackberry each only need to secure one OS that they have full control over, so it should come as no surprise that there's less malware for them, not merely because of market share, but also because of design considerations of this sort. If they didn't have disproportionately less malware, that would be an indication of a major failure on their part to secure their OS.

    So, once again, your security through obscurity argument is full of holes, and there are perfectly obvious reasons for why iOS has less malware than Android. That you're ignoring them is astonishing, considering the reasons they exist in the first place are the reasons that the Android ecosystem is able to thrive.

  31. Re:Who says? by Volguus Zildrohar · Score: 2

    X11. Also there's Java.

    --
    When confronted with one problem, some think "I'll use recursion". Now they are confronted with one problem.
  32. Re:Who says? by Black LED · Score: 2

    Check out F-Droid. While they don't have nearly as much as the Google Play store, everything they do have is open source and stripped of extraneous permissions and libraries.

  33. Re:Le sigh. by TheRaven64 · Score: 2

    They've created an entire virtual machine for the sole purpose of font rendering. Doesn't that strike you as just a little bit over the top? Text is just symbols arranged on the screen -- I'm certain better ways of doing this could be imagined that wouldn't require an exploitable VM with root permissions

    Spoken like someone who has never actually written code to display text. Sure, with monospaced bitmap fonts, this is an easy problem. For modern text, you start off with a set of bezier paths representing each glyph. That's fairly easy to render, and you can just start drawing each one to the right of the previous one. That will give you blurry characters with ugly spacing, but it's a start.

    So how do you fix the blurriness? Now you need some hinting telling the renderer when it should try to snap lines to the nearest pixel rather than approximate it and just rely on antialiasing. Oh, and those hints have to work on every combination of point size for the font and pixel size for the display (and, ideally, for different sub-pixel layouts) and so they're heavily parameterised. Doesn't need to be quite Turing-complete yet, but you're getting very close to Lambda calculus, although you can get away without recursion.

    But you still have spacing problems. Consider this trivial example: To. Now, in your naive approach, the left hand side of the o is the same distance from the right hand end of the cross-bar of the T. This distance will be the same as the distance between characters in nm. If you see this at the start of a word, like Tool, then it will look like there is more space between To than between oo or ol and that's ugly. So now you need some kerning hints that tell you how to tweak the spacing for each pair of letters, and these need to be parameterised over every pair of letters. For a simple ASCII font, that's 2^14 combinations, so you don't want to list them individually, you need to compute them.

    And that's just very basic letter layout. On a typical window, you may have thousands of characters, which all need to be laid out correctly (and deterministically, so characters don't jump around on every redraw). And so this is on the fast path. Is it surprising that it ends up in the fast path?

    Both Windows and *NIX have had serious exploits involving font rendering. X used to put FreeType in the X server (which ran as root), Windows used to put an equivalent in the kernel. Both have resulted in vulnerabilities from documents that embed fonts. When you have something that's performance critical (slow text rendering translates to slow window updates, which directly translates to user-perceived slowness) and depends on user-provided data, it's not surprising that there are security holes. X11 now moves font rendering to the client (although, like Quartz, it composites the glyphs on the server), so a font exploit doesn't get you root, it just gets you arbitrary code execution in your current application, for example the web browser.

    --
    I am TheRaven on Soylent News
  34. Re:Le sigh. by Derek Pomery · Score: 2

    FWIW, you don't *have* to use Java for coding on Android, just like you don't have to use objc for coding on iOS.

    Our game has a Java frontend (that's needed) but the game library and the libraries it bundles with (sdl, physfs, netlib) are C (or in the case of the game engine, Pascal).

    And ofc most of Android itself is absolutely not Java.

    For UIs, you can use pretty much anything, even Javascript. They aren't really that demanding...

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.