CoreText Font Rendering Bug Leads To iOS, OS X Exploit
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well."
I am totally safe.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
The Department of Homeland Security and FBI.
Do you even lift?
These aren't the 'roids you're looking for.
Here's a link to the crasher string in question:
http://pastebin.com/kDhu72fh
(warning: will crash Safari on OS X 10.8. Firefox doesn't crash.)
Did you know that TTF fonts are Turing complete?
http://en.wikipedia.org/wiki/True_Type_Font#Hinting_language
"It really worries me that the FreeType font library is now being made to accept untrusted content from the web.
The library probably wasn't written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executables on a computer, and it's already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.
It is a very large library that actually includes a virtual machine that has been rewritten from Pascal to single-threaded non-reentrant C to reentrant C… The code is extremely hairy and hard to review, especially for the VM."
http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
Otherwise someone would post it in the comments here and crash iPhone users' browser!
I thought Apple added address space randomization back in Leopard? What happened?
The problem that was reported leads to a crash. A crash is _safe_. An attacker can't gain any advantage by crashing your computer. They can merely annoy you.
Address Space Randomization cannot prevent crashes. Its purpose is to prevent crashes being turned into exploits. An attacker does two things: Find a way to make your software fail, then find a way to turn that failure into an advantage for the attacker. The second part is where Address Space Randomization comes in. The next step is Sandboxing, where even if the attacker finds a way past ASR and takes over your code, your code would be in a sandbox and can't do any harm outside.