
'Text bomb' is latest Apple bug - HarveyKandola
http://www.bbc.com/news/technology-42728336
======
rspeer
Anyone got any information on how the text rendering bug actually works (not
just hand-waving it away as "oh it's UTF-8")?

I can see that the file alternates between segments of:

- Repetitions of the glyph "t̴́̍̒", which is a lowercase t with a combining
tilde overlay, an acute accent, a vertical line above, and a turned comma
above

- Random-looking ASCII characters with lots of apostrophes (spelled as &#39;
in the HTML)

- Short sequences of spaces, non-breaking spaces, and zero-width joiners

- Occasional emoji

The "t̴́̍̒"s manage to slow down my terminal and glitch its rendering a bit.
Is it that they're unexpectedly tall? But we've had zalgo-text for a while and
it hasn't actually crashed devices.
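
As an added illustration (not rspeer's code and not anything from the thread or the proof-of-concept file), here is a small stdlib-only Python scanner that groups text into base-character-plus-marks clusters the way the comment above describes and flags runs of stacked combining marks and invisible joiners. The sample string is constructed from that description of the glyph, and the thresholds in `is_suspicious` are assumed policy values, not anything Apple uses.

```python
import unicodedata

ZWJ = "\u200d"    # ZERO WIDTH JOINER
NBSP = "\u00a0"   # NO-BREAK SPACE

# Constructed sample, built from the description of the glyph and the
# interleaved spaces/joiners/emoji; it is not the proof-of-concept file.
# "t" + COMBINING TILDE OVERLAY + COMBINING ACUTE ACCENT
#     + COMBINING VERTICAL LINE ABOVE + COMBINING TURNED COMMA ABOVE
STACKED_T = "t\u0334\u0301\u030d\u0312"
SAMPLE = STACKED_T * 3 + " " + NBSP + ZWJ + ZWJ + "\U0001F600" + "plain text"


def cluster_stats(text):
    """Group text into (base character, number of trailing combining marks)
    and count invisible characters that often travel with such payloads.

    Returns a dict with max_marks, total_marks, clusters, zwj, nbsp.
    Unicode general categories Mn/Mc/Me (all start with 'M') are marks."""
    clusters = []
    base, marks = None, 0
    zwj = nbsp = 0
    for ch in text:
        if ch == ZWJ:
            zwj += 1
        elif ch == NBSP:
            nbsp += 1
        if base is not None and unicodedata.category(ch).startswith("M"):
            marks += 1          # attach the mark to the current base
            continue
        if base is not None:
            clusters.append((base, marks))
        base, marks = ch, 0     # start a new cluster
    if base is not None:
        clusters.append((base, marks))
    return {
        "max_marks": max((m for _, m in clusters), default=0),
        "total_marks": sum(m for _, m in clusters),
        "clusters": len(clusters),
        "zwj": zwj,
        "nbsp": nbsp,
    }


def is_suspicious(text, max_marks_per_base=3, max_mark_ratio=1.0):
    """Assumed policy (not Apple's): reject text when one base carries more
    marks than the scripts you accept ever stack, or when marks outnumber
    bases. Latin with diacritics and Vietnamese use one or two marks per
    base; Tibetan and a few others stack more, so tune the knob for the
    languages you must accept.
    NFC normalisation does not help here: there is no precomposed form for
    a 't' with these four marks, so the stack survives normalisation."""
    s = cluster_stats(text)
    if s["max_marks"] > max_marks_per_base:
        return True
    return s["total_marks"] > s["clusters"] * max_mark_ratio


if __name__ == "__main__":
    print(cluster_stats(SAMPLE))
    print("suspicious:", is_suspicious(SAMPLE))
```

The check runs on code points before anything is handed to a text layout engine, which is the point: a messaging server or link-preview service can bounce such input without ever rendering it. The stats alone do not tell you why a particular renderer crashes on this input; they only give you a cheap gate in front of it.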

~~~
boombip
I find it unexpectedly hilarious that we now have issues that cannot be fully
described without running the risk of crashing our machines. It's as if there
are certain unholy words that could cause us to faint if we were to utter
them.

~~~
yesenadam
Sounds right out of _Gödel, Escher, Bach_ :

 _Achilles_ : I see the dilemma now. If any record player—say Record Player
X—is sufficiently high-fidelity, then when it attempts to play the song "I
Cannot Be Played on Record Player X", it will create just those vibrations
which cause it to break...So it fails to be Perfect. And yet, the only way to
get around that trickery, namely for Record Player X to be of lower fidelity,
even more directly ensures that it is not Perfect. It seems that every record
player is vulnerable to one or the other of those frailties, and hence all
record players are defective. (p77)

~~~
rspeer
Similarly (and also featured in a Hofstadter book), there's the short story
"The Riddle of the Universe and Its Solution" by Christopher Cherniak.
[https://en.wikipedia.org/wiki/The_Riddle_of_the_Universe_and...](https://en.wikipedia.org/wiki/The_Riddle_of_the_Universe_and_Its_Solution)

I don't think anyone ever intended for text rendering to be a "sufficiently
powerful formal system" like second-order logic, number theory, or like
Hofstadter says the human brain is. I would hope that, in the absence of bugs,
rendering text X on computer system Y would be a plain old computable
function.

------
Orangeair
Come to think of it, I believe I've heard of multiple "making the device
render this text causes a crash" bugs for Apple devices, but never on any
other platforms. Is this type of bug just that much more common on Apple
devices, or are there plenty of other cases out there that I just don't know
about?

~~~
dspillett
_> but never on any other platforms_

There have been numerous crash-bugs for the Windows font renderer, and even
security exploits using it (especially before Windows 10, as earlier than that
font rendering was performed in the kernel's space rather than user-land). I
wouldn't be surprised to learn of issues (at least of the falling over
variety) in common Linux rendering engines and for other OSs too.

~~~
kevin_thibedeau
The Windows bugs are usually tied into executing TTF hint bytecode which is
ignored by FreeType.

~~~
skymt
FreeType used to ignore TrueType hint bytecode to avoid infringing on related
patents, but those patents expired in 2010 and FreeType's interpreter is now
enabled by default.

[http://freetype.sourceforge.net/patents.html](http://freetype.sourceforge.net/patents.html)

------
devit
Based on a web search,
[https://bogdanz.me/work/diddu.html](https://bogdanz.me/work/diddu.html) might
be a working mirror of the proof of concept.

It appears to contain a 10MB long UTF-8 mess in both the og:title meta content
and in a mailto: link.

I'd guess it's supposed to crash iOS apps by either posting that link if it
displays links in a thumbnail element using og:title or otherwise by pasting
the huge mailto link contained in the webpage, or perhaps only the e-mail
address.
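
Added example, not devit's code and not the mirror's content: a stdlib-only audit of the two places the comment above names, the og:title meta content and mailto: hrefs, so a link-preview generator can refuse oversized metadata before handing it to a text renderer. The sample page is constructed; the 1024-code-point cap is an assumed policy value, not anything Apple or the proof of concept uses.

```python
from html.parser import HTMLParser

# Constructed sample page (not the real proof-of-concept): an og:title and a
# mailto: link stuffed with stacked combining marks, beside a normal
# description and a normal link.
STACK = "t\u0334\u0301\u030d\u0312" * 4000        # 20,000 code points
SAMPLE_HTML = (
    '<html><head>\n'
    f'<meta property="og:title" content="{STACK}">\n'
    '<meta property="og:description" content="hello">\n'
    '</head><body>\n'
    f'<a href="mailto:{STACK}@example.invalid">mail</a>\n'
    '<a href="https://example.invalid/ok">ok</a>\n'
    '</body></html>'
)
OK_HTML = ('<meta property="og:title" content="Hello">'
           '<a href="mailto:a@example.invalid">x</a>')


class PreviewInputAuditor(HTMLParser):
    """Records every <meta> or <a> attribute value longer than `limit`
    (measured in code points, not bytes, since rendering cost scales with
    code points) and captures og:title for the preview."""

    def __init__(self, limit):
        super().__init__()
        self.limit = limit
        self.findings = []          # (tag, label, length)
        self.og_title = None

    def handle_starttag(self, tag, attrs):
        if tag not in ("meta", "a"):
            return
        attrs = dict(attrs)         # values arrive entity-decoded
        if tag == "meta" and attrs.get("property") == "og:title":
            self.og_title = attrs.get("content")
        for name, value in attrs.items():
            if value is None or len(value) <= self.limit:
                continue
            label = attrs.get("property") or attrs.get("name") or name
            self.findings.append((tag, label, len(value)))


def audit(html, limit=1024):
    """List every oversized meta/anchor attribute in the page."""
    p = PreviewInputAuditor(limit)
    p.feed(html)
    p.close()
    return p.findings


def safe_og_title(html, limit=1024):
    """og:title for a link preview, or None when missing or over the cap.
    Refusing to render is the safe default: the preview is decoration."""
    p = PreviewInputAuditor(limit)
    p.feed(html)
    p.close()
    if p.og_title is None or len(p.og_title) > limit:
        return None
    return p.og_title


if __name__ == "__main__":
    for tag, label, length in audit(SAMPLE_HTML):
        print(f"oversized {tag} {label}: {length} code points")
    print("title to render:", safe_og_title(SAMPLE_HTML))
```

Note that `len()` here counts code points after entity decoding, so an attacker cannot hide under the cap by spelling the payload as `&#...;` entities; if you cap on raw bytes before parsing you get a different, looser number.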

~~~
Someone1234
That site caused Firefox 57 (64bit) to lock up on Windows 10...

It is an i7, 16 GB total (7 GB free), and an SSD.

~~~
testplzignore
Same for me, except on Windows 7. CPU spiked to 100% and I warmed up my hands
with the extra heat :). Closing the tab and waiting a minute or so (the usual
thing I do for cpu/memory intensive pages like this) didn't work. I had to
completely restart Firefox to get it back to normal.

------
menacingly
The linked blog assures people that this can't be used to access data. Once
something is crashing an app/OS, can you really say that? I mean, can you be
sure there's no one clever enough to capitalize on the underlying software
error leading to this state?

~~~
1123581321
That would be a general issue with app crashing, and a huge deal worth its
own series of articles. iOS’ sandboxing makes it so unlikely this exists, it’s
not worth mentioning and the sensational writing might be counterproductive to
getting the actual issue fixed. To use an analogy, it’d be like mentioning
that someone could hack Google in an article about Gmail downtime.

~~~
menacingly
I see your point, but I actually think users should be _more_ alarmed when an
input makes software crash, for just this reason. They tend to think of it as
a harmless annoyance.

Also, while sandboxing may be designed to prevent this, Messages is probably
also designed not to crash on link sharing.

~~~
qubex
There's far more risk in software _not_ crashing when it gets malformed or
otherwise unexpected input. If an application crashes, its memory space has
been relinquished and its execution process aborted. Yes, something could've
been spawned, but... in general crashing when something unexpected comes up is
more sensible, desirable behaviour.

(Or am I wrong? I'm not a professional programmer. I'm just reasoning from
common sense.)

~~~
AgentME
The bug causing this crash might be exploitable. Think of a classic buffer
overflow: if you overflow a buffer with all zeroes or random data, then the
return address most likely gets overwritten with garbage that doesn't point to
valid code or a mapped address and the process crashes. But if the attacker
specially chose the data they put in the buffer, then they could choose to
overwrite the return address with a valid memory address and make the process
execute the attacker's own code.

If software written in C/C++ crashes and it's not because of a null pointer
dereference specifically, then it's realistic to worry about whether it might
be because of an exploitable bug (like a buffer overflow, a double-free, etc).
One common way for people to try to find exploitable bugs is to script a
program to re-run with random input data to figure out which inputs crash it,
and then they debug the crashes to see if they're caused by exploitable bugs.

~~~
qubex
Yes I wrote a fuzzer once and was one of the guys that independently
discovered the ancient NT 4.0 SP6 "named pipe" vulnerability. I just tend to
think that crashing on unexpected stuff is more sensible than any alternative
(a kind of deny-by-default).

~~~
Someone
yes, it is, but I think you’ll agree that, without knowing what particularly
defines the unexpected it is hard to tell whether it really is crashing on
_all_ unexpected stuff or crashing on _most_, and running the attacker’s code
on other.

That’s what should make people worried a bit.

As to fuzzing: given the complexity of the code and the frequency at which
bugs are found, I would expect Apple to fuzz their font rendering code 24/7.
Do bugs still surface because there are that many, because the whole rendering
engine changes that often, because of compiler bugs that do not show up in
instrumented code, or because they don’t fuzz it themselves that well?
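
To make the workflow AgentME outlines above (re-run a target on mutated inputs, keep what crashes, then debug the crash) and the fuzzing question in the comment just above concrete, here is an added Python example that is not from the thread and not Apple's code: a minimal mutation fuzzer plus a greedy input minimizer, run against a constructed toy record parser with a deliberate unchecked copy into a fixed-size buffer standing in for the kind of C bug being discussed. The seed input and the parser format are invented for the example.

```python
import random

# Constructed seed: two well-formed records, [len][payload] each.
SEED = b"\x08\xff" + b"A" * 7 + b"\x02hi"


def parse_records(data):
    """Constructed toy target (not Apple's code): a length-prefixed record
    parser. A payload starting with 0xFF is copied into a fixed 8-slot
    'glyph cache' with no bounds check, which raises IndexError when the
    payload is longer than 8 bytes. In C the same mistake would be a heap
    or stack overwrite rather than an exception."""
    cache = bytearray(8)
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        if payload and payload[0] == 0xFF:
            for k, b in enumerate(payload):
                cache[k] = b            # the bug: k is never checked against 8
        records.append(bytes(payload))
        i += 1 + n
    return records


def crashes(target, data):
    """True if target raises on data; the in-process stand-in for a signal
    or sanitizer report from a native target."""
    try:
        target(data)
    except Exception:
        return True
    return False


def mutate(rng, data):
    """One random byte-level mutation: overwrite, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations=20000, seed=1):
    """Dumb mutation fuzzer: return the first mutated input that crashes
    target, or None after `iterations` attempts. Deterministic per seed."""
    rng = random.Random(seed)
    corpus = list(seeds)
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        if crashes(target, candidate):
            return candidate
    return None


def minimize(target, crash):
    """Greedy one-byte delta debugging: drop any byte whose removal still
    crashes the target, so the debugger sees the smallest trigger."""
    data = bytearray(crash)
    i = 0
    while i < len(data):
        trial = bytes(data[:i] + data[i + 1:])
        if crashes(target, trial):
            data = bytearray(trial)     # byte was not needed; retry same index
        else:
            i += 1                      # byte is part of the trigger; keep it
    return bytes(data)


if __name__ == "__main__":
    found = fuzz(parse_records, [SEED])
    print("crashing input:", found)
    print("minimized     :", minimize(parse_records, found))
```

The minimized trigger is the thing you would then load into a debugger: here it comes out as a length byte of 9 or more, the 0xFF marker, and exactly enough payload to write one slot past the cache. Real fuzzers add coverage feedback and keep a growing corpus; this one is deliberately feedback-free so that the two steps in the comment (find a crash, then reduce it) are visible on their own.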

------
hotpxl
- Mr Masri said he "always reports bugs" before releasing them.

Well I don't think Apple really reads bug reports.

~~~
FPGAhacker
They do if you file them at radar.apple.com. I've had back and forths with
them on some video card performance issues after sleep after filing a report
there.

~~~
Someone1234
What is that site? I have a working Apple ID and it won't even let me sign in.

~~~
teej
Radar is Apple’s internal bug tracking system. Outsiders have limited access
to it. I believe bugreport.apple.com is the path for submitting bugs as an
external developer.

~~~
madeofpalk
Do any outsiders have access to radar itself? As a developer, when I log into
radar.apple.com I'm redirected to bugreport.apple.com

------
alwillis
Fixed in the latest beta: [https://www.macrumors.com/2018/01/17/apple-seeds-ios-11-2-5-...](https://www.macrumors.com/2018/01/17/apple-seeds-ios-11-2-5-beta-6-to-developers/)

~~~
gondo
and yet again they don't care about older iOS versions for people who don't
want to brick their phones with updates

~~~
madeofpalk
How do you update software without updating it? I'm literally at a loss with
how you would like them to resolve it if you don't want to install updates.

~~~
ClassyJacket
I think what they're getting at is: release an iOS 10.3.4 or whatever so that
people who don't want iOS 11 can still avoid this bug. They did this once
before, around iOS 6 I believe, when the security certificate for FaceTime ran
out.

And it's understandable. iOS 11 made my iPhone 7 - the newest one at the time
- so unusable I sold it and got a different phone. It went from a good, snappy
phone, to a slow mess that took seconds more to open or switch apps, crashed
all the time, had UI glitches all over the place, and was so slow it couldn't
play _locally downloaded audio_ without stuttering and slowing down. Ew.

~~~
brokenmachine
This really shits me about updates to phones and other devices like my TV.

I always cringe a bit when there's an update because the companies never
provide any way to downgrade if you're not happy after.

It's not only Apple responsible, I wish there was some kind of consumer
protections.

There should always be a way for a consumer to get a product back to the state
it was at the time of purchase.

------
jakobegger
So a crashing bug in the text rendering framework is now worth an article in
major publications?

I stumbled over two or three of them in the last couple of years while
debugging crash reports sent in by customers.

Seems that text rendering is hard. Maybe fuzzing CoreText would be a
worthwhile target to discover vulnerabilities?

~~~
zackify
My iPhone X won't even open iMessage after trying to delete two texts with
this message, I would say it's a pretty big problem

~~~
maxmcd
I believe the solution present on this linked page will help you:
[https://www.vincedes3.com/save.html](https://www.vincedes3.com/save.html)

Opens iMessage again with a message draft so that you can delete the
conversation without fetching the linked bug

~~~
a_t48
Warning - this link has dozens of not-work-appropriate ads on it now.

~~~
maxmcd
Agh, apologies, missed those with my adblocker

------
SurrealSoul
There was an issue a few years ago where you could send a UTF-8 code to crash
whatever app was currently open on an iPhone. I guess this might be the same
issue but slightly different?

------
w0rd-driven
This again? It's eerily similar to
[https://m.huffpost.com/us/entry/7452324](https://m.huffpost.com/us/entry/7452324)
(sorry for the mobile link). Only one other comment mentions the bug from 2015
that surprise, crashes the phone in the same way. It looks like this person
just worked around the patch to cause it again.

------
matt-attack
I've noticed that iOS will only perform requests to links in iMessage if and
only if the sender is in your contacts. If an unknown sender iMessages you a
URL, iOS will _not_ perform a request.

------
omarforgotpwd
Not making any sort of comment on this issue or Apple, but I’m sure glad every
bug I write isn’t covered in the news.

------
jdlyga
Sounds like AOL punters. Fate X anyone?

~~~
srphm
Right? I remember spamming people with h1 tags, then seeing them go offline.
Welp, was fun for 5 minutes.

~~~
rmrfrmrf
AOL sent my dad an e-mail :(

------
LocalH
Considering that this text causes issues on other platforms than just Apple
(with differing levels of severity), I would posit that it's unfair to
characterize this as an "Apple bug".

------
mixmastamyk
Their lock screen crashing bug from iOS 11 that was fixed with 11.1 came back
with 11.2 and I want to throw the thing out the window. Every time I hit the
power button it crashes and I have to type out the PIN.

~~~
menacingly
I still have the issue where if I access the camera from the lock screen it
randomly renders my phone unlockable

------
NedIsakoff
Anyone have the code?

~~~
Kikawala
[https://mega.nz/#!X4piUYwA!zXH1vCliaO00V2v2554vegCnXzQ69jdAX...](https://mega.nz/#!X4piUYwA!zXH1vCliaO00V2v2554vegCnXzQ69jdAXS5sUMmyFvU)

11.7MB HTML file. It crashes the tab in Chrome 65.0.3324.2 64-bit and locks up
Firefox 58.0 64-bit on Windows for me.

~~~
Y_Y
Works on my FF 58.0b16, Win10 64-bit

~~~
Kikawala
I tried to repeat the test in FF and you're right, it does not lock it up, but
once I click in the black area of the page, it becomes unresponsive.

------
sigjuice
Where is my textbombattack.com website and cute logo?

------
herodotus
So shipping software has an obscure bug that can cause a crash. Why is this
news?

~~~
lisper
Because Apple once prided itself as a company that made computers that "just
worked".

~~~
lostlogin
I like how you wrote all that in the past tense.

~~~
lisper
If the shoe fits... :-(

------
platz
Apple products don't have malware

