
Major new iOS bug can crash iPhones and disable access to apps and iMessages - denzil_correa
https://www.theverge.com/2018/2/15/17015654/apple-iphone-crash-ios-11-bug-imessage
======
taylodl
What Apple, and Microsoft before them, are discovering is that the tools and
processes we use to create software simply don't scale. We're simply
reaching the limits of what these giant software teams are able to produce and
keep running. We can discuss solutions, but currently not everybody even
agrees we have a problem. That's the first step we need to take.

~~~
13of40
I disagree that this is the product of scale. Looking at some of the bugs
coming out of Apple lately and how they respond to them (assuming it's really
a trend and not just a run of bad luck) it feels like they're slipping into a
culture where individual feature teams are making emotional or schedule-based
decisions about security without central guidance. A good example is the
recent bug on MacOS where a low-privileged user could kill other users'
processes and reboot the machine, but allegedly this wasn't considered a
security problem. It doesn't seem like they have a core part of their
organization that drives security practices and knows how to triage and give
guidance on these issues, because if the bug had been escalated to a group
like that, it would certainly have gotten some traction. It would be nice to
hear an insider's take on it...

~~~
TheSpiceIsLife
Within the context of the previous comment, this is a great comment.

I read it six times in rapid succession and it keeps flipping between being a
supporting argument _for_ and _against_ the parent comment.

~~~
softawre
I like to call that a blue/white rebuttal

~~~
TheSpiceIsLife
Is this a reference to something I'm not familiar with?

~~~
mrlyc
It's probably a reference to the debate on Reddit about whether a dress
([http://i.imgur.com/9VWYggm.jpg](http://i.imgur.com/9VWYggm.jpg)) was black
and blue or white and gold.

------
kens
What's the Unicode codepoint of the character? Is it a single Unicode
codepoint or multiple? (I tried to search for info on the web, but Chrome kept
crashing.)

Supposedly it's a normal Telugu character, but how could that have gotten past
even minimal testing in Hyderabad? Or is it some strange combining corner
case? Telugu script is kind of unusual in Unicode, since it is syllabic but
has separate codepoints for vowels and consonants, so character rendering is
done by combining a vowel and consonant character into a totally different
character. (Apologies for probably oversimplifying and mangling that
explanation.) This is unlike Japanese katakana and hiragana, which have
separate Unicode code points for each syllable so rendering is
straightforward.

[https://en.wikipedia.org/wiki/Telugu_script](https://en.wikipedia.org/wiki/Telugu_script)

~~~
esnard
Multiple codepoints.

U+0C1C U+0C4D U+0C1E U+200C U+0C3E

~~~
kens
So: "JA" "VIRAMA" "NYA" "ZERO-WIDTH NON-JOINER" "VOWEL AA"

That looks like a non-trivial character. I wonder how many other crashing
characters can be generated from this pattern.

JA is a consonant, VIRAMA indicates a lack of vowel, NYA is another consonant,
and it's non-joined(?) with the vowel AA. Can a Telugu speaker explain what
that's supposed to do?

~~~
Manishearth
Approximately a couple thousand.

It happens for Telugu, Devanagari, and Bengali, for pretty much any (C,C,V)
choice in Telugu, for any (C,C,V) choice in Devanagari where the second
consonant is 'ra', and any such choice in Telugu where the second consonant is
'ra' or 'ya'. Some vowels don't work.

<consonant, virama, consonant> usually forms a ligature in most Indic scripts.
_Usually_, that ligature is formed by munging the first consonant and tacking
it on to the second.

However, in Telugu, it works the other way around -- the first consonant stays
the same, but the second consonant is munged and placed below it. As a result,
many forms render <virama, consonant> as a sort of "composite combining
character", with a placeholder for where the first consonant goes, and the
second consonant below it.

In Devanagari, the 'ra' consonant also does this, and 'ra' and 'ya' in Telugu.

This also happens for all Kannada consonants, but I can't trigger the bug with
Kannada.

ZWNJ isn't really specified for Devanagari or Telugu; it can both make the
vowel render separately or do nothing. In Bengali for some vowels it changes
their form; however this bug occurs for more than just those vowels.
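
As an added example (not code from the thread, from Apple, or from the commenter above): a small Python scanner that flags the <consonant, virama, consonant, ZWNJ, vowel sign> cluster described above, in Telugu, Devanagari or Bengali, so a message-ingestion pipeline can log or quarantine such input before it reaches a renderer. The code-point ranges are taken from the Unicode block charts, and the flagged pattern is deliberately the broad one, so legitimate Bengali text that uses ZWNJ will be flagged too.

```python
import unicodedata

ZWNJ = "\u200c"
# Per script: consonant range, virama, dependent vowel sign range (Unicode charts).
SCRIPTS = {
    "Telugu":     ((0x0C15, 0x0C39), 0x0C4D, (0x0C3E, 0x0C4C)),
    "Devanagari": ((0x0915, 0x0939), 0x094D, (0x093E, 0x094C)),
    "Bengali":    ((0x0995, 0x09B9), 0x09CD, (0x09BE, 0x09CC)),
}


def _in_range(ch, rng):
    # Unassigned code points inside a block (e.g. U+0C29) are not letters.
    return rng[0] <= ord(ch) <= rng[1] and unicodedata.name(ch, None) is not None


def _cluster_script(s):
    """Name the script if the 5 code points in s form
    <consonant, virama, consonant, ZWNJ, vowel sign> within one script."""
    if len(s) != 5 or s[3] != ZWNJ:
        return None
    for script, (cons, virama, vowels) in SCRIPTS.items():
        if (_in_range(s[0], cons) and ord(s[1]) == virama
                and _in_range(s[2], cons) and _in_range(s[4], vowels)):
            return script
    return None


def find_risky_clusters(text):
    """Return [(script, offset, cluster)] for every match in text."""
    hits = []
    for i in range(len(text) - 4):
        script = _cluster_script(text[i:i + 5])
        if script:
            hits.append((script, i, text[i:i + 5]))
    return hits


def is_safe_to_render(text):
    """True when no flagged cluster is present; use to quarantine or log input."""
    return not find_risky_clusters(text)


# Constructed samples: the sequence quoted in the thread, and the same Telugu
# conjunct without ZWNJ (ordinary text), which must not be flagged.
CRASHER = "\u0c1c\u0c4d\u0c1e\u200c\u0c3e"
PLAIN_TELUGU = "\u0c1c\u0c4d\u0c1e\u0c3e"

if __name__ == "__main__":
    for sample in (CRASHER, PLAIN_TELUGU):
        print([f"U+{ord(c):04X}" for c in sample], find_risky_clusters(sample))
```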

------
Cknight70
Here's a link to the character if someone wants to test it themselves
[https://pastebin.com/9Tr8ytTr](https://pastebin.com/9Tr8ytTr)

~~~
RandallBrown
Wow, that even crashes Safari on my Mac.

~~~
akvadrako
And if it gets in your history, it'll crash every time the character shows up
again. I ended up having to delete the entry manually:

    $ sqlite3 ~/Library/Safari/History.db
    SQLite version 3.19.3 2017-06-27 16:40:08
    Enter ".help" for usage hints.
    sqlite> delete from history_items where url = "https://pastebin.com/9Tr8ytTr";

~~~
talson
Thanks!

------
TazeTSchnitzel
This isn't the first time a weird sequence of Unicode characters has caused
the text renderer to crash and create problems for iOS users.

This is why we shouldn't be writing new code in C.

~~~
nebula
I checked the character, it is anything but weird. It is a valid character in
a language used by millions of people. For those curious: It is a Telugu
character; Telugu is one of several widely spoken languages in India.

~~~
reaperducer
I guess it depends on your definition of "widely spoken."

According to Wikipedia, the number of people speaking Telugu is 0.97% of the
world. It's not even a statistical margin of error.

Still, how hard can it be to have a machine step through all of the possible
combinations of every iOS-supported character set and jam them into iMessage
to see if they're failsafe?

[1]:
[https://en.wikipedia.org/wiki/Telugu_language](https://en.wikipedia.org/wiki/Telugu_language)

~~~
lostmsu
1%? Are you kidding? That's over 70 million. It's on the order of the population
of Germany, and 10 times more than Swedes.

~~~
bluntfang
I think the metric isn't the right one. 1% is a small user base, but of that
1% how many of them have access to iPhones?

------
hello_asdf
I've never done any fuzzing personally, but wouldn't this be discoverable
internally during testing?

I would think that they would attempt sending all possible characters,
especially because they've had issues with this in the past.

~~~
jmull
Well of course they _could_ have done that.

To be honest, though, if someone on my team suggested we implement an
automated test that tries sending every Unicode character (and it would be
applied to every interface of every app and API, right?) I would have objected
that this was an over-complicated, over-engineered solution that will probably
be too slow.

I'd argue that a set of test data selected to cover a range of patterns,
especially ones that are considered risky (either known to have caused
problems in the past or appearing complicated or tricky) would have almost as
good coverage and be an order of magnitude more useful.

The problem with "run-every-case" tests is that they start off slow and get
exponentially slower if you try to go deep; you very quickly end up with tests
that take too long to run to be useful. (e.g., {every Unicode character} is
one thing... {Every Unicode character} X {every interface and app} is a LOT
more. {Every Unicode character} X {every interface and app} X {every build} X
{every device model} X etc. is impossible). So you end up with very broad but
very shallow tests. And that means _less_ coverage ultimately, not more.

Generally, I think you'll get more efficient, effective, useful tests if you
tailor the test data sets to the problems you see rather than going for
blanket coverage.

~~~
wvenable
Since this affects a huge number of applications and even desktop
applications, it's a low-level library that is causing the problem. I'm not
sure it's unreasonable to test every Unicode codepoint against a shared library
if that library is responsible for the rendering of Unicode text.

But I agree it would be unreasonable to do that for every app that uses the
library.

~~~
jmull
You have a point. It's probably not unreasonable to test every Unicode
codepoint against a low-level shared library, at least for APIs that process a
single codepoint.

I don't think it's a no-brainer though.

And it _is_ unreasonable to expect a testing technique to be applied in every
case where it is reasonable to do so. There are a lot of techniques that are
reasonable to use in any given case, but it would make no sense at all to apply
every one of them. To focus on this one, now, amounts to Monday morning
quarterbacking. Once you know the bug it's easy to see how it could have been
caught. Of course if you somehow knew of a bug ahead of time you wouldn't need
any test at all!

~~~
wvenable
Yeah, I don't disagree. Arguing this would be caught by better testing is close
to implying that _all_ software bugs are avoidable; we simply have to test
"better" until there are no bugs ever.

------
ce4
Here is the original report:

[https://openradar.appspot.com/radar?id=4987859723354112](https://openradar.appspot.com/radar?id=4987859723354112)

Edit: Saw that link two days ago already, but just noticed that it's also
mentioned in the article.

------
kumarm
Wow, it's just a Unicode character in a language spoken by just 75 million people
[https://en.wikipedia.org/wiki/Telugu_language](https://en.wikipedia.org/wiki/Telugu_language)

~~~
Manishearth
Not technically correct; <consonant, virama, consonant, zwnj, vowel> is not a
sequence you'd see in actual Telugu text (zwnj doesn't do anything for
telugu).

However, there are similar test cases for Bengali, and ZWNJ _does_ have an
effect on some Bengali vowels, so it's definitely a real world character in
that case.

------
echohack4
For those of you looking to test this out yourself, I have a Python script that
could be helpful in pulling iMessages off your iPhone backup (assuming it
might be difficult to access them if the application is in a crash loop).

[https://github.com/echohack/iphone_messages_dump](https://github.com/echohack/iphone_messages_dump)

------
Shoothe
I wonder how many more of these flops it will take for some security experts to
stop recommending iPhone over Android...

~~~
jackson1way
Weird Unicode text can crash your iMessages - sucks.

90% of Android phones not having any recent updates - big deal. [0]

[0] [https://www.sammobile.com/news/samsung-stops-galaxy-s8-andro...](https://www.sammobile.com/news/samsung-stops-galaxy-s8-android-8-0-release-new-version-being-developed/)

~~~
Shoothe
I don't see any evidence in the link you posted.

And it's interesting that you bring up Samsung, which for 3 years issued patches
every single month for my old Note 4. You may not get the latest and greatest
Android version immediately (missing the essential "hamburger emoji fix") but
you'll still get security updates.

------
jedisct1
Does anybody know how to get out of the respring/reboot loop without
reinstalling everything in DFU?

~~~
TBastiani
My friend managed to upgrade to 11.3 beta without restoring.

(Very bad joke on my part)

EDIT: apparently he did go into recovery but didn't lose his files.

He says you have to go into DFU, press shift and click on update, then select the
file for the 11.3 beta upgrade.

------
jacksmith21006
What is up with Apple's quality of late?

------
valuearb
Are Emoji the new buffer overflow?

