It's a bug inside Apple's CoreText font rendering framework.
So that means anywhere the string could appear, the application that has CoreText render the string crashes? Makes me wonder if it'd work by just broadcasting the string as an SSID and waiting for someone to look up available networks, or sending text files to Bluetooth devices with an Apple MAC address. That would be cool, on a bus, in a crowded city, during rush hour.
Seems to be a pretty devastating problem if you send the exploit text to someone in iMessage. Makes the phone immediately crash - when the phone has been restarted and the user clicks on "messages", it crashes again - I think that it'll need a system restore / hacking of the Messages datastore to fix.
Put the exploit text into the SSID for an iOS personal hotspot - crashes iOS devices when they scan for SSIDs to connect to.
Actually, just by the attacker sending a long enough text message to push the attack off the screen - which you can do yourself by sending a long text message to yourself from another phone, then forwarding that message to the attacker.
We do use Core Text in Firefox on OS X, although not for all parts of text layout/rendering nowadays, AIUI. We're using Harfbuzz for some text shaping, so it's possible we're not using the particular Core Text APIs that hit this bug.
Usually this sort of bug would fall under "next point release". No privilege escalation, no potential for leaking private data - i.e., no giant legal/PR disaster waiting to happen means they will likely defer a patch until the next scheduled point release.
My Chrome (in OSX) tab crashes even scrolling past half-way in this comments thread. Doesn't happen in other comment threads or in Safari or Firefox. Any idea why?
I use the HN comment collapse extension plus AdBlock, Ghostery, etc. Some sort of link pre-fetching I'm not aware of?
AFAIU, the length is negative but it is then treated as an unsigned integer by vDSP_sveD. So the function iterates over the given vector until there is a memory exception (as the length is very close to UINT_MAX). It doesn't look very exploitable to me but it is surely annoying. I've found it a bit odd that neither TStorageRange::SetStorageSubRange nor vDSP_sveD do any kind of sanity checks for the values they calculate or which are passed to them.
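As an added illustration of the pattern the comment above describes (a signed sub-range length that goes negative and is then consumed as an unsigned element count), here is a small self-contained C model. It is not code from the thread and not Apple's CoreText or vDSP code; `subrange_length_unchecked`, `sum_vector` and `sum_subrange_checked` are hypothetical stand-ins, and the four-element `glyphs` buffer is constructed sample data. The unchecked path only reports what the count becomes rather than looping, since actually iterating would read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample buffer standing in for per-glyph values. */
static const double glyphs[4] = {1.0, 2.0, 3.0, 4.0};
#define GLYPHS_LEN (sizeof glyphs / sizeof glyphs[0])

/* Hypothetical stand-in for a sub-range computation done in signed arithmetic:
 * nothing here rejects end < start, so the result can be negative. */
static int subrange_length_unchecked(int start, int end) {
    return end - start;
}

/* What a callee with an unsigned length parameter sees when handed that
 * negative value: -2 becomes SIZE_MAX - 1, a count no buffer can satisfy. */
static size_t as_unsigned_length(int len) {
    return (size_t)len;
}

/* Hypothetical stand-in for a vDSP-style vector sum. The length is unsigned
 * and trusted, so a wrapped count would walk off the end of v until the
 * process hits an unmapped page. */
static double sum_vector(const double *v, size_t n) {
    double acc = 0.0;
    for (size_t i = 0; i < n; i++) acc += v[i];
    return acc;
}

/* Hardened variant: validate the range against the buffer before the
 * signed-to-unsigned conversion ever happens. Returns false on rejection. */
static bool sum_subrange_checked(const double *v, size_t buf_len,
                                 int start, int end, double *out) {
    if (start < 0 || end < start || (size_t)end > buf_len) return false;
    *out = sum_vector(v + start, (size_t)(end - start));
    return true;
}

/* Convenience wrapper over the constructed buffer: returns the sum of
 * glyphs[start, end), or -1.0 if the range was rejected (all samples are
 * positive, so -1.0 cannot be a legitimate sum). */
static double demo_sum(int start, int end) {
    double s;
    return sum_subrange_checked(glyphs, GLYPHS_LEN, start, end, &s) ? s : -1.0;
}

int main(void) {
    int bad = subrange_length_unchecked(3, 1);
    printf("signed length %d becomes %zu as an unsigned count\n",
           bad, as_unsigned_length(bad));
    printf("inverted range [3,1): %g (rejected)\n", demo_sum(3, 1));
    printf("valid range    [1,3): %g\n", demo_sum(1, 3));
    printf("overlong range [0,5): %g (rejected)\n", demo_sum(0, 5));
    return 0;
}
```

The check has to happen on the signed values, before the cast: once the length is a `size_t`, the information that it was negative is gone, and a bounds check against the buffer length alone cannot distinguish an inverted range from a merely large one.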
Unlikely. iOS7 and 10.9 use TextKit which wraps CoreText and in turn they have dramatically enhanced CoreText in the process. The code is unlikely to be compatible. It will likely require a patch for the older code.
Security relevant crash bugs are normally back ported. In any case, TextKit is just a wrapper of CoreText (like you said) for easier use within AppKit/UIKit — all the text handling is still done by CoreText.
Ummm, I wouldn't install it on a computer that you want to use for general computer usage. As a general rule, I advise people to wait until at least the .1 release, if not the .2 release, for each new version. So using the beta is definitely a no-no, unless you actually need the beta for testing your application against.
Otherwise you can find pretty big things not working - printing might not work on one release, or Bluetooth preferences might not open on another, or AirPlay video streaming might not work. You may have graphics glitches, or a runaway process that kills battery life. It's simply not worth the pain if you don't really need it, but if you do really need it, the pain is bearable if you grit your teeth.
Anyone tested what happens when you use it as a computer name? Could be a problem as well, since machines with file shares are listed in the Finder's sidebar. When the SSID already produces such a screwup, that would be even worse.
Works when being e-mailed to an Apple phone also. Especially if you're using an ActiveSync enabled account. It will immediately crash the Mail app until that e-mail message is deleted from another client.
Wow, this actually crashes the entire Chrome browser on Mac OS X. This is the only one that fully crashes the browser instead of just the tab. The weird thing is, though, you need to copy-paste it for it to crash, not just view it. Weird, huh?
I'm really resisting sending this to my coworkers. Works via email as well; you can just turn Mail sync off and back on for the account to fix it (on iOS).
iOS is the only platform where I don't support full disclosure, or for that matter, any disclosure. It looks doubtful that this bug would be able to be used in a jailbreak anyway, but it's certain that Apple will patch it once it's known (and especially if it could be used to jailbreak).
A `curl https://zhovner.com/tmp/killwebkit.html` in iTerm2 crashes as well.