A texting bug that leaves no Apple product safe—it crashes iPhones, Apple Watch, iPads and Macs—has now gone on to terrorize Twitter and Snapchat.
The “text of death” problem lies in a software flaw in Apple’s core text-processing system (appropriately dubbed “CoreText”), which is common to all Apple devices. When presented with non-Latin characters in a specific sequence—especially those from Arabic, Chinese and Marathi—the processor essentially pulls a “does not compute” and shuts down, crashing the system.
What that means is that it’s possible to send booby-trapped messages to Apple gear with the express purpose of DoSing them. And now, enterprising nefarious types have figured out that those same messages can be sent via Twitter and Snapchat.
F-Secure researcher Mikko Hypponen told the Guardian that iPhone users who have Twitter notifications turned on are vulnerable to both public mentions and direct messages that contain a crashing sequence. Any time an offending character string arrives at the phone, even via an app notification, CoreText is tasked with handling it and can thus be affected.
The story is similar for Snapchat: Users who open a message with the offending characters will find their phones crashed. It’s a lock-out issue too: Users can’t open the chat history with the person who sent the offending message without crashing their iPhone, so there’s no easy way to get in and delete the message.
Apple told the Guardian that it’s prepping a software update to fix the problem—but that update so far has not appeared. There are, however, workarounds: Apple said that using non-text-based communications, like using Siri to reply to a message or sending the contact a photo, will allow users to access and delete the offending conversation. Twitter users should also disable notifications.
The bug is worrisome but not as destructive as it could be, one researcher explained. “[This] bug isn't the first text-processing DoS bug to hit Apple devices; there was the ‘Unicode of Death’ bug back in the summer of 2013 that had a similar effect,” Rapid7’s security engineering manager, Tod Beardsley, told Infosecurity. “That denial of service earned a swift fix from Apple at the time, due to it being quite reliable. This new issue is less effective, in that it often requires several attempts, and Apple has published a workaround, so this situation isn't as dire as the last.”
He added, “Unicode processing bugs are nearly always caused by buffer overflows, but this issue doesn't look exploitable beyond merely crashing the target device.”