DoS exploit crashes iOS/OSX devices using WebKit

116 points by luastoned, over 11 years ago

27 comments

adamzegelin, over 11 years ago

This isn't a bug inside WebKit. It's a bug inside Apple's CoreText font rendering framework.

A `curl https://zhovner.com/tmp/killwebkit.html` in iTerm2 crashes as well.

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0   libvDSP.dylib            0x00007fff9080ead6 0x7fff907f2000 + 117462
    1   com.apple.CoreText       0x00007fff8892cd5c TRun::TRun(TRun const&, CFRange, TRun::SubrangingStyle) + 850
    2   com.apple.CoreText       0x00007fff8892c9ee CTGlyphRun::CloneRange(CTRun const*, CFRange, TRun::SubrangingStyle) + 142
    3   com.apple.CoreText       0x00007fff8893b764 TLine::SetLevelRange(CFRange, unsigned char, bool) + 162
    ⋮
    8   com.googlecode.iterm2    0x000000010003ce63 -[PTYTextView(Private) drawRun:ctx:initialPoint:] + 99
    9   com.googlecode.iterm2    0x000000010003d498 -[PTYTextView(Private) _drawRuns:runs:] + 344
    ⋮
    41  com.googlecode.iterm2    0x0000000100001bd4 start + 52
peter_tonoli, over 11 years ago

Seems to be a pretty devastating problem if you send the exploit text to someone in iMessage. Makes the phone immediately crash - when the phone has been restarted and the user clicks on "Messages", it crashes again - I think that it'll need a system restore / hacking of the Messages datastore to fix.

Put the exploit text into the SSID for an iOS personal hotspot - crashes iOS devices when they scan for SSIDs to connect to.
DanielRibeiro, over 11 years ago

Pretty interesting discovery.

Direct link (WARNING: THIS CAN KILL WEBKIT): https://zhovner.com/tmp/killwebkit.html
chroman, over 11 years ago

I don't know why, but I realized that CoreText is crashing with this combination of three Unicode characters:

http://tny.cz/87a09a7c
jonchang, over 11 years ago

Anyone know what Apple's timeline on patches for bugs like this is? TFA says that they've known about this for 6 months now.
signed0, over 11 years ago

There was something similar earlier this year with typing 'File:///' in an OS X text field.

http://thenextweb.com/shareables/2013/02/02/typing-these-eight-characters-will-crash-almost-any-application-on-your-mac/
joeblau, over 11 years ago

I remember back in the day when you could send &#770; to people on AIM and crash their AIM clients.
prawn, over 11 years ago

My Chrome (in OS X) tab crashes even scrolling past half-way in this comments thread. Doesn't happen in other comment threads or in Safari or Firefox. Any idea why?

I use the HN comment collapse extension plus AdBlock, Ghostery, etc. Some sort of link pre-fetching I'm not aware of?
syncopate, over 11 years ago

I've been looking at the stack trace in gdb a bit. And it seems that inside CoreText TStorageRange::SetStorageSubRange calls

    void vDSP_sveD(double *__vDSP_A, vDSP_Stride __vDSP_I, double *__vDSP_C, vDSP_Length __vDSP_N)

with a negative length argument.
beyondcompute, over 11 years ago

> Since Apple doesn't show any reaction for about half a year.

Why is this happening?
augbot, over 11 years ago

People should put this link in the Apple Crash Report as proof.
gmac, over 11 years ago

On my iPad I can only read half the comments here, then Safari exits: looks like jmuguy rather unhelpfully posted the characters in question.
sanxiyn, over 11 years ago

This seems to be the kind of bug that would be found by fuzz testing. Is Apple not using fuzz testing, or what's going on?
mukundmr, over 11 years ago

Works pretty well, LOL. I hope it gets fixed ASAP. You can try it out and report it via the browser feedback form.
humus, over 11 years ago

Anyone tested what happens when you use it as a computer name? Could be a problem as well, since machines with file shares are listed in the Finder sidebar. When the SSID already produces such a screwup, that would be even worse.
snickler, over 11 years ago

Works when being e-mailed to an Apple phone also, especially if you're using an ActiveSync-enabled account. It will immediately crash the Mail app until that e-mail message is deleted from another client.
sigzero, over 11 years ago

Fixed in Mavericks and iOS 7 apparently. So a fix is probably coming soon.
chroman, over 11 years ago

This crashes any app. Try to paste this Unicode combination into any text field and you'll get a crash. http://tny.cz/1a56d253
kawera, over 11 years ago

Does not crash Safari 6.0.4 (7536.29.13) on OS X 10.7.5 for me.
jmuguy, over 11 years ago

I'm really resisting sending this to my coworkers. Works via email as well; you can just turn Mail sync off and back on for the account to fix it (on iOS).
lxgr, over 11 years ago

Does this also affect iOS 5 and lower? That would be really annoying, as devices stuck on that version aren't receiving updates anymore...
ryanpetrich, over 11 years ago

Here's another: http://rpetri.ch/crash/
nst021, over 11 years ago

same with

    $ python -c "print(u'\u0647\u0020\u0488\u0488\u0488')"

source: https://twitter.com/nst021/status/316124758469120000
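Several comments above (peter_tonoli on iMessage and hotspot SSIDs, snickler and jmuguy on mail, nst021's five-code-point sequence) amount to the same operational problem: any relay that forwards untrusted text to Apple clients is a delivery channel. The block below is an added example, not code from the thread or from Apple, of a blocklist filter for such a relay. It matches only the sequence nst021 posted (U+0647, U+0020, three U+0488); the NFKC folding, the sample addresses and the constructed messages are this example's own assumptions, and whether the folded variants also crash CoreText is not established by the thread.

```python
# Added example, not code from the thread or from Apple: a stop-gap
# blocklist for the CoreText crash sequence, for a mail relay, chat
# bridge or SSID sanitiser that forwards text to Apple clients. Only the
# sequence nst021 posted is known from the thread, so this is a
# blocklist until Apple's fix ships, not a root-cause defence.
import unicodedata
from email import message_from_bytes, policy
from email.message import EmailMessage

# The sequence as posted: ARABIC LETTER HEH, SPACE, then three
# COMBINING CYRILLIC HUNDRED THOUSANDS SIGN.
CORETEXT_CRASH_SEQ = "\u0647\u0020\u0488\u0488\u0488"


def contains_crash_sequence(text: str) -> bool:
    """True if `text` contains the posted crash sequence.

    Assumption (ours, not from the thread): the text is NFKC-normalised
    first, so presentation-form HEH (U+FEE9..U+FEEC) and NO-BREAK SPACE
    (U+00A0) fold to U+0647 and U+0020 before matching. Whether those
    variants crash CoreText too is not established; folding them only
    makes the blocklist harder to sidestep. U+0488 has no decomposition,
    so a run of three or more is matched unchanged.
    """
    return CORETEXT_CRASH_SEQ in unicodedata.normalize("NFKC", text)


def ssid_is_safe(ssid: bytes) -> bool:
    """SSIDs travel as raw octets (at most 32 in 802.11) and are shown
    as UTF-8 by most stacks. Undecodable bytes are replaced rather than
    rejected so a mangled SSID cannot slip past the check."""
    return not contains_crash_sequence(ssid.decode("utf-8", errors="replace"))


def scan_email(raw: bytes) -> list:
    """Return the names of the parts of an RFC 5322 message that carry
    the sequence: decoded Subject, decoded From, and the text/plain body.
    The email package undoes RFC 2047 header encoding and base64 or
    quoted-printable bodies before matching, which matters because the
    bytes on the wire need not contain the sequence verbatim."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for name in ("Subject", "From"):
        if contains_crash_sequence(str(msg.get(name, ""))):
            hits.append(name)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and contains_crash_sequence(body.get_content()):
        hits.append("body")
    return hits


def build_sample_email(subject: str, body: str) -> bytes:
    """Constructed test message (not a real capture); the email package
    picks the RFC 2047 and transfer encodings, as a sending MUA would."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"  # assumed address
    m["To"] = "victim@example.invalid"    # assumed address
    m["Subject"] = subject
    m.set_content(body)
    return m.as_bytes()


def demo() -> dict:
    """Run the filter over constructed inputs and return what it found."""
    crash_mail = build_sample_email("hi " + CORETEXT_CRASH_SEQ, "see subject")
    clean_mail = build_sample_email("status report", "nothing to see")
    # Presentation-form HEH and NO-BREAK SPACE variant of the same sequence.
    folded_variant = "\ufee9\u00a0\u0488\u0488\u0488"
    return {
        "plain": contains_crash_sequence("ping " + CORETEXT_CRASH_SEQ),
        "folded_variant": contains_crash_sequence(folded_variant),
        "two_marks_only": contains_crash_sequence("\u0647 \u0488\u0488"),
        "ssid_bad": ssid_is_safe(CORETEXT_CRASH_SEQ.encode("utf-8")),
        "ssid_ok": ssid_is_safe(b"CoffeeShop-Guest"),
        "email_hits": scan_email(crash_mail),
        "email_clean": scan_email(clean_mail),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script and it reports each constructed case; `demo()["email_hits"]` is `["Subject"]` because the crash sequence rides in the RFC 2047-encoded subject rather than the body. Dropping or quarantining a matched message is the relay's decision; the functions only classify.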
augbot, over 11 years ago

Just tested on iOS 7 Safari on a gen-3 iPad... The font looks great!
ballard, over 11 years ago

CVE # on this?
yolodicks, over 11 years ago

HOW DO I FIX THIS.
maqr, over 11 years ago

iOS is the only platform where I don't support full disclosure, or for that matter, any disclosure. It looks doubtful that this bug would be able to be used in a jailbreak anyway, but it's certain that Apple will patch it once it's known (and especially if it could be used to jailbreak).