Monday, September 2, 2013

The Unicode of death! At least for iPhones...


You may have been surprised by apps on your iPhone suddenly crashing, or even worse, not opening anymore!

What happened is that a very cool Russian hacker group decided to publish a bug they had found on the internet, a few days before the probable release date of iOS 7 (September 10th), so that some clueless guys could play with it.

- Link to the original post: http://habrahabr.ru/post/191654/

- Link to the proof of concept (do not open it on iOS 6 or OS X Mountain Lion): https://zhovner.com/tmp/killwebkit.html

What they found was a sequence of special Arabic characters which, combined with a character that joins the text together and another that reverses its direction, causes a WebKit crash, which means that any app that tries to display this text crashes instantly.

According to the news, Apple had been warned about this bug 6 months ago, which makes it a huge slip on their part not to have fixed it; after all, iOS 6.1.4 was released just to correct a small bug in the lock screen. Instead of being quietly reported to them, this bug has now been published on YouTube.

Here in Brazil, Cid, a blogger for the naosalvo blog, did a favor to humanity by posting this code on his Twitter, calling on Android users to bomb their iPhone friends with it on whatever network possible.

Cid's call had an amazing repercussion, with people threatening him and religious guys saying that he has some pact with the devil; he also got lots of coverage in major newspapers here.

For instance, when this special text is sent via WhatsApp, since it appears in the notification area it crashes SpringBoard (the iPhone's home screen) immediately, and from then on every time you open WhatsApp it crashes again because it tries to show the text. How nice!

To recover from this you have to reinstall WhatsApp so you can erase your history; according to my cousin Lars, he was able to recover part of his history by backing his WhatsApp data up to iCloud and restoring it afterwards.

In iPhone Messages this is even worse: you have to kindly ask your attacker to send another harmless message so you can delete the conversation, or send yourself 50 messages, which will push the offending message off the screen.

Now to the technical part; if you are afraid of it you may exit now.

I decided to spend some time looking at the crash logs and trying to find out what causes this crash. In my opinion, what has been claimed all over the internet is wrong! This is not caused by CoreText, and I can explain why. Take a look at this log from my WhatsApp:

Exception Type:  EXC_CRASH (SIGSEGV)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Crashed Thread:  1

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0:
0   WebCore                        0x37c298fc 0x379a7000 + 2631932
1   WebCore                        0x37c2690a 0x379a7000 + 2619658
2   WebCore                        0x37c267be 0x379a7000 + 2619326
3   WebCore                        0x37c2a93c 0x379a7000 + 2636092
4   WebCore                        0x37c2a810 0x379a7000 + 2635792
5   WebCore                        0x379ac7c4 0x379a7000 + 22468
6   WebCore                        0x37dd1e98 0x379a7000 + 4370072
7   WebKit                         0x382dab84 0x382d7000 + 15236
8   WebKit                         0x382da5c0 0x382d7000 + 13760
9   WebKit                         0x382da2ec 0x382d7000 + 13036
10  WebKit                         0x382da28a 0x382d7000 + 12938
11  WebKit                         0x382da22a 0x382d7000 + 12842
12  UIKit                          0x33875964 0x33866000 + 63844
13  UIKit                          0x338758a0 0x33866000 + 63648
14  UIKit                          0x338b1328 0x33866000 + 308008
15  UIKit                          0x33874c52 0x33866000 + 60498
16  UIKit                          0x33873a1e 0x33866000 + 55838
17  UIKit                          0x33873858 0x33866000 + 55384
18  UIKit                          0x33872d18 0x33866000 + 52504

It seems clear to me that this crash came from WebKit rather than CoreText, as people have been saying (I know why: one person says it and others who do not understand repeat it).

Come on, think with me here: WebKit is open source, so the guy can read the code until he finds the flaw, but in CoreText he would have to debug assembly in order to find a bug. Which way do you think they found it?!?
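As an added example (not part of the original post), here is a small Python parser for the backtrace lines in a log like the one above. It checks each frame's absolute address against image base + offset and reports, per thread, which binary image the innermost frames belong to, which is the check behind the WebKit-versus-CoreText question. The sample log is a constructed excerpt in the same format, not the full log from the post.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the crash log quoted above (a subset of its lines).
SAMPLE_LOG = """\
Exception Type:  EXC_CRASH (SIGSEGV)
Crashed Thread:  1
Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0:
0   WebCore                        0x37c298fc 0x379a7000 + 2631932
1   WebCore                        0x37c2690a 0x379a7000 + 2619658
7   WebKit                         0x382dab84 0x382d7000 + 15236
12  UIKit                          0x33875964 0x33866000 + 63844
"""

# Backtrace line: index, image name, absolute address, image load base, "+", decimal offset.
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+\+\s+(\d+)\s*$")
THREAD_RE = re.compile(r"^Thread (\d+)(?: Crashed)?:$")
CRASHED_RE = re.compile(r"^Crashed Thread:\s+(\d+)")

def parse_crash_log(text):
    """Return (crashed_thread_id, {thread_id: [frame dicts]}) for an iOS-style crash log."""
    threads, crashed, current = {}, None, None
    for line in text.splitlines():
        if m := CRASHED_RE.match(line):
            crashed = int(m.group(1))
        elif m := THREAD_RE.match(line):
            current = int(m.group(1))
            threads.setdefault(current, [])
        elif (m := FRAME_RE.match(line)) and current is not None:
            idx, image, addr, base, off = m.groups()
            addr, base, off = int(addr, 16), int(base, 16), int(off)
            # Sanity check: an unsymbolicated frame must satisfy addr == base + offset.
            threads[current].append({"index": int(idx), "image": image, "addr": addr,
                                     "base": base, "offset": off, "consistent": addr == base + off})
    return crashed, threads

def triage(text):
    """Summarise, per thread, which binary image the innermost frame lives in."""
    crashed, threads = parse_crash_log(text)
    report = {"crashed_thread": crashed, "crashed_thread_present": crashed in threads, "threads": {}}
    for tid, frames in threads.items():
        ordered = sorted(frames, key=lambda f: f["index"])
        report["threads"][tid] = {
            "innermost_image": ordered[0]["image"] if ordered else None,
            "images": dict(Counter(f["image"] for f in ordered)),
            "all_consistent": all(f["consistent"] for f in ordered),
        }
    return report
```

On the excerpt it reports `crashed_thread_present` as False, because the header names thread 1 as the crashing thread while only thread 0's frames are pasted; that is worth checking before attributing a crash to a particular image.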

I was able to trace the bug to this file in WebKit:
Specifically this function:
adjustGlyphsAndAdvances()

It has possibly already been fixed in the current version of WebKit, because neither iOS 7 nor OS X Mavericks is affected by this bug.

And here is a lesson for Apple: they thought everything was going to be OK until iOS 7 was released. Think again; bugs exist to be fixed, especially critical bugs that lead to a DoS (Denial of Service).

EDIT:

For Android users who want to use this, it is better to copy the text from Cid's Twitter or from here: http://pastebin.com/raw.php?i=AEF3b444
