
CoreText bug may crash OS X and iOS apps

A flaw in Apple's text-handling routines may cause a number of OS X and iOS programs and services to crash and could be used for potential nefarious purposes.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

There is a bug in Apple's iOS and OS X operating systems that will cause the current application to crash if it attempts to render a specific string of Arabic characters.

The bug, found in the CoreText framework Apple uses in iOS and OS X, was apparently mentioned on Twitter as far back as February but recently gained attention among the coding and hacking communities. Apple so far has not acknowledged the issue or offered a fix, though researchers claim that while it affects prior versions of OS X and iOS, the latest developer previews of OS X Mavericks and iOS 7 are unaffected.

This suggests that Apple may be aware of the issue, and a fix may be in the works for prior versions of OS X, but it could also simply mean that changes Apple has made in the development of CoreText for the upcoming operating systems have fixed the issue on their own.

[Image: Nefarious Arabic character string. This string of Arabic characters will crash OS X programs and services if they use CoreText. Screenshot by Topher Kessler/CNET]

Because this bug affects any service or program that uses CoreText, it can, unfortunately, be used in a denial-of-service attack: someone can send the string of characters as a text message, e-mail, iMessage, or Web page, or even incorporate it in a Wi-Fi SSID or computer name on a network, causing the OS X systems and handling applications that interact with it to crash.

So far this has not been noted as happening, but it is a possibility given the nature of this bug.

This situation in OS X comes a few months after a similar one that occurred in OS X Mountain Lion in February of this year, where programs that attempted to render file address URLs would crash. Apple quickly fixed that issue, but the mishandling of Arabic characters, which has been around since the same time frame, has gone unfixed.

Hopefully Apple will address this problem soon, to prevent mischievous individuals from causing problems for users by sending them the string of characters.


