Apple Patches Indian Character Crash Bug in iOS, macOS

A flaw in the Apple Core Text framework enabled a simple character to crash any Apple device that attempted to render the symbol.


Over the past week, Apple device users have been hoping to avoid receiving a message containing a specific Indian symbol that crashes a device as soon as the user views it. Apple users can now breathe a sigh of relief, as the so-called "text bomb" has been patched.

On Feb. 19, Apple patched the text bug across its various operating systems with the iOS 11.2.6, watchOS 4.2.3, tvOS 11.2.6 and macOS High Sierra 10.13.3 supplemental updates.

"Processing a maliciously crafted string may lead to heap corruption," Apple warned in its advisory.

The flaw is formally identified as CVE-2018-4124 and was an issue in the Apple Core Text framework. Core Text is the Apple software component that handles font and text layout with a low-level programming interface. According to Apple, CVE-2018-4124 was a memory corruption issue that has now been patched with improved input validation.

The character that was able to crash Apple devices is in the Telugu language, which is native to India. The issue was publicly reported on Feb. 12 and was actively being used as a "text bomb" in the days after it was first reported, shutting down devices that attempted to render the text.

Users did not have to click on a link to trigger a restart. Users simply had to view a page with the Telugu character on it. The text bomb was embedded by some individuals in Twitter messages, and it was also being placed in popular iOS game chats and forums, triggering device reboots. One security researcher used the Telugu text bomb in a test in which he was able to get the Uber app to crash on Uber drivers' devices.

The core of the Telugu text bomb issue in Apple's Core Text framework is related to how the software component handles Unicode character rendering. Mozilla researcher Manish Goregaokar did some analysis of the flaw and found that it could have been triggered by more than just the single Telugu character that was initially identified.

"From some experimentation, this bug seemed to occur for any pair of Telugu consonants with a vowel, as long as the vowel is not ై (ai), huh," Goregaokar wrote. "And then I saw that there was a sequence in Bengali that also crashed."

In a thread on the Unicode mailing list titled "Unicode of Death 2.0," researcher Philippe Verdy said the cause of the Telugu text bomb was related to the fact that Apple's text rendering process was not properly allocating the right type of buffer for rendering certain text. Verdy noted that Microsoft's text rendering engine did not suffer from the same problem.

The Telugu text bomb fix is the latest in a series of updates that Apple has released rapidly in recent months after flaws were publicly disclosed. On Jan. 23, Apple released the iOS 11.2.5 and macOS High Sierra 10.13.3 updates, fixing multiple security issues, including the ChaiOS flaw that enabled attackers to crash a device with a text link.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.