PSA: New Character Bug in Messages Causing iOS Devices to Crash [Updated]

[az431]

wow, lots of critical bugs coming out of Cupertino lately. Mail security bug and now this.

That's quite a list you have there. Two.

And yesterday your list of examples would have had one on it.

 

[fredrik9]

Nothing new really. iMessage has had a long history of these vulnerabilities. If you want security and reliability you use something else for messaging, mail, etc.

It really has nothing to do with iMessage. It works on Telegram, Twitter etc. as it says in the article. It is on the OS level.

 

[Westside guy]

It's nothing new, nor is it specific to iOS - but it's ridiculous that a flaw in an application can crash an entire system.

 

[iBluetooth]

How hard can it possibly be to just have something like:

try {
    renderText();
} catch (Exception e) {
    renderUnprintable();
    reportToApple(e);
}

I know, that's Java and Apple would actually use Swift, but still, how hard can it possibly be to just not let the exception through?

It probably has to do with the utf-string library and thus, not direclty the fault of the iMessage programmers.

 

[CarlJ]

Great. Looking forward to receive texts like these again!

If you get them from people you know, it's a great way to find out who to block permanently.

 

[outskirtsofinfinity]

Isn't it time to scrap all these crazya$$ fonts, which pose a national security risk, and go back to just plain normal English plus maybe dingwingbats?

 

[iBluetooth]

Right - this seems pretty easy to unit-test. Just use Chaos Monkey or something and have it throw every possible combination of characters at it.

You know there are trillions of character glyphs and thus the combination is in a stratospheric number.

 

[CarlJ]

Isn't it time to scrap all these crazya$$ fonts, which pose a national security risk, and go back to just plain normal English plus maybe dingwingbats?

Please no. Unicode fixed an enormous number of communication problems for computers. Going back to what we had before would be roughy akin to taking medicine back to before we had antibiotics and anesthesia. Plus, English only covers the majority of the US, part of Canada, England, and India (and a few other spots). There are a lot of other countries we'd like to converse with.

 

[outskirtsofinfinity]

You know there are trillions of character glyphs and thus the combination is in a stratospheric number.

If Apple has to resort to bombarding their input with every combination and permutation of every glyph in existence in order to ascertain there are no issues, then they have got everything backwards. It's better to develop a good systematic understanding of their own code and keep userspace strings from interfering with the kernel code (or whatever). Some computer languages make this a fairly easy task - they keep (and treat) strings as strings and do a great job compartmentalizing. It ain't rocket science.

 

[Analog Kid]

You know there are trillions of character glyphs and thus the combination is in a stratospheric number.

And yet other people seem to be able to find the fun ones... it would be nice if Apple deployed the resources to find them first.

 

[EM2013]

You can pretty much already do this. You can have unknown numbers be sent to voicemail, and unknown texts be filtered into a separate list. You'll get no notifications for either these.

*iMessages only. Normal texts still come through normally.

I don’t know if that prevents this bug though, as the message technically still goes through.

 

[jdavid_rp]

And its already fixed with jailbreak...

 

[I7guy]

Somebody is devoting a significant amount of time to find these things.

 

[timduck]

the emoji obsession has finally paid off apple
just what we need, useless emoji that creates bugs
it just works, i guess not anymore

 

[I7guy]

If Apple has to resort to bombarding their input with every combination and permutation of every glyph in existence in order to ascertain there are no issues, then they have got everything backwards. It's better to develop a good systematic understanding of their own code and keep userspace strings from interfering with the kernel code (or whatever). Some computer languages make this a fairly easy task - they keep (and treat) strings as strings and do a great job compartmentalizing. It ain't rocket science.

With at least 40 million lines of in windows (Xp) and lots in iOS it is rocket science. If it were so easy windows being in existence for 30 years should be bug free.

 

[Mascots]

How hard can it possibly be to just have something like:

try {
    renderText();
} catch (Exception e) {
    renderUnprintable();
    reportToApple(e);
}

I know, that's Java and Apple would actually use Swift, but still, how hard can it possibly be to just not let the exception through?

Previous bugs (like the Telugu character) caused TextKit's rendering to loop which eventually led to the crash because the system terminated non-responding process. There wasn't really a place to catch the error and print what could be rendered because the system didn't know it/what couldn't be rendered.

That's not to say that something like this couldn't have been guarded against... but programming pretty much every language in its full complexity is one hell of a job. There's many things not quite as simple as the romance languages where rendering just moves forward in a straight line.

 

[thejadedmonkey]

It probably has to do with the utf-string library and thus, not direclty the fault of the iMessage programmers.

How hard is it to have a test for every UTF character? Seriously, verify("A"), verify("B")...

 

[zorinlynx]

Oh damn. I installed 13.4.5 beta 2 earlier to mitigate the E-mail vulnerability, and today a new bug that's fixed in that update pops up.

Best choice ever to install an otherwise meaningless beta!

 

[CarlJ]

Oh damn. I installed 13.4.5 beta 2 earlier to mitigate the E-mail vulnerability, and today a new bug that's fixed in that update pops up.

Best choice ever to install an otherwise meaningless beta!

Well, but it’s on your testing device, obviously not on your primary phone, so no big deal.

 

[tennisproha]

Received FROM a malicious person. Not BY.

Maybe they’re malicious by nature

 

[ritmomundo]

How is something like this even discovered?

 

[subjonas]

How can characters in a message crash an entire computer? How do computers even work?

 

[Lucas284]

I can’t use Twitter right now because people are using the characters 😐

 

[idmean]

Nothing new really. iMessage has had a long history of these vulnerabilities. If you want security and reliability you use something else for messaging, mail, etc.

Something like this would be cool, right?

 

[iMacDragon]

How hard is it to have a test for every UTF character? Seriously, verify("A"), verify("B")...

It's not nearly as simple as that, because UTF characters can combine to create new ones. That's where the issues come in.