BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

ABCDKERNELPANIC: Unicode vs. Apple Inc.

Posted August 29, 2013    BeyondTrust Research Team

Yesterday, Russian researchers publicly disclosed the presence of a denial of service vulnerability affecting OS X 10.8 and iOS 6. OS X 10.9 Mavericks and iOS 7 are unaffected. So what’s the big deal with this particular denial of service vulnerability? It’s remotely exploitable and is trivial to trigger. Stringing together a series of Unicode characters, Arabic \u062E\u0337\u0334\u0310\u062E, and making a target display the characters triggers the vulnerability, causing applications to crash immediately.

Malicious Unicode

Malicious Unicode

Third party applications such as Chrome and Twitter (on both iOS and OS X), as well as iOS built-in applications like Messages, crash when displaying the above Unicode. Attackers may even create malicious SSIDs and broadcast them in public places. When a target user goes to join a WiFi network, turn on WiFi, or check their WiFi, the malicious SSID may be rendered by Core Text, a text and font layout and handling mechanism within OS X and iOS. The resulting segmentation fault in Core Text may cause instability in OS X, or even make an iOS device reboot.

Social media services have seen users posting, tweeting, and sharing the malicious Unicode string, prompting Facebook to ban the string from future posts. Having your Twitter feed blow up a Chrome tab isn’t the end of the world, but certainly worth mentioning as curious members of the public and script-kiddies everywhere will be having fun with this until a fix is released.

Tags:
, , , , , , ,

Leave a Reply

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, BASH has always been my shell of choice.  Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…

pbps-blog3

7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…

Tags:
, , , , ,