BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

ABCDKERNELPANIC: Unicode vs. Apple Inc.

Posted August 29, 2013    BeyondTrust Research Team

Yesterday, Russian researchers publicly disclosed the presence of a denial of service vulnerability affecting OS X 10.8 and iOS 6. OS X 10.9 Mavericks and iOS 7 are unaffected. So what’s the big deal with this particular denial of service vulnerability? It’s remotely exploitable and is trivial to trigger. Stringing together a series of Unicode characters, Arabic \u062E\u0337\u0334\u0310\u062E, and making a target display the characters triggers the vulnerability, causing applications to crash immediately.

Malicious Unicode

Malicious Unicode

Third party applications such as Chrome and Twitter (on both iOS and OS X), as well as iOS built-in applications like Messages, crash when displaying the above Unicode. Attackers may even create malicious SSIDs and broadcast them in public places. When a target user goes to join a WiFi network, turn on WiFi, or check their WiFi, the malicious SSID may be rendered by Core Text, a text and font layout and handling mechanism within OS X and iOS. The resulting segmentation fault in Core Text may cause instability in OS X, or even make an iOS device reboot.

Social media services have seen users posting, tweeting, and sharing the malicious Unicode string, prompting Facebook to ban the string from future posts. Having your Twitter feed blow up a Chrome tab isn’t the end of the world, but certainly worth mentioning as curious members of the public and script-kiddies everywhere will be having fun with this until a fix is released.

Tags:
, , , , , , ,

Leave a Reply

Additional articles

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,
normal-blog-img

New IT Security Best Practices for Maintaining “Business as Usual” Despite Evolving Threats

Posted August 13, 2014    Morey Haber

It’s time to get back to business. Here in the U.S., summer vacations are wrapping up and businesses are looking forward to closing out 2014. Over the past year, we’ve seen several incidents that warrant changes in the ways consumers make purchases and businesses conduct transactions. Consider last week’s theft of a whopping 1.2 billion…

Tags:
, , ,