BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

ABCDKERNELPANIC: Unicode vs. Apple Inc.

Posted August 29, 2013    BeyondTrust Research Team

Yesterday, Russian researchers publicly disclosed the presence of a denial of service vulnerability affecting OS X 10.8 and iOS 6. OS X 10.9 Mavericks and iOS 7 are unaffected. So what’s the big deal with this particular denial of service vulnerability? It’s remotely exploitable and is trivial to trigger. Stringing together a series of Unicode characters, Arabic \u062E\u0337\u0334\u0310\u062E, and making a target display the characters triggers the vulnerability, causing applications to crash immediately.

Malicious Unicode

Malicious Unicode

Third party applications such as Chrome and Twitter (on both iOS and OS X), as well as iOS built-in applications like Messages, crash when displaying the above Unicode. Attackers may even create malicious SSIDs and broadcast them in public places. When a target user goes to join a WiFi network, turn on WiFi, or check their WiFi, the malicious SSID may be rendered by Core Text, a text and font layout and handling mechanism within OS X and iOS. The resulting segmentation fault in Core Text may cause instability in OS X, or even make an iOS device reboot.

Social media services have seen users posting, tweeting, and sharing the malicious Unicode string, prompting Facebook to ban the string from future posts. Having your Twitter feed blow up a Chrome tab isn’t the end of the world, but certainly worth mentioning as curious members of the public and script-kiddies everywhere will be having fun with this until a fix is released.

Tags:
, , , , , , ,

Leave a Reply

Additional articles

webinar_ondemand

On Demand Webinar – Why You Still Suck at Patching

Posted March 27, 2015    Lindsay Marsh

On Demand Webinar: Dave Shackleford recounts some of his personal experiences in patch management failure, and breaks down the most critical issues holding many teams back from patching more effectively.

Tags:
,
dave-shackleford-headshot

Why You Still Suck at Patching…and How to Turn Your Life Around

Posted March 25, 2015    Dave Shackleford

Live webinar | March 26, 2015 | 10am PT/1pm ET | Dave Shackleford, SANS Instructor | Why You Still Suck at Patching…and How to Turn Your Life Around

Tags:
, ,
infographic

Privilege Gone Wild 2: Over 25% of Organizations Have No Privileged Access Controls

Posted March 24, 2015    Scott Lang

BeyondTrust recently conducted a survey, with over 700 respondents, to explore how organizations view the risk of misuse from privileged account misuse, as well as trends in addressing and mitigating those risks.

Tags:
,