BF-SIRT Newsletter 2018-08

Apple fixes that “1 character to crash your Mac and iPhone” bug

Apple has pushed out an emergency update for all its operating systems and devices, including TVs, watches, tablets, phones and Macs.

The fix patches a widely-publicised vulnerability known officially as CVE-2018-4124, and unofficially as “one character to crash your iPhone”, or “the Telugu bug”.

  • Telugu is a widely-spoken Indian language with a writing style that is good news for humans, but surprisingly tricky for computers.
  • Computers can store and reproduce English words really easily, because there are only 26 symbols (if you ignore lower-case letters, the hyphen and that annoying little dingleberry thing called the apostrophe that our written language could so easily do without).
  • Many languages use a written form in which each character is made up of a combination of components that denote how to pronounce it, typically starting with a basic sound and indicating the various modifications that should be applied to it.
  • In English, each left-arrow or right-arrow simply moves you one character along in the current line, and one byte along in the current ASCII string, but what if there are four different sub-characters stored in memory to represent the next character that’s displayed?
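The gap between bytes, stored code points and displayed characters that the points above describe, as an added example (not code from the article or from Apple). The sample word and the rule "a code point of category M attaches to the preceding base" are assumptions made here; full segmentation follows Unicode UAX #29.

```python
import unicodedata

# Constructed sample: the word "Telugu" written in Telugu script.
SAMPLE = "\u0c24\u0c46\u0c32\u0c41\u0c17\u0c41"


def clusters(text):
    """Group each base code point with the combining marks that follow it.

    Simplification (assumption): a mark is any code point whose general
    category starts with "M". Real text engines apply the UAX #29 rules.
    """
    out = []
    for ch in text:
        if out and unicodedata.category(ch).startswith("M"):
            out[-1] += ch          # sub-character of the previous cluster
        else:
            out.append(ch)         # new displayed character starts here
    return out


def cursor_right(text, pos):
    """Return the code point index just past the displayed character at pos.

    A position inside a cluster snaps to that cluster's end, so the cursor
    never lands between a base letter and its vowel sign.
    """
    end = 0
    for cluster in clusters(text):
        end += len(cluster)
        if end > pos:
            return end
    return len(text)               # already at or past the end of the line


def measure(text):
    """Size of the same string as seen by three different layers."""
    return {
        "utf8_bytes": len(text.encode("utf-8")),
        "code_points": len(text),
        "displayed": len(clusters(text)),
    }


if __name__ == "__main__":
    print(measure("Mac"), measure(SAMPLE))
```

For the ASCII string all three numbers agree, which is why byte-wise cursor logic appears to work until it meets text like the sample.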

For your iPhone, you’ll be updating to iOS 11.2.6; for your Mac, you need the macOS High Sierra 10.13.3 Supplemental Update.

Top 5 Security links