In recent years, Apple has been heavily criticized for the security implications of their market centralization and policy of irreversible operating system updates. Mobile device users are strongly pressured to install packaged iOS upgrades that cannot be rolled back. While this practice greatly increases security for most users, there is an inherent danger to this centralization.
Every flaw or weakness leaves over 100 million Apple device users vulnerable to exploitation for illegal purposes. The most recent iPhone bug (CVE-2018-4124) has been wreaking havoc due to unexpected behavior when the operating system attempts to display a particular sequence of characters from the Telugu script, a language of India.
Any application that attempts to display the sequence on an iOS device crashes instantly, and cannot recover until the offending text is removed. The entire device crashes and restarts if the sequence triggers the bug in a component of the operating system such as SpringBoard (the process that draws the home screen and notifications). This can result in an endless bootloop that can only be halted by a Device Firmware Update (DFU) restore, which causes the loss of all data.
Unfortunately, this frustrating bug extends beyond the iPhone; users have reported the same flaw in other devices such as iPads, the Apple Watch, and Mac computers. It is remarkable that a company with Apple's resources overlooked such a widespread bug that affects their entire product line.
The ZWNJ (Zero Width Non-Joiner, U+200C) separator used in the jñā symbol is an invisible ("non-printing") character that slightly changes the appearance of the letters on either side. Some two-letter combinations are connected by a "ligature" between the characters.
If a ZWNJ is placed between the letters, the characters will be printed separately. This subtle visual modification typically does not change the meaning of the letters or word.
The following image shows a phrase featuring two frequently-connected letter combinations (“Th” and “fi”) displayed with a ligature (top) and separated by a ZWNJ (bottom).
When a symbol is composed from several characters, memory must be allocated for each component. In this case, to display జ్ఞా the device must load five code points: జ, ్ (the virama), ఞ, ZWNJ, and ా.
Incorrect handling of the ZWNJ separator while combining the characters seems to be the cause of the Telugu bug. The symbol buffer in iOS returns a null pointer to the application instead of a pointer to correctly allocated memory. When the application then tries to read from a memory location that does not exist, the kernel detects the invalid access (reported in crash logs as EXC_BAD_ACCESS) and terminates the process rather than let it continue with corrupted state.
Thus, the attempt to combine the separate Telugu characters into a single symbol results in the unrecoverable error:
The offending process is stopped abruptly so that the corrupted state stays confined to that process: process isolation keeps a userland crash from touching the core of the operating system, the kind of corruption that could otherwise "brick" the device, rendering it useless and unable to restore even from DFU mode.
This emergency halt occurs every time the system tries to display జ్ఞా with the ZWNJ. It does not mean that every ZWNJ character is a potential crash; the trigger is this specific combination of characters. If the sequence has to be rendered by a system process such as SpringBoard, the kernel kills that process exactly as it would any other application, since the core of iOS takes precedence over any single process. Because SpringBoard is relaunched and immediately tries to render the same content again (a notification, for example), the device keeps crashing and restarting, which is the bootloop described above.
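The following added example (not code from the original article or from Apple) makes the decomposition above concrete and shows what a messaging service or app could have done while waiting for the patch: it breaks the string into its five code points, detects the sequence, and strips the ZWNJ so the cluster renders with its normal ligature. The exact sequence is the one the article decomposes (U+0C1C U+0C4D U+0C1E U+200C U+0C3E). The broader pattern (any Telugu consonant, virama, consonant, ZWNJ, vowel sign) and the Telugu block ranges it uses are assumptions: the article documents only the జ్ఞా case, and the pattern deliberately over-approximates it so a filter errs on the side of caution. The sample messages are constructed.

```python
import re
import unicodedata

ZWNJ = "\u200c"  # ZERO WIDTH NON-JOINER, invisible in rendered text

# The sequence the article decomposes: JA + VIRAMA + NYA + ZWNJ + vowel sign AA.
# Built from escapes so the crash string never appears literally in the source.
TELUGU_CRASH_SEQUENCE = "\u0c1c\u0c4d\u0c1e\u200c\u0c3e"

# Telugu block ranges used by the broad filter (assumption, from the Unicode chart):
#   consonants       U+0C15..U+0C39 and U+0C58..U+0C5A
#   virama           U+0C4D
#   dependent vowels U+0C3E..U+0C4C
TELUGU_CONSONANT = "[\u0c15-\u0c39\u0c58-\u0c5a]"
TELUGU_VIRAMA = "\u0c4d"
TELUGU_VOWEL_SIGN = "[\u0c3e-\u0c4c]"

# Broad structural pattern: consonant, virama, consonant, ZWNJ, vowel sign.
# Over-approximates the single documented case on purpose.
BROAD_PATTERN = re.compile(
    TELUGU_CONSONANT + TELUGU_VIRAMA + TELUGU_CONSONANT + ZWNJ + TELUGU_VOWEL_SIGN
)


def decompose(text):
    """Return (code point, Unicode name) pairs for every code point in text."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")) for ch in text]


def contains_crash_sequence(text):
    """Exact check for the sequence documented in the article."""
    return TELUGU_CRASH_SEQUENCE in text


def find_suspicious(text):
    """Every cluster matching the broad consonant+virama+consonant+ZWNJ+vowel pattern."""
    return [m.group(0) for m in BROAD_PATTERN.finditer(text)]


def strip_zwnj_from_clusters(text):
    """Remove the ZWNJ only inside matched clusters; other text is left untouched."""
    return BROAD_PATTERN.sub(lambda m: m.group(0).replace(ZWNJ, ""), text)


def zwnj_survives_normalization(text):
    """Unicode normalization is not a fix: ZWNJ has no decomposition and is kept by NFC."""
    return ZWNJ in unicodedata.normalize("NFC", text)


def scan_messages(messages):
    """Return the indexes of messages that would need sanitizing before delivery."""
    return [i for i, msg in enumerate(messages) if find_suspicious(msg)]


# Constructed sample inbox: one clean Telugu cluster, one carrying the ZWNJ.
SAMPLE_MESSAGES = [
    "hello world",
    "\u0c1c\u0c4d\u0c1e\u0c3e",          # same cluster, no ZWNJ: renders as a ligature
    "look at this: " + TELUGU_CRASH_SEQUENCE,
]

if __name__ == "__main__":
    for cp, name in decompose(TELUGU_CRASH_SEQUENCE):
        print(cp, name)
    print("flagged messages:", scan_messages(SAMPLE_MESSAGES))
    print("sanitized:", decompose(strip_zwnj_from_clusters(TELUGU_CRASH_SEQUENCE)))
```

The point of the last helper is the one practitioners missed at the time: running the text through NFC or NFKC does not remove U+200C, so a sanitizer has to target the ZWNJ inside the cluster explicitly.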
Apple quickly released a patch for this issue with iOS update 11.2.6 for iPhones and iPads. Notably, this is not the first time that Apple products have been afflicted with glitches caused by peculiar Unicode symbols. This is somewhat ironic, since Apple was one of the early leaders for implementation and standardization through Unicode.
Many Apple operating systems (iOS, macOS, watchOS) share the same core, which includes the kernel and key components of the system, such as the text-rendering engine that displays fonts and icons. Consequently, vulnerabilities such as the Telugu bug are shared across the whole family of products.
Another misstep for Apple? Is this umpteenth mistake another consequence of the company’s prioritization of resources toward marketing instead of engineering and development?
English translation by Mitchell P. Krawiec-Thayer based on Italian article written by SerHack