Thursday, August 29, 2013

Bug In Apple's CoreText Allows Specific String Of Characters To Crash iOS 6, OS X 10.8 Apps




TechCrunch








A bug in Apple’s CoreText rendering engine in iOS 6 and OS X 10.8 causes any apps that try to render a string of Arabic characters to crash on sight. The string of characters which can trigger the bug — which was discovered yesterday and has spread around the hacking and coding community — has made its way to Twitter, where even looking at it in your timeline will crash the app.


The issue affects apps on iOS 6 and OS X 10.8 but does not work on OS X 10.9 Mavericks and iOS 7 beta releases. So whatever bug the characters are triggering, it has already been fixed in future releases of the engine. This doesn’t help anyone still on iOS 6, of course.


Because it’s a CoreText bug, any apps that access this font framework to render text are affected. This means that any apps that use WebKit like Safari are also affected because WebKit uses CoreText.


This is a picture of the string of characters, not replicated here for obvious reasons:



If you’d care to experience the bug for yourself, feel free to seek out the tweet in the pic above; I’m not posting a link. For the record: Tweetbot appears to be immune to this, though it also uses the CoreText engine.


The characters were discovered and posted on a Russian site yesterday morning. The site claims that Apple has known about the problem for ‘six months’ and has not reacted. The posting includes a request to click the crash report button on any apps affected and report it to Apple.


The malicious possibilities are simple: if you send the characters in an SMS, it can initiate a revolving crash of Messages on both OS X and iOS. We confirmed this on both operating systems. You can also deliver the string of text via a web link.


Even worse, you can change the name of a wireless network to the characters and it will crash any device that scans that network to connect.



The Facebook team has already caught onto the bug and will no longer allow you to post this particular string to its site. An error message is presented alerting you that your post contains a security vulnerability.


We’ve reached out to Apple about the bug and will update this post if we receive a response.


More to follow…















Facebook Updates Its Policy Documents Regarding How It Uses And Shares Your Data




Today Facebook proposed a raft of changes to its Statement of Rights and Responsibilities and Data-Use Policies, two separate documents that govern the way the company handles advertising, user data, and third-party retention of that data.


The updates are “proposals,” Facebook tells me, and so they will accept and review comments on them from its user community. However, I doubt that the company is up for much iteration. As its Chief Privacy Officer Erin Egan noted in a short statement, Facebook is “proposing this update as part of a settlement in a court case relating to advertising.”


The proposals are broad and varied, so we have some ground to cover:


Ads


The rewritten section about ads is clear: “You give us permission to use your name, profile picture, content, and information in connection with commercial, sponsored, or related content.” In other words, Facebook can use anything you have uploaded in its advertising algorithms and systems.


This is neither surprising nor out of bounds. That Facebook would employ public information supplied by its users to generate revenue is hardly evil. Importantly, Facebook will respect your privacy choices in how it uses your content: “If you have selected a specific audience for your content or information, we will respect your choice when we use it.” Good.


Legal


Another change to the rules will be of interest to the litigious among you: Legal action against Facebook is now limited to the U.S. District Court for the Northern District of California, or in a state court “located in San Mateo County.” The prior set of rules demanded a Santa Clara court, but the company moved its headquarters, thus requiring the change.


Data Usage


Facebook changed its data-usage rules, as well. The company now claims the right to know what sort of computer or other device you are using. So, it can tell if you are on Android or the like. This is somewhat innocuous, though Facebook does retain the right to — and this is not new — “get your GPS or other location information so we can tell you if any of your friends are nearby.” Big Facebook. That buzzing on your phone is your friend checking into the bar a block away.


Sharing Your Data


Facebook also claims the right to share your public information with others: “We may enable access to public information that has been shared through our services, or allow service providers to access information so they can help us provide service.” In other words, Facebook can vend your public information to others. Lock down whatever you really don’t want out there, folks.


Data Retention by Third Parties


When you sign up for an application, it requests access to your information, perhaps your email address or other datum. It can store that information if it wants, on its own servers, and keep it, even if you have deleted the application itself from Facebook.


Thus, what you provide to an application at the start you should presume to be theirs in perpetuity. When you delete an application, the connection is severed, but their copy — provided that they made one — remains. You can directly reach out to the company and request that your information be deleted.


However, provided that the terms of service of the third-party app or game don’t require them to do so, I don’t see how you have much standing as a single user. That information is therefore in their hands. Facebook has stern rules about how that data can be used, it should be noted. I think the language is strong. Still, I have a slight frown about this. I had never given the issue much thought, and honestly thought that applications merely accessed my information via my permission from Facebook itself — that the data was always on Facebook’s side. That is not the case.


Reason to stop using Facebook? That’s your call. Reason to stop downloading every dating app on Friday night after a few too many gin and tonics and granting them all rights to just about your entire Facebook data set? Yeah, probably.



The changes confirm that Facebook wants to use your data as much as possible to generate advertising income, and that other parties want as much access to your data as possible. If you feel a creeping sensation on the back of your neck, recall that privacy is evolving, and what coolly irks you today is something that would have made you hopping mad five years ago. Our tolerance for sharing is constantly expanding, not receding.


A section-by-section teardown of the changes can be found here in case you want to get into the weeds.


Top Image Credit: Acid Pix











