Rendering bug crashes OS X, iOS apps with string of Arabic characters (Updated)

This nonsensical string of Arabic characters renders fine in Firefox, but it crashes any iOS or OS X browser that uses Apple's CoreText API.
Andrew Cunningham

There's a new bug in town, and it's here to crash your Mac and iPhone applications. Posters in a HackerNews thread from late yesterday have discovered that it's possible to crash Web browsers and other apps running on current versions of iOS and OS X by making them render a specific, nonsensical string of Arabic characters. The title of the HackerNews thread implies that the issue is with the WebKit browser engine, but it actually affects any browser or application that uses Apple's CoreText API to render text. Ars Microsoft Editor Peter Bright has taken great pleasure in sending the text string to his co-workers, which has crashed the Limechat IRC client and Adium chat client, among other programs.

Safari crashes in both OS X 10.8.4 and iOS 6.1.3 when it attempts to read the text string, and rendering the string in the current stable release of Chrome prompts the browser's typical "Aw snap!" error page (though Chrome's sandboxing implementation keeps the bug from bringing the whole browser down). Firefox, which uses its own font rendering engine, can display the text just fine. This supports the idea that it's a CoreText issue and not a problem with any particular application.

Some Mac and iOS device users on Twitter were only half joking when labeling the string the "unicode of death." Text messages that display the characters caused some people's iMessage apps to spiral into an extended crash loop, since the string would be displayed each time the user loads previously sent messages. Many e-mail programs were also felled by the text. It can even be triggered by including the text in the network name of a wireless access point, creating problems for vulnerable devices that encounter the name when a user looks for available connections. Tweets and other social networking dispatches were enough to cause browsers to crash, so within a few hours of the bug becoming public, Facebook was already preventing the characters from being posted to user walls and timelines by displaying the message below.

Read 4 remaining paragraphs | Comments