Apple MacOS X/iOS 以前 OS X 10.9/iOS 7 CoreText API Arabic Characters 拒绝服务

CVSS 元临时分数	当前攻击价格 (≈)	CTI兴趣分数
7.2	$0-$5k	0.00

摘要信息

分类为棘手的漏洞已在Apple MacOS X and iOS中发现。相关的是未知函数，在CoreText API组件中。对作为Arabic Characters的一部分的操作导致拒绝服务。另外，有可用的漏洞利用。建议升级受影响的组件。

分类为棘手的漏洞已在Apple MacOS X and iOS中发现。相关的是未知函数，在CoreText API组件中。对作为Arabic Characters的一部分的操作导致拒绝服务。采用 CWE 描述该问题会链接到 CWE-404。此安全漏洞在 2013-08-28 由adamzegelin 以Rendering bug crashes OS X, iOS apps with string of Arabic characters编号以Posting （网站）公开发布。索取公告的网址是news.ycombinator.com。未与供应商协商即进行了公开发布。披露内容包括：

Some Mac and iOS device users on Twitter were only half joking when labeling the string the "unicode of death."

暂无技术细节。该漏洞的流行度低于平均水平。另外，有可用的漏洞利用。该漏洞的利用方式已向公众披露，存在被利用的风险。目前漏洞的结构决定了可能的价格范围为美元价USD $0-$5k。公告指出：

Security researchers, meanwhile, have been poring over crash dumps like this one for signs that the bug could be used for even more nefarious purposes, such as remotely executing malicious code on a vulnerable device.

如果存在长度，则其被声明为高功能性。该漏洞利用的共享下载地址为：zhovner.com。估计零日攻击的地下价格约为$25k-$100k。公告指出：

Tweets and other social networking dispatches were enough to cause browsers to crash, so within a few hours of the bug becoming public, Facebook was already preventing the characters from being posted to user walls and timelines by displaying [a] message.

升级到版本 OS X 10.9 , iOS 7 可以解决此问题。建议升级受影响的组件。公告包含以下备注：

This translated habrahabr.ru post about the bug claims that the issue has been fixed in both OS X 10.9 and iOS 7, so affected users who also happen to be early adopters of new Apple software should be able to get a fix soon. However, there's no word on whether future updates to iOS 6 or OS X 10.8 will fix the issue for users who can't or don't want to upgrade.