Unicode bug

from Wikipedia, the free encyclopedia

A Unicode bug (also known as “Unicode of Death” or by bug-specific names) is a bug in which a computer system or mobile device, or the software or apps running on it, crashes or otherwise misbehaves simply because certain Unicode sequences are entered or received.

Error mechanism and remedy

Some operating systems and application programs predate Unicode. These systems were therefore originally developed for the ASCII character set, and support for Unicode was only introduced in later versions. For example, Microsoft introduced Unicode support for its operating systems in 1993 with Windows NT, but it included functions and libraries from the older OS/2 and MS-DOS operating systems. Because the supported character set extends through all layers of a system (compare the layers of the OSI model), retrofitting Unicode support can lead to undesirable effects and security vulnerabilities.

Another systematic source of error is the continued development of Unicode, with which some operating systems and application programs do not keep pace, even if they were developed natively for Unicode. Originally a Unicode character in UTF-16 could only consist of 2 bytes; since Unicode 3.1 it can be 2 or 4 bytes, depending on the character. The introduction of new control characters (e.g. right-to-left control characters) can also lead to unexpected behavior.
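The 2-or-4-byte point is where code written for the original fixed-width assumption goes wrong: a 4-byte character is a surrogate pair, and a parser has to check that both halves are present before treating them as one character. The following C sketch is an added example, not code from any of the affected products; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Combine a valid surrogate pair into the code point it encodes. */
uint32_t utf16_combine(uint16_t hi, uint16_t lo)
{
    return 0x10000u + (((uint32_t)hi - 0xD800u) << 10) + ((uint32_t)lo - 0xDC00u);
}

/* Count the code points in a UTF-16 buffer of n 16-bit units.
 * Returns 0 and stores the count in *out, or -1 if a surrogate is
 * unpaired (including a high surrogate cut off at the buffer end). */
int utf16_count_codepoints(const uint16_t *units, size_t n, size_t *out)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t u = units[i];
        if (u >= 0xD800 && u <= 0xDBFF) {            /* high surrogate */
            if (i + 1 >= n)
                return -1;                           /* pair runs past the buffer */
            if (units[i + 1] < 0xDC00 || units[i + 1] > 0xDFFF)
                return -1;                           /* not followed by a low half */
            i++;                                     /* the pair is one character */
        } else if (u >= 0xDC00 && u <= 0xDFFF) {
            return -1;                               /* low surrogate on its own */
        }
        count++;
    }
    *out = count;
    return 0;
}

int main(void)
{
    /* Constructed sample: "A" followed by U+1F600 as a surrogate pair. */
    const uint16_t sample[] = { 0x0041, 0xD83D, 0xDE00 };
    size_t chars = 0;
    if (utf16_count_codepoints(sample, 3, &chars) == 0)
        printf("3 units (6 bytes), %zu characters\n", chars);
    return 0;
}
```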

There are big differences in the support of different encodings such as UTF-8 and UTF-16. Software developed only for UTF-8 will exhibit undesirable behavior when receiving UTF-16 messages and vice versa.

The actual error mechanism (or the security vulnerability) differs depending on the bug and the affected system. What the bugs have in common is that merely receiving or displaying a Unicode sequence leads to incorrect behavior. The vulnerable component is therefore the module that displays the Unicode text (e.g. a browser's rendering engine) or forwards it. There is a "crossover" from the display of text to the behavior of the system, i.e. the characters to be displayed become program instructions (as with "IPP Integer Overflow") or at least lead to infinite loops that cause the system to crash (as with "Black Dot").

There is no universal antidote to Unicode bugs. As with computer viruses, the protection starts with the affected system itself, which should be updated with a patch. The spread of the error-triggering Unicode sequences can also be hindered, as Facebook did with the “Effective Power” bug.

Known Unicode bugs

The following chronological list gives examples.

"IPP Integer Overflow Exploit" on Microsoft IIS (2000)

The "IPP Integer Overflow Exploit" (also "IPP Buffer Overrun Vulnerability") occurred with the Internet Printing Protocol (IPP), as implemented by Microsoft as ISAPI in Microsoft Internet Information Services (IIS). The bug was first published in October 2000. In October 2001 the FBI, in cooperation with the System Administration, Networking, and Security (SANS) institute, put the bug under the name "Unicode Vulnerability (Web Server folder traversal)" in second place among the Windows-specific security holes, ranked according to danger. The bug has been fixed as of IIS version 6.

The exploit relies on the buffer being sized differently for ASCII and Unicode. The exploited error is in the implementation of IPP, not in the IIS server itself. The buffer overflow attack allows program code of the attacker's choosing to be executed on the web server. The code can have local security rights that allow unrestricted access. The attack can also take the form of Denial of Service (DoS) by starting a large number of processes on the attacked IIS server that do not terminate. This uses up the resources of the attacked system.
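The general coding error behind an ASCII/Unicode size mismatch is a length check that compares a character count with a buffer size in bytes. The C sketch below is an added illustration of that class of error and of the corrected check; it is not the IIS or IPP code, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak check: compares a character count with a size in bytes. */
int fits_weak(size_t dst_bytes, size_t src_chars)
{
    return src_chars < dst_bytes;
}

/* Corrected check: convert the byte size to a capacity in 16-bit units. */
int fits_checked(size_t dst_bytes, size_t src_chars)
{
    return src_chars < dst_bytes / sizeof(uint16_t);
}

/* Widen an ASCII string into a UTF-16 buffer whose size is given in bytes.
 * Returns the number of characters written, or -1 if the input does not
 * fit (terminator included) or contains a non-ASCII byte. */
int widen_ascii(uint16_t *dst, size_t dst_bytes, const char *src)
{
    size_t len = strlen(src);
    if (!fits_checked(dst_bytes, len))
        return -1;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)src[i] > 0x7F)
            return -1;                    /* validate before writing anything */
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)src[i];
    dst[len] = 0;
    return (int)len;
}

int main(void)
{
    uint16_t buf[8];                      /* 16 bytes, 8 characters */
    const char *input = "twelve chars";   /* constructed sample, 12 characters */
    printf("weak=%d checked=%d copied=%d\n",
           fits_weak(sizeof buf, strlen(input)),
           fits_checked(sizeof buf, strlen(input)),
           widen_ascii(buf, sizeof buf, input));
    return 0;
}
```

The weak check accepts the 12-character input for an 8-character buffer because `sizeof buf` is 16; the checked version rejects it before any byte is written.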

"Unicode of Death" on Apple iOS (2013)

In August 2013, a bug known as “Unicode of Death” occurred under iOS 6 and OS X 10.8 (“Mountain Lion”). Apple fixed the bug as of iOS 7 and OS X 10.9 ("Mavericks"). The malfunction is triggered when the CoreText component is supposed to display a special Unicode sequence of five 16-bit characters. The kernel reacts to the stack overflow by closing the relevant program (messaging app, web browser). From the user's point of view, this looks like an unprovoked crash of the program in question.

"Effective Power" on Apple iOS (2015)

The Effective Power bug (also referred to as "Unicode of Death" based on earlier incidents) appeared on Apple iOS devices such as the iPhone or iPad from May 2015. The triggering string, 75 characters in length, consisted among other things of the text “effective. Power” and Arabic characters. The bug was in Apple's Core Text API, which is responsible for text display and fonts. After the problem became known at the end of May 2015, the character string spread in messenger programs.

Due to the bug, it was sometimes not possible to restart a program that shows the triggering character string on the start screen. As a temporary solution, Apple recommended deleting the relevant message with the help of Siri, since Siri only works with voice control and without displaying the character string. The recurrence of the problem could then be remedied by generally turning off the display of notifications in the affected apps. Apple announced a bug fix in the upcoming software update at the end of May 2015. From the beginning of June 2015, the display of the character string was suppressed in Facebook Messenger.

"Single Unicode Symbol" on Apple iOS (2018)

In February 2018, a bug became known that affects iPhones up to version iOS 11.2.5 and MacBooks with OS 10.13 ("High Sierra"). The bug causes Mail, Twitter and Chrome to crash; sometimes a reinstallation is required. Unlike most other Unicode input bugs, this bug only requires a single symbol and has been reported, among others, with a symbol made up of letters from the Indian language Telugu.

"Black Dot" on Apple iOS and Android (2018)

The Black Dot bug took effect on iPhones and iPads with iOS 10 or 11 from May 2018 onwards. A certain string of characters crashed the native messaging app. The string had to contain certain emojis, among others a black dot and a hand.

The bug was first published in May 2018 and occurs on Android devices. The message only seems to consist of a black dot, which gave the bug its name. However, the triggering messages also contain invisible text. This text exploits a vulnerability of the Android text display engine and uses symbols that control the display direction of the text (left-to-right or right-to-left).
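A service that relays messages can look for such invisible direction controls before forwarding text, in the spirit of the filtering mentioned under "Error mechanism and remedy". The C sketch below is an added example, not code from any vendor: it counts characters with the Unicode Bidi_Control property in UTF-8 input, and the quarantine limit is an assumed policy value.

```c
#include <stddef.h>
#include <stdio.h>

/* Code points with the Unicode Bidi_Control property. */
static int is_bidi_control(unsigned long cp)
{
    return cp == 0x061C || cp == 0x200E || cp == 0x200F ||
           (cp >= 0x202A && cp <= 0x202E) || (cp >= 0x2066 && cp <= 0x2069);
}

/* Count bidi controls in n bytes of UTF-8. Returns -1 if a sequence is
 * truncated or structurally malformed (overlong forms are not checked). */
long count_bidi_controls(const unsigned char *s, size_t n)
{
    long hits = 0;
    for (size_t i = 0; i < n; ) {
        unsigned long cp;
        size_t extra;
        if (s[i] < 0x80)                { cp = s[i];        extra = 0; }
        else if ((s[i] & 0xE0) == 0xC0) { cp = s[i] & 0x1F; extra = 1; }
        else if ((s[i] & 0xF0) == 0xE0) { cp = s[i] & 0x0F; extra = 2; }
        else if ((s[i] & 0xF8) == 0xF0) { cp = s[i] & 0x07; extra = 3; }
        else return -1;                 /* stray continuation or invalid lead */
        if (extra > n - i - 1) return -1;   /* sequence runs past the buffer */
        for (size_t k = 1; k <= extra; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return -1;
            cp = (cp << 6) | (s[i + k] & 0x3Fu);
        }
        hits += is_bidi_control(cp);
        i += extra + 1;
    }
    return hits;
}

/* Hold back a message that is malformed or exceeds the allowed count. */
int should_quarantine(const unsigned char *s, size_t n, long limit)
{
    long hits = count_bidi_controls(s, n);
    return hits < 0 || hits > limit;
}

int main(void)
{
    /* Constructed sample: "a", U+200F, U+200E, U+202E, "b". */
    const unsigned char msg[] = "a\xE2\x80\x8F\xE2\x80\x8E\xE2\x80\xAE" "b";
    printf("bidi controls: %ld\n", count_bidi_controls(msg, sizeof msg - 1));
    return 0;
}
```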
