Apple Preps ChaiOS iMessage Bug Fix for Next Week

A so-called ‘text bomb’ flaw in Apple’s iPhone and Mac computers that causes devices to crash or restart will be patched next week, according to multiple sources.

UPDATE

The so-called ChaiOS message bug identified this week in Apple iOS devices will receive a fix with the rollout of the update for iOS 11.2.5, expected next week.

The update will address a flaw software developer Abraham Masri publicly identified in a tweet earlier this week, according to multiple published reports. The flaw causes the iMessage app on iOS devices to freeze, crash or restart.

Macs are also affected. A macOS High Sierra 10.13.3 update is expected later this month to fix the flaw.

Apple confirmed to Threatpost an iOS software fix would be available next week. Apple didn’t divulge specifics on the fix, however news site WCCFTECH  and others confirm that iOS 11.2.5 Beta 6, released late Wednesday, fixes the bug.

The ChaiOS message bug, also called a “text bomb” flaw, made headlines Tuesday when Masri posted a hyperlink to code on his GitHub repository that activated the flaw. Recipients receiving messages via the iMessage app containing the link to the malicious code hosted on GitHub reported devices freezing and in some cases crashing. Recipients only needed to receive the malicious messages for the flaw to work, clicking on the link wasn’t required.

Meanwhile, Mac users reported the bug made their Safari browser crash or causes systems to slowdown.

https://twitter.com/cheesecakeufo/status/953401511429726210

Since the initial report, Masri has removed the malicious code from his GitHub repository, but there is concern the code may be reposted elsewhere.

The bug’s impact on systems appears to be mostly a nuisance, with no reported side effects other than system freezes, crashes and restarts. Recipients of the malicious hyperlink need to quit the iMessaging app and delete the conversation to correct the problem.

According to Masri, the flaw takes advantage of Apple software developer guidelines that allowed a programmer to insert extra characters into a website’s HTML in order to customize the thumbnail image and title associated with hyperlink previews seen inside the iMessage app.

Masri was able to create iMessage “text bombs” by inputting hundreds of thousands of characters into a webpage’s metadata instead of just a few. That overloaded the app and caused iOS and MacOS to generate the multiple errors.

(This story was updated 1/19/18 at 2:30 pm ET to include Apple’s confirmation of a software fix.)

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.