Apple Rushes Fix for Latest ‘Text Bomb’ Bug As Abuse Spreads

Apple said it is working on a fix for the latest text bomb bug that crashes a number of iOS and Mac apps that display specific Telugu language characters.
The bug, first reported by Italian Blog Mobile World, impacts a wide range of Apple apps running on iOS and macOS. While some iPhone users are reporting system crashes, others are reporting cases where the specially crafted message disables access to Apple’s iMessage and other apps such as WhatsApp, Facebook Messenger, Outlook and Gmail running on the latest version of Apple’s operating system (iOS 11.2.5).

Apple declined to comment, however confirmed to Threatpost a fix would be available soon and that publicly available beta versions of iOS, tvOS, macOS and watchOS are not impacted by the bug.
This most recent text bomb bug is triggered when someone sends two Unicode symbols using the Indian language (Telugu) characters to iOS and macOS apps using Apple’s default San Francisco font. When the message is received Apple’s home screen manager called Springboard hiccups resulting in apps freezing. In other reported instances devices crash and require a restart. In many cases, users can’t reopen affected apps and are forced to delete and reinstall the affected application.
Knowledge of the bug has motivated a wide range of malicious or prank attacks on Twitter. According reports, not only are some sending Telugu text bomb’s as private messages, but also using social media platforms such as Twitter.
“A Twitter user with the symbol in their screenname ‘liked’ one of my tweets late on Thursday night. Shortly after the notification popped into my feed, my Twitter app on iOS became briefly unresponsive before crashing,” described Motherboard contributor Joseph Cox in post Thursday.
In addition, Cox pointed out a post by security researcher Darren Martyn that showed how people could crash Apple’s networking application simply by putting the symbol in the name to the Wi-Fi network.

Apple is no stranger to text bombs. In January, Apple dealt with a similar iOS headache tied to a specific URL. In that case, when the URL (iabem97[.]github[.]io/chaiOS/) was sent to the iPhone, iPad or Mac’s Messages app it brought it to a grinding halt. In 2016, another malicious URL crashed iPhones and the Safari browser.
The flaw was reported to Open Radar, an Apple community bug reporting site, on Monday. According to the report, impacted Apple operating systems include iOS, MacOS and watchOS.

Intel Expands Bug Bounty Program Post-Spectre and Meltdown

In the wake of the Spectre and Meltdown bugs, Intel has rolled out a significant expansion of its bug bounty program.
Intel first launched the program in March 2017. The big changes include a shift from an invitation-only format to one that is open to all security researchers. One key addition is a program for side-channel vulnerabilities, which are associated with the Spectre and Meltdown vulnerabilities.

Both vulnerabilities, which were first publicized in January, are at the CPU level.
Spectre impacts a wide range of CPUs from Intel, AMD and other makers, while Meltdown affects Intel processors. Meltdown breaks the security boundaries between a device’s operating system and applications, allowing an attacker to read information in the latter. Spectre inhibits the memory isolation between applications, and is considered by researchers to be more difficult to exploit.
Intel’s new program for side-channel vulnerabilities is valid through Dec. 31. Reports on side-channel bugs rated between 9.0 and 10.0 on the (CVSS) Common Vulnerability Scoring System scale will pay out up to $250,000. Vulnerabilities rated between 7.0 and 8.9 will carry a bounty of as much as $100,000. Below the 7.0 threshold, awards max out at $20,000.
“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge,” said Rick Echevarria, VP and GM of platform security, in a blog post.
Since Spectre and Meltdown were disclosed last month, it has struggled to issue effective patches for the vulnerabilities. In one case, it asked customers to stop applying patches because the fixes caused excessive system reboot and other problems.
To that end, the scope of Intel’s proposed awards in the bug bounty program may underscore how serious the company believes the vulnerabilities are.
As context, Google only recently introduced a bug bounty program for the Play store, initially offering $1,000 per RCE vulnerability and raising that potential reward to up to $5,000 earlier this month.
Intel is partnering with HackerOne on its bug bounty program. In June, HackerOne said the average bounty payout in 2016 was $1,923, a rise of 16 percent over the previous year.

Facebook told to stop stalking Belgians or face fines of €250k – a day

Facebook has been told to stop tracking Belgian citizens' online habits, and to delete all the data it holds on them, or it could be fined up to €100m.
The Brussels Court of First Instance today ruled that Facebook doesn't provide users with enough information on what data it gathers on people's web use or how long that data is retained.

Advertisement

The case, brought by the Belgian Privacy Commission, asked the court to consider the information that Facebook collects about web browsing.
It focuses on the cookies, social plug-ins – such as the "like" or "share" buttons – and invisible pixels that litter the internet, and how Facebook uses them to collect information on their browsing behaviour.
The ruling is the second major case Facebook has lost this week, after a German court ruled the biz hadn't done enough to alert people to the pre-ticked privacy settings on its mobile app.
However, the Belgian judgment comes with a hefty fine that could see the biz paying out more than €100m if it doesn't get its act in line with the country's privacy laws.
According to Belgian site Bruzz, Anouk Devenyns, the press judge at the court, said: "Facebook does not inform us enough about the fact that it collects information about us, about the nature of the information it collects about us, about what it does with that information and about how long it stores that information."
Devenyns added that it "does not get a valid permission to collect and process all that information".
The Zuckerborg has now been told to stop tracking and registering users' browsing habits until it complies with Belgian privacy laws, and that it must delete all the personal data the court deems it has collected illegally.
If it doesn't, the court has said it could be fined €250,000 a day, with a maximum of €100m, according to Bruzz.
Philippe De Backer said on Twitter that this was a "victory for privacy" and that it was now clear that companies must stop tracking people online.

Facebook, however, said that it was "disappointed" with the verdict and would appeal.
"Over recent years we have worked hard to help people understand how we use cookies to keep Facebook secure and show them relevant content," said Richard Allan, veep of public policy in EMEA.

Advertisement

"The cookies and pixels we use are industry-standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU.
"We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads."