Security News

Apple Releases Security Updates to Patch the Telugu Character Bug

Posted on February 22nd, 2018 by

The Telugu character that could crash your Mac and iPhone.

Apple has released security updates for macOS, iOS, tvOS and watchOS, patching a vulnerability that allowed a specific character in the Telugu language to crash apps.

Also known as CVE-2018-4124, the bug would cause apps to lock up or crash after the Telugu character was encountered on your Mac or iPhone. This could be Messages, Mail, WhatsApp, Skype, or any other app that can receive text, and this includes iOS itself as it parses the character through notifications.

Computers have no problems handling most languages, but some can present a challenge and Telugu is one of them. Paul Ducklin at NakedSecurity described the issue perfectly, saying:

"[M]any languages use a written form in which each character is made up of a combination of components that denote how to pronounce it, typically starting with a basic sound and indicating the various modifications that should be applied to it. [...] That's great when you are reading aloud, but not so great when you're a computer trying to combine a string of Unicode code points into a visual representation of a character for display."

With characters not only showing a letter but also how to pronounce them, some characters can cause issues for computers as the underlying code is more complex. This happened in 2013 and 2015, and again with the recent CVE-2018-4124, and this probably won’t be the last time we see this issue.

Friends pranking each other or folks with malicious intent purposely sticking these characters into emails, text messages or tweets can cause a lot of problems for people. Thankfully Apple jumped on this issue and quickly pushed out a fix.

Here is a breakdown of the updates and where you can install them.

macOS High Sierra 10.13.3 Supplemental Update

The macOS High Sierra 10.13.3 Supplemental Update fixes the issue in which using the Telugu character could cause apps to crash. Available for macOS High Sierra, this update can be downloaded on your Mac from the App Store > Updates tab, or you can download the update directly from Apple's official website by going here. iMac Pro users can download the update from Apple by going here.

While 10.12.6 Sierra and 10.11.6 El Capitan are still supported by Apple in terms of security updates, for whatever reason they did not receive any this week. Fixes for these older operating systems will likely be rolled into the next security update, if in fact these older systems require a fix for this bug.

iOS 11.2.6

iOS 11.2.6 addresses the same Telugu character bug mentioned above. It is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, and can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

watchOS 4.2.3

Apple's watchOS 4.2.3 update also addresses the Telugu combination character that provokes the Apple-crashing bug CVE-2018-4124. watchOS 4.2.3 can be installed by connecting your watch to its charger, and then on your iPhone go to Apple Watch app > My Watch tab > General > Software Update.

tvOS 11.2.6

This leaves us with tvOS 11.2.6, which, you guessed it, also received fixes for the Telugu character bug! This update is only available for Apple TV 4K and Apple TV (4th generation) users. The tvOS update can be downloaded directly from your Apple TV by going to Settings > System > Update Software.

Make sure you sync and backup your Macs and devices before applying these updates, and be sure to install them as soon as possible to mitigate the issues discussed here. Undoubtedly more bugs and vulnerabilities will be discovered in the future, but at least you'll be safe from this one going forward. 🙂

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}