The so-called ChaiOS message bug identified this week in Apple iOS devices will receive a fix with the rollout of the update for iOS 11.2.5, expected next week.
The update will address a flaw software developer Abraham Masri publicly identified in a tweet earlier this week, according to multiple published reports. The flaw causes the iMessage app on iOS devices to freeze, crash or restart.
Macs are also affected. A macOS High Sierra 10.13.3 update is expected later this month to fix the flaw.
Both Buzzfeed and MacRumors are reporting Apple confirmed an iOS fix would be available next week. While Apple won’t divulge specifics on the fix, news site WCCFTECH and others confirm that iOS 11.2.5 Beta 6, released late Wednesday, fixes the bug.
Apple did not return requests for comment.
The ChaiOS message bug, also called a “text bomb” flaw, made headlines Tuesday when Masri posted a hyperlink to code on his GitHub repository that activated the flaw. Recipients receiving messages via the iMessage app containing the link to the malicious code hosted on GitHub reported devices freezing and in some cases crashing. Recipients only needed to receive the malicious messages for the flaw to work; clicking on the link wasn’t required.
Meanwhile, Mac users reported the bug made their Safari browser crash or caused systems to slow down.
👋 Effective Power is back, baby!
chaiOS bug:
Text the link below, it will freeze the recipient’s device, and possibly restart it. https://t.co/Ln93XN51Kq ⚠️ Do not use it for bad stuff.
—-
thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!
— Abraham Masri (@cheesecakeufo) January 16, 2018
Since the initial report, Masri has removed the malicious code from his GitHub repository, but there is concern the code may be reposted elsewhere.
The bug’s impact on systems appears to be mostly a nuisance, with no reported side effects other than system freezes, crashes and restarts. Recipients of the malicious hyperlink need to quit the iMessage app and delete the conversation to correct the problem.
According to Masri, the flaw takes advantage of Apple software developer guidelines that allowed a programmer to insert extra characters into a website’s HTML in order to customize the thumbnail image and title associated with hyperlink previews seen inside the iMessage app.
Masri was able to create iMessage “text bombs” by inputting hundreds of thousands of characters into a webpage’s metadata instead of just a few. That overloaded the app and caused iOS and macOS to generate multiple errors.
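The general mitigation for this class of flaw is to bound untrusted page metadata before a link preview is rendered. The following is an added example, not code from the article, Masri or Apple; the size caps, the field list and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

MAX_FIELD = 512         # assumed per-field cap in characters, not an Apple value
MAX_INPUT = 65536       # assumed cap on how much of the page is parsed at all
PREVIEW_KEYS = {"og:title", "og:description", "og:image", "description"}

class PreviewMeta(HTMLParser):
    """Collect <title> and preview <meta> values, storing at most MAX_FIELD chars each."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields, self.oversized, self._in_title = {}, set(), False

    def _put(self, key, value, append=False):
        merged = (self.fields.get(key, "") if append else "") + value
        if len(merged) > MAX_FIELD:
            self.oversized.add(key)          # remember which field was abusive
        self.fields[key] = merged[:MAX_FIELD]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            key = (a.get("property") or a.get("name") or "").lower()
            if key in PREVIEW_KEYS and a.get("content") is not None:
                self._put(key, a["content"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:                   # title text may arrive in several chunks
            self._put("title", data, append=True)

def extract_preview(html: str):
    """Return (fields, oversized_keys, input_was_truncated) for a fetched page."""
    parser = PreviewMeta()
    parser.feed(html[:MAX_INPUT])
    parser.close()
    return parser.fields, sorted(parser.oversized), len(html) > MAX_INPUT

# Constructed sample page: one oversized title, otherwise ordinary preview tags.
SAMPLE = ('<html><head><title>' + 'A' * 5000 + '</title>'
          '<meta property="og:title" content="Lunch menu">'
          '<meta property="og:image" content="https://example.invalid/t.png">'
          '</head><body></body></html>')
```

A preview renderer built on this can skip the rich preview and show the bare URL whenever the oversized list is non-empty or the input was truncated.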
Source: ThreatPost