There's a new bug in town, and it's here to crash your Mac and iPhone applications. Posters in a Hacker News thread from late yesterday have discovered that it's possible to crash Web browsers and other apps running on current versions of iOS and OS X by making them render a specific, nonsensical string of Arabic characters. The title of the Hacker News thread implies that the issue is with the WebKit browser engine, but it actually affects any browser or application that uses Apple's CoreText API to render text. Ars Microsoft Editor Peter Bright has taken great pleasure in sending the text string to his co-workers, which has crashed the Limechat IRC client and Adium chat client, among other programs.

Safari crashes in both OS X 10.8.4 and iOS 6.1.3 when it attempts to read the text string, and rendering the string in the current stable release of Chrome prompts the browser's typical "Aw snap!" error page (though Chrome's sandboxing implementation keeps the bug from bringing the whole browser down). Firefox, which uses its own font rendering engine, can display the text just fine. This supports the idea that it's a CoreText issue and not a problem with any particular application.

Some Mac and iOS device users on Twitter were only half joking when labeling the string the "unicode of death." Text messages that display the characters caused some people's iMessage apps to spiral into an extended crash loop, since the string would be displayed each time the user loaded previously sent messages. Many e-mail programs were also felled by the text. It can even be triggered by including the text in the network name of a wireless access point, creating problems for vulnerable devices that encounter the name when a user looks for available connections. Tweets and other social networking dispatches were enough to cause browsers to crash, so within a few hours of the bug becoming public, Facebook was already preventing the characters from being posted to user walls and timelines by displaying the message below.

This translated habrahabr.ru post about the bug claims that the issue has been fixed in both OS X 10.9 and iOS 7, so affected users who also happen to be early adopters of new Apple software should be able to get a fix soon. However, there's no word on whether future updates to iOS 6 or OS X 10.8 will fix the issue for users who can't or don't want to upgrade. That post also implies that Apple has known about the issue for six months, and this tweet from February 19 implies this isn't the first time the issue has been found (that link may crash your browser if you're on iOS or OS X, so proceed with caution).

Security researchers, meanwhile, have been poring over crash dumps like this one for signs that the bug could be used for even more nefarious purposes, such as remotely executing malicious code on a vulnerable device.

"It's unclear whether or not this could be leveraged to accomplish more than crashing the target," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars. "This depends on the degree to which the invalid memory access can be controlled by the attacker input, and whether the access is a read violation (which might be leveraged to leak information about the target process for use in more complex attacks) or a write violation (which might be used to gain arbitrary code execution). But to be absolutely clear, there is no evidence at this time that this can be leveraged for anything more than an application crash."

Unless we learn more, Ars mostly considers this bug a potential inconvenience or annoyance for users of vulnerable devices. That could change if someone figures out how to blast the characters into messages that are consumed by large numbers of Mac and iOS users or if attackers find a way to trigger remote code execution. Again, one option for working around the threat is to use the Firefox browser as much as possible, because it doesn't rely on CoreText for rendering and is unfazed by the exploits.