CoreText exploit analyzed

An analysis has been conducted on the recently-uncovered CoreText exploit, to determine exactly how it worked. The exploit crashed apps when malicious text messages and emails were opened on iOS devices and Macs. The root cause is a negative string length, according to The Register.

Apple's CoreText rendering system uses signed integers to pass around array indexes and string lengths. A negative length, -1, is passed unchecked to a library function whose parameter is an unsigned long integer, so -1 becomes the largest representable unsigned value, and that value is used to set the bounds of an array. This causes the library to attempt to read far beyond the end of the array and into unallocated memory, triggering a fatal exception.
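As an added example (not Apple's code and not taken from The Register's analysis), the following C program models the signed-to-unsigned boundary described above: a signed length of -1 converted to an unsigned long, and the bounds check that should have rejected it before the conversion. The function names (unchecked_bound, would_overread, checked_length, count_units_checked) and the sample_units buffer are hypothetical stand-ins, not CoreText APIs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Added example (not Apple's code). Models the CoreText bug: a signed
 * length reaches a routine whose parameter is unsigned long. All names
 * below are hypothetical stand-ins for the real CoreText call.
 */

/* The implicit conversion at the call boundary: no check, -1 wraps to ULONG_MAX. */
static unsigned long unchecked_bound(long signed_len)
{
    return (unsigned long)signed_len;
}

/* Would a loop bounded by the converted value run past a buffer of `capacity` units? */
static bool would_overread(long signed_len, size_t capacity)
{
    return unchecked_bound(signed_len) > (unsigned long)capacity;
}

/* Hardened boundary: validate the signed value before it is ever used as a size. */
static bool checked_length(long signed_len, size_t capacity, size_t *out)
{
    if (signed_len < 0)
        return false;                          /* negative length: reject */
    if ((unsigned long)signed_len > (unsigned long)capacity)
        return false;                          /* beyond the buffer: reject */
    *out = (size_t)signed_len;
    return true;
}

/* Stand-in for a rendering routine: counts non-NUL UTF-16 code units within
 * a validated range. Returns -1 when the requested length is rejected. */
static long count_units_checked(const uint16_t *units, size_t capacity, long signed_len)
{
    size_t n;
    if (!checked_length(signed_len, capacity, &n))
        return -1;
    long count = 0;
    for (size_t i = 0; i < n; i++)
        if (units[i] != 0)
            count++;
    return count;
}

/* Constructed sample input: four UTF-16 code units, one of them NUL. */
static const uint16_t sample_units[4] = { 0x0627, 0x0644, 0x0000, 0x0639 };

int main(void)
{
    /* -1 on the signed side is ULONG_MAX on the unsigned side. */
    unsigned long b = unchecked_bound(-1);
    /* With the hardened check, the negative length never reaches the loop. */
    long c = count_units_checked(sample_units, 4, -1);
    return (b == ULONG_MAX && c == -1 && would_overread(-1, 4)) ? 0 : 1;
}
```

The check belongs on the signed side, before the conversion: once -1 has become ULONG_MAX, a comparison against the buffer size still rejects it here, but a loop that simply trusts the converted value as its upper bound has no way to tell the two apart.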

Apple is rumored to have fixed this exploit in both Mavericks and iOS 7. In the meantime, iOS 6 and Mountain Lion users affected by this issue can use the workaround from our own Nick Arnott.

Any of you been bitten by this bug?

Source: The Register