A fix for the ChaiOS bug that lets pranksters freeze iPhones, iPads and Macs by sending a maliciously crafted link as an attachment in a text or iMessage will be delivered next week.
That’s according to an Apple spokesperson who confirmed in a statement Thursday to BuzzFeed News that a fix for this stupid vulnerability “is coming in a software update next week.” As we told you earlier this morning, iOS 11.2.5 beta 6, which was released to developers two days ago, appears to have addressed this annoying vulnerability.
In other words, expect the iOS 11.2.5 and macOS High Sierra 10.13.3 software updates containing a fix for this issue to be pushed to users as early as next week.
iOS developer Abraham Masri highlighted the bug Tuesday afternoon by tweeting a link to the offending attachment, which leads to a GitHub page. Visiting that link in Safari or receiving it as an attachment in an SMS/MMS or iMessage can cause the app to freeze or break.
Even receiving a notification on the Lock screen can cause a brief freeze.
The bug requires no action from you to do damage. It affects iOS versions 10.0 through 11.2.5 beta 5, as well as computers running macOS, and works by overloading Messages with several megabytes of Unicode text consisting mostly of cascading accent marks.
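A receiving-side check for the kind of payload described above (oversized text dominated by stacked accent marks), added here as an illustration: it is not Apple's fix or code from the article, and the thresholds and function names are assumptions.

```python
import unicodedata
from dataclasses import dataclass, field

# Assumed policy values for this sketch; tune them for the text you accept.
MAX_BYTES = 64 * 1024    # size budget for one message or link preview
MAX_STACK = 4            # combining marks allowed on one base character
MAX_MARK_RATIO = 0.5     # share of code points that may be marks

@dataclass
class Verdict:
    size_bytes: int
    longest_stack: int
    mark_ratio: float
    reasons: list = field(default_factory=list)

def is_mark(ch):
    # Mn = nonspacing mark, Me = enclosing mark (accents and similar)
    return unicodedata.category(ch) in ("Mn", "Me")

def inspect(text):
    """Measure size and accent stacking before handing text to a renderer."""
    marks = stack = longest = 0
    for ch in text:
        stack = stack + 1 if is_mark(ch) else 0
        marks += stack > 0
        longest = max(longest, stack)
    v = Verdict(len(text.encode("utf-8")), longest,
                marks / len(text) if text else 0.0)
    if v.size_bytes > MAX_BYTES:
        v.reasons.append("oversized")
    if v.longest_stack > MAX_STACK:
        v.reasons.append("stacked-marks")
    if v.mark_ratio > MAX_MARK_RATIO:
        v.reasons.append("mark-heavy")
    return v

def clamp_marks(text, limit=MAX_STACK):
    """Drop marks beyond `limit` per base character; keep everything else."""
    out, stack = [], 0
    for ch in text:
        stack = stack + 1 if is_mark(ch) else 0
        if stack <= limit:
            out.append(ch)
    return "".join(out)

# Constructed samples: ordinary accented text (decomposed) and a short stack.
BENIGN = unicodedata.normalize("NFD", "Crème brûlée")
STACKED = "a" + "\u0301" * 40 + "b"
```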
GitHub has since removed the offending webpage from its servers. It initially suspended Masri’s account, then restored it a few hours later.
“My intention is not to do bad things,” Masri said.
No, I'm not going to re-upload it. I made my point. Apple needs to take such bugs more seriously.
— Abraham Masri (@cheesecakeufo) January 17, 2018
“My main purpose was to reach out to Apple and say, ‘Hey, you’ve been ignoring my bug reports.’ I always report the bug before releasing something.”
He says ChaiOS is not the first bug he’s alerted Apple about:
“One time, I reported a bug that disables your phone’s display—being able to disable a phone’s display should not be possible. It works on the latest version of iOS and after I sent it to Apple, they said they don’t consider it an issue.”
However, the malicious ChaiOS code has already been reuploaded elsewhere.
As a temporary fix, go to Settings → General → Restrictions, then tap Websites underneath the Allowed Content heading. From there, tap Limit Adult Content and add “GitHub.io” along with any other domains known to host this maliciously crafted code to your Never Allow list.