
"It just works." --Apple

While Microsoft Corp. (MSFT) has received much admonishment for its various Windows bugs over the years, it is a dramatic new bug from the brash challenger of the operating system world, Apple, Inc.'s (AAPL) OS X Mountain Lion (10.8.2), which has people talking. The bug is startlingly simple, but it can crash almost any OS X app. All you have to do is type a word and a few characters.

I. Universal Crashes

The forbidden word is "File:///" (case sensitive). Type that in virtually any text input form (be it a notepad, a browser dialogue, a document editor, a calendar appointment, etc.) and the program will die. It appears that similar strings ("fILE:///" or "FILE://aa") can also trigger program crashes. In a bizarre twist, some crashes appear to be dependent on how fast you type certain variants (e.g. "File://" followed by characters). An Open Radar user named "Jonathan" shares a movie he made documenting that bizarre behavior here.

Among the programs confirmed to be affected are Tweetbot, Safari, Chrome, and TextEdit. The problem appears to be tied somehow to some sort of deep-rooted API embedded into OS X (it appears not to be the spell-check API, as the Safari location bar has no spell check but is still affected).

In a particularly hilarious (or awful) failure, typing the problem string into Apple's Crash Reporter UI crashes the Crash Reporter.

Mountain Lion has a big bug. [Image Source: HD Wallpapers]

The bug does not affect OS X Lion (10.7) or Snow Leopard (10.6).

II. A Partial Fix?

A handful of apps, such as the image-editor Gimp, appear to be immune, perhaps because they disable whatever the trouble-making interface is.  Typing the string in these apps will produce no crash.

Some users suggest that going to System Preferences > Language & Text > Text, and unchecking "Correct spelling automatically" and "Use symbol and text substitution" will stop the crashes in some apps. However, commenters say the crashes continue in some programs even after doing that.

One loyal Apple user comments on the bug report:

This is actually a feature. It allows you to shut down all applications before shutting down your Mac:

Crashes Finder if typed into a Finder search field (not Spotlight, though).
Crashes Safari if typed into the URL bar.
Crashes Mail if typed into the search field.
Crashes iTunes when typed into the search field.
Crashes system-generated keychain unlock prompts (typed into the "Name:" field).
Crashes Reminders if typed into the search field.
...

For now the bug is merely "interesting", but it also represents a potential security flaw.  If malicious users start to use it in forms-based attacks, it could become a major headache for OS X users.

Apple for years marketed its products under the slogan "It just works", but has been plagued with software issues of late.  Some blame Tim Cook, Apple's new CEO who replaced the late Steve Jobs, for the slipping quality.  Apple's iOS maps woes drew a large amount of national news coverage late last year.  Tim Cook publicly apologized to his company's fans for the poor showing.

Our Testing:

We confirmed that the bug crashes both Safari and Searchlight. For us, the Crash Reporter did not even come up.

The shell/terminal program in OS X appears to be immune to the crashes.

We'll update if a patch lands.

Sources: "Jonathan", Open Radar


And that is why you sanitize your text input
By elleehswon on 2/4/2013 11:26:16 AM , Rating: 4

I'm not sure whether to laugh or facepalm that app developers' (programmers (that's what they are, programmers)) skill sets are really going down the tubes and have since the introduction of object oriented programming languages. I blame Java for starting this mess (even if the apps were written in some other language). The point being is that programmers, nowadays, are nothing more than Google search bots with a very, very loose understanding of how a program works.

RE: And that is why you sanitize your text input
By daboom06 on 2/4/2013 12:21:14 PM , Rating: 5
it seems to me that the 'problem' of less skilled programmers is actually a feature of a beneficial trend, huge numbers of programmers. easy to use programming languages allow more people to write. it's a numbers game: we need as many people as possible to be able to contribute their creativity. if the number of skilled workers doesn't decrease, then why be angry that most of the new additions to this workforce are idiots? idiots have good ideas sometimes.

By NellyFromMA on 2/4/2013 3:08:58 PM , Rating: 2
LOL, yeah we should just revert back to writing ASSEMBLY. Cause, you know, less is more right?


By elleehswon on 2/4/2013 4:01:20 PM , Rating: 2
if every programmer knew assembly and C, i would imagine things like this would not happen.

By toyotabedzrock on 2/4/2013 8:16:31 PM , Rating: 3
Yes because we all know C is really safe for handling User input.

RE: And that is why you sanitize your text input
By ATrigo on 2/5/2013 12:20:47 AM , Rating: 3
Never trust user input regardless of the language.

C is like a gun. If you want to shoot yourself in the foot it will gladly do so.

RE: And that is why you sanitize your text input
By jak3676 on 2/5/2013 2:05:53 PM , Rating: 2
They need to switch to Virgil. Eternal moral vigilance is no laughing matter - especially when it comes to good code.

By vol7ron on 2/5/2013 8:33:47 PM , Rating: 2
You mean.... Vigil

Or did you mean:

RE: And that is why you sanitize your text input
By B3an on 2/4/2013 3:26:27 PM , Rating: 2
Don't know why you two are even talking about app developers. This is to do with Apple not being able to make a stable OS and test things properly.

It's specific to Mountain Lion. All these apps will work without crashing on older versions of OSX when you type this same stuff. It seems to have something to do with the system wide spell checker in Mountain Lion.

By elleehswon on 2/4/2013 4:10:03 PM , Rating: 1
who do you think wrote the "spellchecker?" programmers did.

RE: And that is why you sanitize your text input
By kattanna on 2/4/2013 12:42:48 PM , Rating: 2
I personally think it has more to do with the separation of hiring from those who know what is needed. a couple of examples..

recently the company I work for hired an IOS developer for some project. When I got around to making him his email..the kid was clueless as to how to set up his iphone for email, REALLY??? needless to say, he isn't here anymore.

and more recently I hired a jr sys admin. OMFG.. going through the candidates was an eye opening experience. I haven't had to hire anyone in 14 years. I got tons of people who looked overly qualified for the job, until I got them in my test lab where most couldn't figure out how to get a MAC back onto the network, install a printer.. or set up email.

If I had listened to some HR person's recommendation I would have been stuck with an idiot, but since I took the matters into my own hands, I actually came across someone worth a crap..who is now kicking ass.

By Wererat on 2/4/2013 12:56:47 PM , Rating: 2
Bingo. As soon as HR realized they had no idea how to effectively screen IT talent, they implemented the system of buzzwords we know and loathe today.

So now, if you have immense talent and experience, but you haven't been lucky enough to use the exact tool and language the job post is for (and you're not into lying on your resume) you're SOL. With the magic acronyms and no talent, you can flit about picking up experience (ruining projects with) the most current and highly-rewarded skillsets.

Reference calls are useless as you can ask so little, and besides the guy who's eager to be rid of a useless weasel will gladly tell you he'd be glad to hire him again. Anything as long as YOU take him off his hands.

People who can claim some tangential relationship to the desired skillset are in. As you noted, the only way to really screen them is to make them show you. We use testing and a type of interview that demands the candidate provide relevant examples from his past. These can be fact-checked and their breadth and depth tells me whether the candidate is worthy, hopeless, or a liar.

RE: And that is why you sanitize your text input
By tayb on 2/4/2013 1:21:33 PM , Rating: 2
Ding ding ding.

When I am hiring developers I go through three stages of "testing."

First, I bring in candidates and give them what is known as the "Fizz Buzz Test." Google it if you're not familiar or are curious. About 80% of candidates fail here.

Second, I take them over to and give them a few puzzles to solve. Of the remaining 20% about 15-18% fail here. (This is a great site, btw, even for experienced developers. Fun.)

(I would like to pause here to say that these first two tests are things that an incoming junior in computer science should be able to accomplish without help from the internet, intellisense, or autocompletion.)

Once I've whittled the list down to about 5-6 candidates I ask them to solve a more complex problem on their own time (if they choose to). If you guys are curious I'll post the problem in a reply but it's not all that exciting.

Having to hire developers has taught me a few things. The first is that resumes, job history, work experience, and education are not good indicators of job performance. The second is that colleges are doing a horrible job of teaching developers how to actually write code. Most college grads I interview are "copy pasta" programmers who usually don't even know how to write a simple for loop. I can't tell you how many people I interviewed who had no idea what to do with Fizz Buzz. It's abysmal.

RE: And that is why you sanitize your text input
By tayb on 2/4/2013 1:28:53 PM , Rating: 3
I would like to add that I'll do versions of this test for whatever programming language the applicant chooses. Pex doesn't exist for other languages but there are alternatives. The first and third are completely universal. I hate companies that expect you to have the exact skill set required. It's impossible. If you can make it through these three steps I will gladly train you.

By martin5000 on 2/4/2013 2:34:55 PM , Rating: 2
Agree with all that, especially that grads don't know anything. Resumes, experience etc. may not be a good indicator, but neither is a puzzle on its own, you've got to look at the whole picture, which I'm sure you do.

Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.

You could even argue that you are filtering in the reckless risk takers who don't give a shit if it's wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.

RE: And that is why you sanitize your text input
By tayb on 2/4/2013 2:53:01 PM , Rating: 1
> Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.

I don't just invite them in and throw a keyboard in front of them! ...but I have interviewed people who were extremely nervous and froze up. I try to talk with them about how they would solve the problem in theory and when they calm down enough have them give it another go. People get nervous, that's understandable and not something I would count against someone, but I do need to see/hear how they would solve a problem.

> You could even argue that you are filtering in the reckless risk takers who don't give a shit if it's wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.

Hacking at it until you solve it (guess and check programming) isn't "solving" in my book. As for the thoughtful worriers, same answer as above. I can usually tell.

By NellyFromMA on 2/4/2013 3:14:34 PM , Rating: 2
I agree with 99% of what you've written in various comments on this topic but I have to disagree with one thing. Sometimes it's ok to solve a problem by working the other side of the equation, that is as you describe it: Hacking at it.

A part of the job is this at times. Is it ideal, no. But more often than not, project conditions are not ideal, specifically time. Based on my experience anyways, all mileage varies.

Just my two.

RE: And that is why you sanitize your text input
By tayb on 2/4/2013 3:32:06 PM , Rating: 2
Ha. Sometimes it definitely is okay but not when the problem is as simple as Fizz Buzz! I enjoy talking with other developers on here and appreciate your comments/responses!

By spaced_ on 2/12/2013 3:44:18 AM , Rating: 2
print "1\n";
print "2\n";
print "Fizz\n";
print "4\n";
print "Buzz\n";
print "Fizz\n";
print "7\n";

RE: And that is why you sanitize your text input
By mik123 on 2/4/2013 3:33:04 PM , Rating: 2
I just looked up the "FizzBuzz" problem out of curiosity. I started learning programming 4 months ago. It took me 5 minutes to write the solution in C++. How could anyone who has ever taken a programming class not solve this, is beyond me.

By MrBungle123 on 2/5/2013 3:05:40 AM , Rating: 2
Some people just don't get it... I remember trying to help a college student with some C++ homework a few years back. I spent 3 hours trying to explain to him how to step through an array with a loop before finally giving up, I'm pretty sure he'd never solve that fizz buzz problem.

By Master Kenobi on 2/5/2013 5:48:10 PM , Rating: 2
It's a problem that requires you to be "creative" as you won't find code examples that do EXACTLY what the FizzBuzz test asks in any textbook. You might find ones that can tell you if W is a multiple of X or Y, but it won't get them to the W is a multiple of Z without tripping X or Y (X and Y are both multiples of Z).

The simple solution that most programmers out of school can't comprehend is to do the problem in reverse (The problem is deliberately given so that you ask to check for X then Y then Z). Check for it being a multiple of Z then X then Y (X and Y check order is of no consequence usually) and print the appropriate response to screen.

Writing code isn't hard, solving a real problem using programmatic logic is. A basic grasp of mathematics is also required for this particular question and if you don't have that you can get out of IT/Programming now and save yourself a whole lot of embarrassment.

RE: And that is why you sanitize your text input
By mik123 on 2/5/2013 8:56:05 PM , Rating: 2
I don't know which textbooks you're talking about, the one I use has plenty of challenging problems.
Last fall I took the very first 'introduction to programming' class for freshmen. On the exam, we had to code a particular method to find prime numbers within a range. Same type problem as "FizzBuzz", but a lot more complicated.
This quarter we're doing text processing exercises which strain my brain even more.

I just don't understand how could one get through freshman year in CS if he struggles with such trivial problems. If they require one to be "creative" then what I'm solving right now requires one to be "genius" (and I'm definitely not a genius, lol).

By Master Kenobi on 2/6/2013 12:00:09 AM , Rating: 2
> On the exam, we had to code a particular method to find prime numbers within a range. Same type problem as "FizzBuzz", but a lot more complicated.

If you're having problems generating prime numbers in a range it isn't your programming that has a problem it is your mathematics. Prime numbers are easy to generate, the tricky part is doing it without a huge performance hit once you move into the really stupidly high number ranges. Again, there are formulas that can be implemented to handle it quite easily. If you aren't familiar with the Euler challenges for Python, I encourage you to look into it.

> This quarter we're doing text processing exercises which strain my brain even more.

Not to rain on your parade here but text processing is extremely simplistic. I'm not sure why it remains one of the largest areas of weakness for programmers, but I'm betting it's because most of them stick with the C/C++ style disciplines and never move into areas like PL/SQL and other database types where processing huge amounts of text and other data is standard fare. The really good database programmers can write systems that chunk through terabytes of data like it's nothing.

As for what you are doing right now, it simply requires you to be better in mathematics and pattern analysis, the coding part is ALWAYS the easiest part of programming.

Personal disclaimer: I can't stand anyone writing code in "academia". Most Professors in college within the Computer Science field of study are no talent hacks that couldn't cut it in the real world. Academics produce code that is usually very neat to read, yet sets records for how slow, inefficient and unscalable software can be. I've not hired anyone fresh out of college in years and prefer not to. Experience in the field and the results of past projects/contracts speaks volumes.

By mik123 on 2/7/2013 1:44:55 PM , Rating: 2
For that particular problem with prime numbers we were given the exact algorithm how to do it (Sieve of Eratosthenes). The task was to implement it in C++. For me it was somewhat challenging, perhaps because I'm not yet used to thinking like a programmer. But even to someone as new as I am, the FizzBuzz problem looks almost trivial.

Thanks for the Project Euler suggestion, it's interesting - some problems look really easy, others I don't even know where to start. That site will keep me occupied for a while!

I don't understand your frustration with academia. Professors' job is to teach and direct research, not to crank out highly polished code. Academia provides an environment to investigate new ideas. Besides, computer scientist != software developer != good teacher. I think we need all 3 types of people.

RE: And that is why you sanitize your text input
By Ammohunt on 2/4/2013 2:50:57 PM , Rating: 2
Is this a Developer issue or a QA issue? Programmers make mistakes, period; it's QA's job to find the small detail bugs.

By bsd228 on 2/4/2013 5:14:07 PM , Rating: 2
> Is this a Developer issue or a QA issue? Programmers make mistakes, period; it's QA's job to find the small detail bugs.

For cowboy programming, maybe. Otherwise, it's the developer's job to write quality code, which includes code coverage testing. The QE person isn't solely responsible here.

By NellyFromMA on 2/4/2013 3:06:16 PM , Rating: 3
This issue isn't OO or your perceived lesser skillset. There are MANY bugs that originate from lower level languages present today.

The truth is that there simply are MANY MORE programmers than there used to be and many more users.

Simple odds tell you this will cause more bugs to surface. I'll never understand developer snobbery.

Everyone Googles for all their answers now, that isn't just a programmer work flow. Are you trying to allege you don't Google for answers? Ok, guess you can keep being the cool guy at the library?

By Master Kenobi on 2/5/2013 5:52:12 PM , Rating: 2
Code samples and collaboration on the 'net is normal. Sometimes it's simply a matter of asking the question "Is there a better way to do this because the way I'm trying to do it seems to be inefficient?". Sometimes a few Google searches will net you something you hadn't thought of, sometimes it will simply confirm that yea, there is no real good way to do it and you might need to accept the performance or go back further in the code and try to mitigate the performance hit sooner.

Bugs happen...
By retrospooty on 2/4/2013 11:19:30 AM , Rating: 2
So long as when found they fix it, it's not an issue.

RE: Bugs happen...
By xenol on 2/4/2013 11:27:07 AM , Rating: 2
Fixable or not, bugs that cause crashes are bad PR regardless. And if it's simple to reproduce but has a huge impact, this is nothing short of embarrassment on the software developers.

RE: Bugs happen...
By retrospooty on 2/4/2013 11:28:56 AM , Rating: 2
Agreed, it is bad PR especially for a company that smugly acts as if their sHit don't stink, but this isn't simple to reproduce by mistake. It's not like your hand slips and you type File:/// by mistake.

RE: Bugs happen...
By Rukkian on 2/4/2013 2:56:49 PM , Rating: 3
Unfortunately, they will deny it is actually a problem (as usual) and the idiot masses (their key demographic) will still flock to them cause there is nothing wrong.

By chalupa on 2/4/2013 11:13:57 AM , Rating: 3
"One loyal Apple user comments on the bug report:"... Steve is that you?

RE: really?
By gibb3h on 2/4/2013 11:19:08 AM , Rating: 5

That's a funny one
By tayb on 2/4/2013 11:25:55 AM , Rating: 2
That's a pretty funny bug, honestly. It's a pretty minor bug if you think about it, I can't imagine how often File:/// (shit, I just crashed my browser!!) is typed. Hilarious that it breaks almost anywhere it is typed.

Hey, it IS a quick and easy way to kill your apps! Command + Q is so yesterday.

RE: That's a funny one
By Alexvrb on 2/5/2013 4:09:03 AM , Rating: 2
I'd forgive them entirely if the secret word was "Elbereth". Wards off hostile apps!

By xti on 2/4/2013 11:29:41 AM , Rating: 2
I think we should do a community service and warn all mac users.

I will take the first 10...who wants to take the other 10?

RE: heh...
By retrospooty on 2/4/2013 12:12:48 PM , Rating: 2
I am pretty sure it's only 9... They just stopped shipping the Mac Pro in Europe, so that rules that one guy out. ;)

If Mick had his way...
By Newspapercrane on 2/5/2013 11:59:50 AM , Rating: 3
If Mick had his way we'd have to type this as a CAPTCHA before posting any comments on DT.

By Strike5150 on 2/5/2013 1:23:32 PM , Rating: 2
The blindingly obvious answer to your silly question is..... dun dun. Programs today are WAAAYYY more complex than assembly. Assembly is tricky and slimy and sometimes hard to understand, but these OO MONSTERS out there are ridiculously huge and hard to comprehend in totality. Therefore moar bugs. This for me is the number one issue, of course larger programmer base and number of people working the projects is also to blame.

I've coded on both sides of this equation and assembly/low level c is in many ways more reliable. Once it works it tends to keep on working.


It's not a bug
By ians55 on 2/4/2013 1:03:57 PM , Rating: 1
You're just typing it wrong :)

Are you sure?
By Beenthere on 2/4/13, Rating: -1
RE: Are you sure?
By Cheesew1z69 on 2/4/2013 12:46:57 PM , Rating: 5
I think the word is actually "youareatool"..

RE: Are you sure?
By nikon133 on 2/4/2013 2:50:58 PM , Rating: 3

He is actually right. Windows is crashing OSX. Always did.

RE: Are you sure?
By kleinma on 2/4/2013 2:57:21 PM , Rating: 2
Well it is good to see we still have intelligent, well thought out comments being posted here. I was getting worried for a few, but you came by and put all those fears at ease with your insightful framing of the situation.

RE: Are you sure?
By spaced_ on 2/12/2013 3:50:58 AM , Rating: 2
Hear, hear.

A masterfully presented and insightful reflection on the topic at hand.
