backtop


Print 49 comment(s) - last by spaced_.. on Feb 12 at 3:50 AM

"It just works." --Apple

While Microsoft Corp. (MSFT) has received much admonishment for its various Windows bugs over the years, it is a dramatic new bug from the brash challenger of the the operating system world, Apple, Inc.'s (AAPL) OS X Mountain Lion (10.8.2), which has people talking.  The bug is startling simple, but it can crash almost any OS X app.  All you have to do is type a word and a few characters.

I. Universal Crashes

The forbidden word is "File:///" (case sensitive).  Type that in virtual any text input form (be it a notepad, a browser dialogue, a document editor, a calendar appointment, etc.) and the program will die.  It appears that similar strings ("fILE:///" or "FILE://aa") can also trigger program crahes.  In a bizarre twist, some crashes appear to be dependent on how fast you type certain variants (e.g. "File://" followed by characters).  An Open Radar user named "Jonathan" shares a movie he made documenting that bizarre behavior here.

Among the programs confirmed to be infected are Tweetbot, Safari, Chrome, and TextEdit.  The program appears to be tied somehow to some sort of deep-rooted API embedded into OS X (it appears not to be the spell-check API as the Safari location bar has no spell check, but is still affected).

In a particularly hilarious (or awful) failure, typing the problem string into Apple's Crash Reporter UI crashes the Crash Reporter.

Mountain Lion
Mountain Lion has a big bug. [Image Source: HD Wallpapers]

The bug does not affect OS X Lion (10.7) or Snow Leopard (10.6).

II. A Partial Fix?

A handful of apps, such as the image-editor Gimp, appear to be immune, perhaps because they disable whatever the trouble-making interface is.  Typing the string in these apps will produce no crash.

Some users suggest that going to System Preferences > Language & Text > Text, and unchecking "Correct spelling automatically" and "Use symbol and text substitution" will stop the crashes in some apps.  However, commenters say the apps continue in some programs even after doing that.

One loyal Apple user comments on the bug report:

This is actually a feature. It allows you to shut down all applications before shutting down your Mac:

Crashes Finder if typed into a Finder search field (not Spotlight, though). Crashes Safari if typed into the URL bar. Crashes Mail if typed into the search field. Crashes iTunes when typed into the search field. Crashes system-generated keychain unlock prompts (typed into the "Name:" field) Crashes Reminders if typed into the search field. ...

For now the bug is merely "interesting", but it also represents a potential security flaw.  If malicious users start to use it in forms-based attacks, it could become a major headache for OS X users.

Apple for years marketed its products under the slogan "It just works", but has been plagued with software issues of late.  Some blame Tim Cook, Apple's new CEO who replaced the late Steve Jobs, for the slipping quality.  Apple's iOS maps woes drew a large amount of national news coverage late last year.  Tim Cook publicly apologized to his company's fans for the poor showing.

Our Testing:

We confirmed that the bug crashes both Safari and Searchlight.  For us the Crash Reporter did not come up even:  

Searchlight is about to crash
...about to crash!

The shell/terminal program in OS X appears to be immune to the crashes:

Terminal OS X

We'll update if a patch lands.

Sources: "Jonathan", Open Radar



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

And that is why you sanitize your text input
By elleehswon on 2/4/2013 11:26:16 AM , Rating: 4
http://xkcd.com/327/

I'm not sure whether to laugh or facepalm that app developers(programmers(that's what they are, programmers)) skill sets are really going down the tubes and have since the introduction of object oriented programming languages. I blame java for starting this mess(even if the apps were written in some other language). The point being is that programmers, nowadays, are nothing more than google search bots with a very, very loose understanding of how a program works.




RE: And that is why you sanitize your text input
By daboom06 on 2/4/2013 12:21:14 PM , Rating: 5
it seems to me that the 'problem' of less skilled programmers is actually a feature of a beneficial trend, huge numbers of programmers. easy to use programming languages allow more people to write. it's a numbers game: we need as many people as possible to be able to contribute their creativity. if the number of skilled workers doesn't decrease, then why be angry that most of the new additions to this workforce are idiots? idiots have good ideas sometimes.


By NellyFromMA on 2/4/2013 3:08:58 PM , Rating: 2
LOL, yeah we should just revert back to writting ASSEMBLY. Cause, you know, less is more right?

-_-


By elleehswon on 2/4/2013 4:01:20 PM , Rating: 2
if every programmer knew assembly and C, i would imagine things like this would not happen.


By toyotabedzrock on 2/4/2013 8:16:31 PM , Rating: 3
Yes because we all know C is really safe for handling User input.


RE: And that is why you sanitize your text input
By ATrigo on 2/5/2013 12:20:47 AM , Rating: 3
Never trust user input regardless of the language.

C is like a gun. If you want to shoot yourself in the foot it will gladly do so.


RE: And that is why you sanitize your text input
By jak3676 on 2/5/2013 2:05:53 PM , Rating: 2
They need to switch to Virgil. Eternal moral vigilance is no laughing matter - especially when it comes to good code.

https://github.com/munificent/vigil


By vol7ron on 2/5/2013 8:33:47 PM , Rating: 2
You mean.... Vigil

Or did you mean: https://github.com/Lovesan/virgil


RE: And that is why you sanitize your text input
By B3an on 2/4/2013 3:26:27 PM , Rating: 2
Don't know why you two are even talking about app developers. This is to do with Apple not being able to make a stable OS and test things properly.

It's specific to Mountain Lion. All these apps will work without crashing on older versions of OSX when you type this same stuff. It seems to have something to do with the system wide spell checker in Mountain Lion.


By elleehswon on 2/4/2013 4:10:03 PM , Rating: 1
who do you think wrote the "spellchecker?" programmers did.


RE: And that is why you sanitize your text input
By kattanna on 2/4/2013 12:42:48 PM , Rating: 2
I personally think it has more to do with the separation of hiring from those who know what is needed. a couple of examples..

recently the company I work for hired an IOS developer for some project. When I got around to making him his email..the kid was clueless as to how to setup his iphone for email, REALLY??? needless to say, he isnt here anymore.

and more recently I hired a jr sys admin. OMFG.. going through the candidates was an eye opening experience. I haven't had to hire anyone in 14 years. I got tons of people who looked overly qualified for the job, until I got them in my test lab where most couldnt figure out how to get a MAC back onto the network, install a printer.. or setup email.

If I had listened to some HR persons recommendation I would have been stuck with an idiot, but since I took the matters into my own hands, I actually came across someone worth a crap..who is now kicking ass.


By Wererat on 2/4/2013 12:56:47 PM , Rating: 2
Bingo. As soon as HR realized they had no idea how to effectively screen IT talent, they implemented the system of buzzwords we know and loathe today.

So now, if you have immense talent and experience, but you haven't been lucky enough to use the exact tool and language the job post is for (and you're not into lying on your resume') you're SOL. With the magic acryonyms and no talent, you can flit about picking up experience (ruining projects with) the most current and highly-rewarded skillsets.

Reference calls are useless as you can ask so little, and besides the guy who's eager to be rid of a useless weasel will gladly tell you he'd be glad to hire him again. Anything as long as YOU take him of his hands.

People who can claim some tangential relationship to the desired skillset are in. As you noted, the only way to really screen them is to make them show you. We use testing and a type of interview that demands the candidate provide relevant examples from his past. These can be fact-checked and their breadth and depth tells me whether the candidate is worthy, hopeless, or a liar.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 1:21:33 PM , Rating: 2
Ding ding ding.

When I am hiring developers I go through three stages of "testing."

First, I bring in candidates and give them what is known as the "Fizz Buss Test." Google it if you're not familiar or are curious. About 80% of candidates fail here.

Second, I take them over to http://pex4fun.com/Page.aspx#learn/puzzles and give them a few puzzles to solve. Of the remaining 20% about 15-18% fail here. (This is a great site, btw, even for experienced developers. Fun.)

(I would like to pause here to say that these first two tests are things that an incoming junior in computer science should be able to accomplish without help from the internet, intellisense, or autocompletion.)

Once I've whittled the list down to about 5-6 candidates I ask them top solve a more complex problem on their own time (if they choose to). If you guys are curious I'll post the problem in a reply but it's not all that exciting.

Having to hire developers has taught me a few things. The first is that resumes, job history, work experience, and education are not good indicators of job performance. The second is that colleges are doing a horrible job of teaching developers how to actually write code. Most college grads I interview are "copy pasta" programmers who usually don't even know how to write a simple for loop. I can't tell you how many people I interviewed who had no idea what to do with Fizz Buzz. It's abysmal.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 1:28:53 PM , Rating: 3
I would like to add that I'll do versions of this test for whatever programming language the applicant chooses. Pex doesn't exist for other languages but there are alternatives. The first and third are completely universal. I hate companies that expect you to have the exact skill set required. It's impossible. If you can make it through these three steps I will gladly train you.


By martin5000 on 2/4/2013 2:34:55 PM , Rating: 2
Agree with all that, especially that grads don't know anything. Resumes, experience etc. may not be a good indicator, but neither is a puzzle on its own, you've got to look at the whole picture, which I'm sure you do.

Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.

You could even argue that you are filtering in the reckless risk takers who don't give a shit if its wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 2:53:01 PM , Rating: 1
quote:
Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.


I don't just invite them in and throw a keyboard in front of them! ...but I have interviewed people who were extremely nervous and froze up. I try to talk with them about how they would solve the problem in theory and when they calm down enough have them give it another go. People get nervous, that's understandable and not something I would count against someone, but I do need to see/hear how they would solve a problem.

quote:
You could even argue that you are filtering in the reckless risk takers who don't give a shit if its wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.


Hacking at it until you solve it (guess and check programming) isn't "solving" in my book. As for the thoughtful worries, same answer as above. I can usually tell.


By NellyFromMA on 2/4/2013 3:14:34 PM , Rating: 2
I agree with 99% of what you've written in various comments on this topic but I have to disagree with one thing. Sometimes its ok to solve a problem by working the otherside of the equation, that is as you describe it: Hacking at it.

A part of the job is this at times. Is it ideal, no. But more often than not, project conditions are not ideal, specifically time. Based on my experience anyways, all mileage varies.

Just my two.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 3:32:06 PM , Rating: 2
Ha. Sometimes it definitely is okay but not when the problem is as simple as Fizz Buzz! I enjoy talking with other developers on here and appreciate your comments/responses!


By spaced_ on 2/12/2013 3:44:18 AM , Rating: 2
...
print "1\n";
print "2\n";
print "Fizz\n";
print "4\n";
print "Buzz\n";
print "Fizz\n";
print "7\n";
...


RE: And that is why you sanitize your text input
By mik123 on 2/4/2013 3:33:04 PM , Rating: 2
I just looked up the "FizzBuzz" problem out of curiosity. I started learning programming 4 months ago. It took me 5 minutes to write the solution in C++. How could anyone who has ever taken a programming class not solve this, is beyond me.


By MrBungle123 on 2/5/2013 3:05:40 AM , Rating: 2
Some people just don't get it... I remember trying to help a college student with some C++ homework a few years back. I spent 3 hours trying to explain to him how to step through an array with a loop before finally giving up, I'm pretty sure he'd never solve that fizz buzz problem.


By Master Kenobi (blog) on 2/5/2013 5:48:10 PM , Rating: 2
It's a problem that requires you to be "creative" as you won't find code examples that do EXACTLY what the FizzBuzz test asks in any textbook. You might find ones that can tell you if W is a multiple of X or Y, but it won't get them to the W is a multiple of Z without tripping X or Y (X and Y are both multiples of Z).

The simple solution that most programmers out of school can't comprehend is to do the problem in reverse (The problem is deliberately given so that you ask to check for X then Y then Z). Check for it being a multiple of Z then X then Y (X and Y check order is of no consequence usually) and print the appropriate response to screen.

Writing code isn't hard, solving a real problem using programatic logic is. A basic grasp of mathematics is also required for this particular question and if you don't have that you can get out of IT/Programming now and save yourself a whole lot of embarassment.


RE: And that is why you sanitize your text input
By mik123 on 2/5/2013 8:56:05 PM , Rating: 2
I don't know which textbooks you're talking about, the one I use has plenty of challenging problems.
Last fall I took the very first 'introduction to programming' class for freshmen. On the exam, we had to code a particular method to find prime numbers within a range. Same type problem as "FizzBuzz", but a lot more complicated.
This quarter we're doing text processing exercises which strain my brain even more.

I just don't understand how could one get through freshman year in CS if he struggles with such trivial problems. If they require one to be "creative" then what I'm solving right now requires one to be "genius" (and I'm definitely not a genius, lol).


By Master Kenobi (blog) on 2/6/2013 12:00:09 AM , Rating: 2
quote:
On the exam, we had to code a particular method to find prime numbers within a range. Same type problem as "FizzBuzz", but a lot more complicated.

If you're having problems generating prime numbers in a range it isn't your programming that has a problem it is your mathematics. Prime numbers are easy to generate, the tricky part is doing it without a huge performance hit once you move into the really stupidly high number ranges. Again, there are formulas that can be implemented to handle it quite easily. If you aren't familiar with the Euler challenges for Python, I encourage you to look into it.

quote:
This quarter we're doing text processing exercises which strain my brain even more.

Not to rain on your parade here but text processing is extremely simplistic. I'm not sure why it remains one of the largest areas of weakness for programmers, but I'm betting it's because most of them stick with the C/C++ style disciplines and never move into areas like PL/SQL and other database types where processing huge amounts of text and other data is standard fare. The really good database programmers can write systems that chunk through terabytes of data like it's nothing.

As for what you are doing right now, it simply requires you to be better in mathematics and pattern analysis, the coding part is ALWAYS the easiest part of programming.

Personal disclaimer: I can't stand anyone writing code in "academia". Most Professors in college within the Computer Science field of study are no talent hacks that couldn't cut it in the real world. Academics produce code that is usually very neat to read, yet sets records for how slow, inefficient and unscalable software can be. I've not hired anyone fresh out of college in years and prefer not to. Experience in the field and the results of past projects/contracts speaks volumes.


By mik123 on 2/7/2013 1:44:55 PM , Rating: 2
For that particular problem with prime numbers we were given the exact algorithm how to do it (Sieve of Eratosthenes). The task was to implement it in C++. For me it was somewhat challenging, perhaps because I'm not yet used to thinking like a programmer. But even to someone as new as I am, the FizzBuzz problem looks almost trivial.

Thanks for the Project Euler suggestion, it's interesting - some problems look really easy, others I don't even know where to start. That site will keep me occupied for a while!

I don't understand your frustration with academia. Professors' job is to teach and direct research, not to crank out highly polished code. Academia provides an environment to investigate new ideas. Besides, computer scientist != software developer != good teacher. I think we need all 3 types of people.


RE: And that is why you sanitize your text input
By Ammohunt on 2/4/2013 2:50:57 PM , Rating: 2
It this a Developer issue or a QA issue? Programmers make mistakes period its QA's job to find the small detail bugs.


By bsd228 on 2/4/2013 5:14:07 PM , Rating: 2
> It this a Developer issue or a QA issue? Programmers make mistakes period its QA's job to find the small detail bugs.

For cowboy programming, maybe. Otherwise, it's the developer's job to write quality code, which includes code coverage testing. The QE person isn't solely responsible here.


By NellyFromMA on 2/4/2013 3:06:16 PM , Rating: 3
This issue isn't OO or your perceived lesser skillset. There are MANY bugs that originate from lower level languages present today.

The truth is that there simply are MANY MORE programmers than there used to be and many more users.

Simple odds tell you this will cause more bugs to surface. I'll never understand developer snobbery.

Everyone Google's fgor all their answers now, that isn't just a programmer work flow. Are you trying to allege you don't Google for answers? Ok, guess you can keep being the cool guy at the library?


By Master Kenobi (blog) on 2/5/2013 5:52:12 PM , Rating: 2
Code samples and collaboration on the 'net is normal. Sometimes it's simply a matter of asking the question "Is there a better way to do this because the way I'm trying to do it seems to be ineffecient?". Sometimes a few google searches will net you something you hadn't thought of, sometimes it will simply confirm that yea, there is no real good way to do it and you might need to accept the performance or go back further in the code and try to mitigate the performance hit sooner.


"I'm an Internet expert too. It's all right to wire the industrial zone only, but there are many problems if other regions of the North are wired." -- North Korean Supreme Commander Kim Jong-il














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki