
"It just works." --Apple

While Microsoft Corp. (MSFT) has received much admonishment for its various Windows bugs over the years, it is a dramatic new bug in OS X Mountain Lion (10.8.2), from the brash challenger of the operating system world, Apple, Inc. (AAPL), that has people talking. The bug is startlingly simple, but it can crash almost any OS X app. All you have to do is type a word and a few characters.

I. Universal Crashes

The forbidden word is "File:///" (case sensitive). Type that in virtually any text input form (be it a notepad, a browser dialogue, a document editor, a calendar appointment, etc.) and the program will die. It appears that similar strings ("fILE:///" or "FILE://aa") can also trigger program crashes. In a bizarre twist, some crashes appear to be dependent on how fast you type certain variants (e.g. "File://" followed by characters). An Open Radar user named "Jonathan" shares a movie he made documenting that bizarre behavior here.

Among the programs confirmed to be affected are Tweetbot, Safari, Chrome, and TextEdit. The problem appears to be tied somehow to some sort of deep-rooted API embedded into OS X (it appears not to be the spell-check API, as the Safari location bar has no spell check but is still affected).

In a particularly hilarious (or awful) failure, typing the problem string into Apple's Crash Reporter UI crashes the Crash Reporter.

Mountain Lion has a big bug. [Image Source: HD Wallpapers]

The bug does not affect OS X Lion (10.7) or Snow Leopard (10.6).

II. A Partial Fix?

A handful of apps, such as the image-editor Gimp, appear to be immune, perhaps because they disable whatever the trouble-making interface is.  Typing the string in these apps will produce no crash.

Some users suggest that going to System Preferences > Language & Text > Text, and unchecking "Correct spelling automatically" and "Use symbol and text substitution" will stop the crashes in some apps. However, commenters say the crashes continue in some programs even after doing that.

One loyal Apple user comments on the bug report:

This is actually a feature. It allows you to shut down all applications before shutting down your Mac:

Crashes Finder if typed into a Finder search field (not Spotlight, though).
Crashes Safari if typed into the URL bar.
Crashes Mail if typed into the search field.
Crashes iTunes when typed into the search field.
Crashes system-generated keychain unlock prompts (typed into the "Name:" field).
Crashes Reminders if typed into the search field.
...

For now the bug is merely "interesting", but it also represents a potential security flaw.  If malicious users start to use it in forms-based attacks, it could become a major headache for OS X users.

Apple for years marketed its products under the slogan "It just works", but has been plagued with software issues of late.  Some blame Tim Cook, Apple's new CEO who replaced the late Steve Jobs, for the slipping quality.  Apple's iOS maps woes drew a large amount of national news coverage late last year.  Tim Cook publicly apologized to his company's fans for the poor showing.

Our Testing:

We confirmed that the bug crashes both Safari and Searchlight. For us, the Crash Reporter did not even come up:

Searchlight is about to crash
...about to crash!

The shell/terminal program in OS X appears to be immune to the crashes:

Terminal OS X

We'll update if a patch lands.

Sources: "Jonathan", Open Radar




RE: And that is why you sanitize your text input
By tayb on 2/4/2013 1:21:33 PM , Rating: 2
Ding ding ding.

When I am hiring developers I go through three stages of "testing."

First, I bring in candidates and give them what is known as the "Fizz Buzz Test." Google it if you're not familiar or are curious. About 80% of candidates fail here.

Second, I take them over to http://pex4fun.com/Page.aspx#learn/puzzles and give them a few puzzles to solve. Of the remaining 20% about 15-18% fail here. (This is a great site, btw, even for experienced developers. Fun.)

(I would like to pause here to say that these first two tests are things that an incoming junior in computer science should be able to accomplish without help from the internet, intellisense, or autocompletion.)

Once I've whittled the list down to about 5-6 candidates I ask them to solve a more complex problem on their own time (if they choose to). If you guys are curious I'll post the problem in a reply but it's not all that exciting.

Having to hire developers has taught me a few things. The first is that resumes, job history, work experience, and education are not good indicators of job performance. The second is that colleges are doing a horrible job of teaching developers how to actually write code. Most college grads I interview are "copy pasta" programmers who usually don't even know how to write a simple for loop. I can't tell you how many people I interviewed who had no idea what to do with Fizz Buzz. It's abysmal.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 1:28:53 PM , Rating: 3
I would like to add that I'll do versions of this test for whatever programming language the applicant chooses. Pex doesn't exist for other languages but there are alternatives. The first and third are completely universal. I hate companies that expect you to have the exact skill set required. It's impossible. If you can make it through these three steps I will gladly train you.


By martin5000 on 2/4/2013 2:34:55 PM , Rating: 2
Agree with all that, especially that grads don't know anything. Resumes, experience etc. may not be a good indicator, but neither is a puzzle on its own, you've got to look at the whole picture, which I'm sure you do.

Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.

You could even argue that you are filtering in the reckless risk takers who don't give a shit if it's wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 2:53:01 PM , Rating: 1
quote:
Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.


I don't just invite them in and throw a keyboard in front of them! ...but I have interviewed people who were extremely nervous and froze up. I try to talk with them about how they would solve the problem in theory and when they calm down enough have them give it another go. People get nervous, that's understandable and not something I would count against someone, but I do need to see/hear how they would solve a problem.

quote:
You could even argue that you are filtering in the reckless risk takers who don't give a shit if it's wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.


Hacking at it until you solve it (guess and check programming) isn't "solving" in my book. As for the thoughtful worriers, same answer as above. I can usually tell.


By NellyFromMA on 2/4/2013 3:14:34 PM , Rating: 2
I agree with 99% of what you've written in various comments on this topic but I have to disagree with one thing. Sometimes it's OK to solve a problem by working the other side of the equation, that is, as you describe it: hacking at it.

A part of the job is this at times. Is it ideal, no. But more often than not, project conditions are not ideal, specifically time. Based on my experience anyways, all mileage varies.

Just my two.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 3:32:06 PM , Rating: 2
Ha. Sometimes it definitely is okay but not when the problem is as simple as Fizz Buzz! I enjoy talking with other developers on here and appreciate your comments/responses!


By spaced_ on 2/12/2013 3:44:18 AM , Rating: 2
...
print "1\n";
print "2\n";
print "Fizz\n";
print "4\n";
print "Buzz\n";
print "Fizz\n";
print "7\n";
...


RE: And that is why you sanitize your text input
By mik123 on 2/4/2013 3:33:04 PM , Rating: 2
I just looked up the "FizzBuzz" problem out of curiosity. I started learning programming 4 months ago. It took me 5 minutes to write the solution in C++. How anyone who has ever taken a programming class could not solve this is beyond me.


By MrBungle123 on 2/5/2013 3:05:40 AM , Rating: 2
Some people just don't get it... I remember trying to help a college student with some C++ homework a few years back. I spent 3 hours trying to explain to him how to step through an array with a loop before finally giving up, I'm pretty sure he'd never solve that fizz buzz problem.


By Master Kenobi (blog) on 2/5/2013 5:48:10 PM , Rating: 2
It's a problem that requires you to be "creative" as you won't find code examples that do EXACTLY what the FizzBuzz test asks in any textbook. You might find ones that can tell you if W is a multiple of X or Y, but it won't get them to the W is a multiple of Z without tripping X or Y (X and Y are both multiples of Z).

The simple solution that most programmers out of school can't comprehend is to do the problem in reverse (The problem is deliberately given so that you ask to check for X then Y then Z). Check for it being a multiple of Z then X then Y (X and Y check order is of no consequence usually) and print the appropriate response to screen.

Writing code isn't hard, solving a real problem using programmatic logic is. A basic grasp of mathematics is also required for this particular question and if you don't have that you can get out of IT/Programming now and save yourself a whole lot of embarrassment.


RE: And that is why you sanitize your text input
By mik123 on 2/5/2013 8:56:05 PM , Rating: 2
I don't know which textbooks you're talking about, the one I use has plenty of challenging problems.
Last fall I took the very first 'introduction to programming' class for freshmen. On the exam, we had to code a particular method to find prime numbers within a range. Same type problem as "FizzBuzz", but a lot more complicated.
This quarter we're doing text processing exercises which strain my brain even more.

I just don't understand how one could get through freshman year in CS if he struggles with such trivial problems. If they require one to be "creative" then what I'm solving right now requires one to be "genius" (and I'm definitely not a genius, lol).


By Master Kenobi (blog) on 2/6/2013 12:00:09 AM , Rating: 2
quote:
On the exam, we had to code a particular method to find prime numbers within a range. Same type problem as "FizzBuzz", but a lot more complicated.

If you're having problems generating prime numbers in a range it isn't your programming that has a problem it is your mathematics. Prime numbers are easy to generate, the tricky part is doing it without a huge performance hit once you move into the really stupidly high number ranges. Again, there are formulas that can be implemented to handle it quite easily. If you aren't familiar with the Euler challenges for Python, I encourage you to look into it.

quote:
This quarter we're doing text processing exercises which strain my brain even more.

Not to rain on your parade here but text processing is extremely simplistic. I'm not sure why it remains one of the largest areas of weakness for programmers, but I'm betting it's because most of them stick with the C/C++ style disciplines and never move into areas like PL/SQL and other database types where processing huge amounts of text and other data is standard fare. The really good database programmers can write systems that chunk through terabytes of data like it's nothing.

As for what you are doing right now, it simply requires you to be better in mathematics and pattern analysis, the coding part is ALWAYS the easiest part of programming.

Personal disclaimer: I can't stand anyone writing code in "academia". Most Professors in college within the Computer Science field of study are no talent hacks that couldn't cut it in the real world. Academics produce code that is usually very neat to read, yet sets records for how slow, inefficient and unscalable software can be. I've not hired anyone fresh out of college in years and prefer not to. Experience in the field and the results of past projects/contracts speaks volumes.


By mik123 on 2/7/2013 1:44:55 PM , Rating: 2
For that particular problem with prime numbers we were given the exact algorithm how to do it (Sieve of Eratosthenes). The task was to implement it in C++. For me it was somewhat challenging, perhaps because I'm not yet used to thinking like a programmer. But even to someone as new as I am, the FizzBuzz problem looks almost trivial.

Thanks for the Project Euler suggestion, it's interesting - some problems look really easy, others I don't even know where to start. That site will keep me occupied for a while!

I don't understand your frustration with academia. Professors' job is to teach and direct research, not to crank out highly polished code. Academia provides an environment to investigate new ideas. Besides, computer scientist != software developer != good teacher. I think we need all 3 types of people.