
"It just works." --Apple

While Microsoft Corp. (MSFT) has received much admonishment for its various Windows bugs over the years, it is a dramatic new bug in OS X Mountain Lion (10.8.2), from the brash challenger of the operating system world, Apple, Inc. (AAPL), that has people talking.  The bug is startlingly simple, but it can crash almost any OS X app.  All you have to do is type a word and a few characters.

I. Universal Crashes

The forbidden word is "File:///" (case sensitive).  Type that in virtually any text input field (be it a notepad, a browser dialogue, a document editor, a calendar appointment, etc.) and the program will die.  It appears that similar strings ("fILE:///" or "FILE://aa") can also trigger program crashes.  In a bizarre twist, some crashes appear to depend on how fast you type certain variants (e.g. "File://" followed by characters).  An Open Radar user named "Jonathan" shares a movie he made documenting that bizarre behavior here.

Among the programs confirmed to be affected are Tweetbot, Safari, Chrome, and TextEdit.  The problem appears to be tied to some deep-rooted API embedded in OS X (it appears not to be the spell-check API, as the Safari location bar has no spell check but is still affected).

In a particularly hilarious (or awful) failure, typing the problem string into Apple's Crash Reporter UI crashes the Crash Reporter.

Mountain Lion has a big bug. [Image Source: HD Wallpapers]

The bug does not affect OS X Lion (10.7) or Snow Leopard (10.6).

II. A Partial Fix?

A handful of apps, such as the image-editor Gimp, appear to be immune, perhaps because they disable whatever the trouble-making interface is.  Typing the string in these apps will produce no crash.

Some users suggest that going to System Preferences > Language & Text > Text, and unchecking "Correct spelling automatically" and "Use symbol and text substitution" will stop the crashes in some apps.  However, commenters say the crashes continue in some programs even after doing that.

One loyal Apple user comments on the bug report:

This is actually a feature. It allows you to shut down all applications before shutting down your Mac:

Crashes Finder if typed into a Finder search field (not Spotlight, though).
Crashes Safari if typed into the URL bar.
Crashes Mail if typed into the search field.
Crashes iTunes when typed into the search field.
Crashes system-generated keychain unlock prompts (typed into the "Name:" field).
Crashes Reminders if typed into the search field.
...

For now the bug is merely "interesting", but it also represents a potential security flaw.  If malicious users start to use it in forms-based attacks, it could become a major headache for OS X users.

Apple for years marketed its products under the slogan "It just works", but has been plagued with software issues of late.  Some blame Tim Cook, Apple's new CEO who replaced the late Steve Jobs, for the slipping quality.  Apple's iOS maps woes drew a large amount of national news coverage late last year.  Tim Cook publicly apologized to his company's fans for the poor showing.

Our Testing:

We confirmed that the bug crashes both Safari and Searchlight.  For us, the Crash Reporter did not even come up.

[Image: Searchlight is about to crash]

The shell/terminal program in OS X appears to be immune to the crashes:

[Image: Terminal OS X]

We'll update if a patch lands.

Sources: "Jonathan", Open Radar



Comments

RE: And that is why you sanitize your text input
By tayb on 2/4/2013 1:28:53 PM , Rating: 3
I would like to add that I'll do versions of this test for whatever programming language the applicant chooses. Pex doesn't exist for other languages but there are alternatives. The first and third are completely universal. I hate companies that expect you to have the exact skill set required. It's impossible. If you can make it through these three steps I will gladly train you.


By martin5000 on 2/4/2013 2:34:55 PM , Rating: 2
Agree with all that, especially that grads don't know anything. Resumes, experience etc. may not be a good indicator, but neither is a puzzle on its own, you've got to look at the whole picture, which I'm sure you do.

Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.

You could even argue that you are filtering in the reckless risk takers who don't give a shit if it's wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 2:53:01 PM , Rating: 1
quote:
Also, a lot of people will freeze under pressure when you give them a simple task like that fizz buzz, and programming is rarely something you have to do under immediate pressure.


I don't just invite them in and throw a keyboard in front of them! ...but I have interviewed people who were extremely nervous and froze up. I try to talk with them about how they would solve the problem in theory and when they calm down enough have them give it another go. People get nervous, that's understandable and not something I would count against someone, but I do need to see/hear how they would solve a problem.

quote:
You could even argue that you are filtering in the reckless risk takers who don't give a shit if it's wrong, and the thoughtful worriers who think you've given them some kind of trick question (I would, it's so easy it must be a trick...) will stumble.


Hacking at it until you solve it (guess and check programming) isn't "solving" in my book. As for the thoughtful worriers, same answer as above. I can usually tell.


By NellyFromMA on 2/4/2013 3:14:34 PM , Rating: 2
I agree with 99% of what you've written in various comments on this topic, but I have to disagree with one thing. Sometimes it's OK to solve a problem by working the other side of the equation, that is, as you describe it: hacking at it.

A part of the job is this at times. Is it ideal, no. But more often than not, project conditions are not ideal, specifically time. Based on my experience anyways, all mileage varies.

Just my two.


RE: And that is why you sanitize your text input
By tayb on 2/4/2013 3:32:06 PM , Rating: 2
Ha. Sometimes it definitely is okay but not when the problem is as simple as Fizz Buzz! I enjoy talking with other developers on here and appreciate your comments/responses!


By spaced_ on 2/12/2013 3:44:18 AM , Rating: 2
...
print "1\n";
print "2\n";
print "Fizz\n";
print "4\n";
print "Buzz\n";
print "Fizz\n";
print "7\n";
...


Copyright 2014 DailyTech LLC.