URL detection flaw causes OS X apps to crash

Over the weekend, reports of a rather curious OS X bug were reported with a mixture of amusement and surprise. Affecting only recent versions of Mountain Lion--including, according to some reports, as-yet unreleased betas of the operating system--the bug manifests itself in the form of a crash every time you type File:/// (with an uppercase F) inside most standard text input controls like those you can find in a Web form or in text editors like TextEdit.

Bugs are nothing new, of course, but this one is particularly interesting because it affects almost every app that uses OS X's standard text-input mechanisms. Luckily, it's a relatively minor issue that occurs only rarely in real-life use, and can be easily addressed by a few mouse clicks in the right System Preferences pane.

What's happening?

Recent versions of OS X include a feature, called data detectors, which allows apps to automatically recognize certain kinds of information when it appears in a piece of text. You can see it at work whenever Mail detects that a message you have received contains an address or a phone number and allows you to, for example, create an entry in the Contacts app at the click of a mouse.

One of the jobs entrusted to the detectors is that of recognizing Internet URLs. Thus, when you type something like http://macworld.com, an app can use data detectors to automatically recognize it as a URL and make it clickable. As you can imagine, this greatly enhances the user's experience, since the alternative would be to manually copy-and-paste Web addresses into a browser, which is both time consuming and error prone.

In addition to website addresses, URLs that start with the prefix file:/// can also be used to identify files that reside locally on your computer, and this is where our bug comes into play. When you type File:/// anywhere in an affected app, data detectors correctly recognize that you are trying to input a file URL and attempt to extract it so that it can be highlighted or otherwise manipulated by the host app, just like any other address.

Crucially, however, this process also contains a bit self-validation code designed to make sure that the data detector did its job properly and that it was not somehow fooled into recognizing an invalid URL--something that could result in improper operation, or even a security vulnerability. Unfortunately, the validation code, called an assertion, cannot make the distinction between uppercase and lowercase characters properly; thus, when you start a URL with the word File instead of file, the operating system correctly detects the URL, but the validation code fails, causing the crash.

How bad is it?

The good news is that this bug is simply the result of an overzealous attempt at keeping your operating system secure: The crash occurs because the operating system incorrectly believes that a file URL that starts with an uppercase character is invalid and has somehow managed to slip through the regular data detection routines. Under normal circumstances, this would be a last-resort attempt at preventing bad data from making its way into an app and wreaking havoc; thus, the crash does not open the door to security vulnerabilities or create any significant attack vectors that could be used by would-be hackers.

The bad news is that this bug is very pervasive: It affects just about any app that makes use of data validators, and that includes... well, pretty much every major app you have running on your Mac, from the Finder to Safari. And, while your hard drive won't go up in smoke because of it, an untimely crash could easily lead to the loss of precious data--hardly the kind of user experience any of us would want.

Luckily, the problem is somewhat mitigated by the fact that most users are unlikely to use file URLs, and even those who do are much more likely to use the lowercase variant. Thus, despite all the publicity it's receiving, the bug's occurrence in real-life usage is probably fairly rare, which explains why it took so long for it to surface.

Ultimately, it's a fair bet that Apple will fix everything in an upcoming release of Mountain Lion; in the meantime, however, you can turn off the affected code by visiting the Language and Text pane in System Preferences; disabling both "Use symbol and text substitution" and "Correct spelling automatically" in the Text tab will prevent the bug from occurring, albeit at the cost of losing access to two useful operating system features.

Tags: Mac, crashes, security, Mountain Lion

Aussie drug prescriptions sit pretty for health fraud

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security Solutions-GigaVUE-2404

Newgen provides innovative network monitoring and security solutions based upon Gigamon’s GigaVUE-2404

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.