URL detection flaw causes OS X apps to crash

Over the weekend, reports of a rather curious OS X bug circulated with a mixture of amusement and surprise. Affecting only recent versions of Mountain Lion--including, according to some reports, as-yet unreleased betas of the operating system--the bug manifests itself as a crash every time you type File:/// (with an uppercase F) into most standard text input controls, such as those in a Web form or in text editors like TextEdit.

Bugs are nothing new, of course, but this one is particularly interesting because it affects almost every app that uses OS X's standard text-input mechanisms. Luckily, it's a relatively minor issue that occurs only rarely in real-life use, and can be easily addressed by a few mouse clicks in the right System Preferences pane.

What's happening?

Recent versions of OS X include a feature, called data detectors, which allows apps to automatically recognize certain kinds of information when it appears in a piece of text. You can see it at work whenever Mail detects that a message you have received contains an address or a phone number and allows you to, for example, create an entry in the Contacts app at the click of a mouse.

One of the jobs entrusted to the detectors is that of recognizing Internet URLs. Thus, when you type something like http://macworld.com, an app can use data detectors to automatically recognize it as a URL and make it clickable. As you can imagine, this greatly enhances the user's experience, since the alternative would be to manually copy-and-paste Web addresses into a browser, which is both time consuming and error prone.

In addition to website addresses, URLs that start with the prefix file:/// can also be used to identify files that reside locally on your computer, and this is where our bug comes into play. When you type File:/// anywhere in an affected app, data detectors correctly recognize that you are trying to input a file URL and attempt to extract it so that it can be highlighted or otherwise manipulated by the host app, just like any other address.

Crucially, however, this process also contains a bit of self-validation code designed to make sure that the data detector did its job properly and was not somehow fooled into recognizing an invalid URL--something that could result in improper operation, or even a security vulnerability. Unfortunately, the detector and the validation code, called an assertion, disagree about letter case: the detector accepts the scheme regardless of case (URL schemes are defined to be case-insensitive, so File: and file: name the same scheme), while the assertion only accepts the lowercase spelling. Thus, when you start a URL with the word File instead of file, the operating system correctly detects the URL, the assertion fails, and, because a failed assertion deliberately terminates the process rather than carrying on with data it considers suspect, the app crashes.
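To make the mismatch concrete, here is an added Python model of the two halves described above; it is illustrative code written for this article, not Apple's implementation, which is not public. A recognizer that, like the data detector, accepts the scheme case-insensitively is paired first with a post-detection check that compares the scheme case-sensitively, and then with a corrected check that canonicalizes the scheme before testing it. The sample strings, the regular expression and all function names are constructed for the illustration.

```python
import re
from typing import Callable, List

# Constructed sample inputs (not from the article): the same path typed with
# a lowercase and an uppercase scheme, as a user might in TextEdit.
SAMPLE_LOWER = "Draft saved at file:///Users/demo/report.pdf before lunch."
SAMPLE_UPPER = "Draft saved at File:///Users/demo/report.pdf before lunch."

# Hypothetical recognizer standing in for the data detector. RFC 3986 makes
# schemes case-insensitive, so it deliberately matches 'File' as well as 'file'.
FILE_URL_RE = re.compile(r"\b(?P<scheme>file)://(?P<path>/[^\s]*)", re.IGNORECASE)


def detect_file_urls(text: str) -> List[str]:
    """Return every file URL found in text, exactly as typed (case preserved)."""
    return [m.group(0) for m in FILE_URL_RE.finditer(text)]


def validate_buggy(url: str) -> str:
    """Post-detection sanity check modelled on the Mountain Lion assertion.

    The recognizer was case-insensitive, but this check compares the scheme
    case-sensitively, so a detected 'File:///...' trips it. An explicit raise
    is used instead of `assert` so the behaviour survives `python -O`; in a
    Cocoa app the failed assertion calls abort(), which is the crash users saw.
    """
    if not url.startswith("file:///"):
        raise AssertionError(f"detector returned a non-file URL: {url!r}")
    return url


def validate_fixed(url: str) -> str:
    """Same invariant, but the scheme is canonicalized to lowercase first.

    Canonicalizing once, at the boundary between recognizer and validator,
    makes the two agree on what 'a file URL' means, so the check only fires
    on genuinely bad output rather than on a harmless spelling variant.
    """
    scheme, sep, rest = url.partition("://")
    canonical = scheme.lower() + sep + rest
    if not canonical.startswith("file:///"):
        raise AssertionError(f"detector returned a non-file URL: {url!r}")
    return canonical


def link_file_urls(text: str, validate: Callable[[str], str]) -> List[str]:
    """Run detection then validation, returning the URLs an app would make clickable.

    With validate_buggy, uppercase input raises AssertionError out of this call,
    mirroring the application crash; with validate_fixed, both spellings succeed.
    """
    return [validate(u) for u in detect_file_urls(text)]


def crashes(text: str, validate: Callable[[str], str]) -> bool:
    """True if processing text with the given validator would abort the app."""
    try:
        link_file_urls(text, validate)
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    for label, text in (("lowercase", SAMPLE_LOWER), ("uppercase", SAMPLE_UPPER)):
        print(f"{label}: buggy crashes={crashes(text, validate_buggy)}, "
              f"fixed crashes={crashes(text, validate_fixed)}")
```

The lesson generalizes beyond this one bug: whenever a permissive front-end parser feeds a strict back-end invariant, the invariant must be stated over the canonical form, or every input the parser tolerates but the invariant does not becomes a reproducible crash that any untrusted text can trigger.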

How bad is it?

The good news is that this bug is simply the result of an overzealous attempt at keeping your operating system secure: The crash occurs because the operating system incorrectly believes that a file URL starting with an uppercase character is invalid and has somehow slipped through the regular data detection routines. Under normal circumstances, this would be a last-resort attempt at preventing bad data from making its way into an app and wreaking havoc; the assertion stops the process before the suspect data is acted on, so the crash does not open the door to memory corruption or code execution. The one caveat a security-minded reader will note is that the crash is triggered by the content of the text, not by who typed it, so it amounts to a denial-of-service nuisance rather than a significant attack vector for would-be hackers.

The bad news is that this bug is very pervasive: It affects just about any app that makes use of data detectors, and that includes... well, pretty much every major app you have running on your Mac, from the Finder to Safari. And, while your hard drive won't go up in smoke because of it, an untimely crash could easily lead to the loss of unsaved work--hardly the kind of user experience any of us would want.

Luckily, the problem is somewhat mitigated by the fact that most users are unlikely to use file URLs, and even those who do are much more likely to use the lowercase variant. Thus, despite all the publicity it's receiving, the bug's occurrence in real-life usage is probably fairly rare, which explains why it took so long for it to surface.

Ultimately, it's a fair bet that Apple will fix everything in an upcoming release of Mountain Lion; in the meantime, however, you can turn off the affected code by visiting the Language and Text pane in System Preferences; disabling both "Use symbol and text substitution" and "Correct spelling automatically" in the Text tab will prevent the bug from occurring, albeit at the cost of losing access to two useful operating system features.

Stories by Marco Tabini