URL detection flaw causes OS X apps to crash

Over the weekend, a rather curious OS X bug came to light, greeted with a mixture of amusement and surprise. Affecting only recent versions of Mountain Lion--including, according to some reports, as-yet unreleased betas of the operating system--the bug manifests itself in the form of a crash every time you type File:/// (with an uppercase F) inside most standard text input controls like those you can find in a Web form or in text editors like TextEdit.

Bugs are nothing new, of course, but this one is particularly interesting because it affects almost every app that uses OS X's standard text-input mechanisms. Luckily, it's a relatively minor issue that occurs only rarely in real-life use, and can be easily addressed by a few mouse clicks in the right System Preferences pane.

What's happening?

Recent versions of OS X include a feature, called data detectors, which allows apps to automatically recognize certain kinds of information when it appears in a piece of text. You can see it at work whenever Mail detects that a message you have received contains an address or a phone number and allows you to, for example, create an entry in the Contacts app at the click of a mouse.

One of the jobs entrusted to the detectors is that of recognizing Internet URLs. Thus, when you type something like http://macworld.com, an app can use data detectors to automatically recognize it as a URL and make it clickable. As you can imagine, this greatly enhances the user's experience, since the alternative would be to manually copy-and-paste Web addresses into a browser, which is both time consuming and error prone.

In addition to website addresses, URLs that start with the prefix file:/// can also be used to identify files that reside locally on your computer, and this is where our bug comes into play. When you type File:/// anywhere in an affected app, data detectors correctly recognize that you are trying to input a file URL and attempt to extract it so that it can be highlighted or otherwise manipulated by the host app, just like any other address.

Crucially, however, this process also contains a bit of self-validation code designed to make sure that the data detector did its job properly and that it was not somehow fooled into recognizing an invalid URL--something that could result in improper operation, or even a security vulnerability. Unfortunately, the validation code, called an assertion, cannot make the distinction between uppercase and lowercase characters properly; thus, when you start a URL with the word File instead of file, the operating system correctly detects the URL, but the validation code fails, causing the crash.
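A simplified model of the mismatch described above, added here as an illustration: it is not Apple's code, and the function names, the regular expression and the sample strings are assumptions. It shows a detector that accepts the scheme in any case, a follow-up check that compares it case-sensitively, and a corrected check that normalizes the scheme and rejects a bad match instead of aborting.

```python
import re

# Model detector (assumption): recognizes file URLs with the scheme in any case.
FILE_URL = re.compile(r"file:///\S*", re.IGNORECASE)

def detect(text):
    """Return every file URL the model detector finds in text."""
    return [m.group(0) for m in FILE_URL.finditer(text)]

def check_case_sensitive(url):
    """Flawed check: compares the scheme exactly, so 'File' is treated as invalid."""
    if not url.startswith("file://"):
        # An explicit raise is used so the model behaves the same under `python -O`.
        raise AssertionError("detected URL failed validation: %r" % url)
    return url

def check_normalized(url):
    """Corrected check: URL schemes are case-insensitive (RFC 3986), so the
    scheme is lowercased before comparison. An invalid match returns None
    and is dropped rather than taking the whole process down."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "file" or not rest.startswith("//"):
        return None
    return "file:" + rest

def process(text, check):
    """Detect, then validate. Returns the accepted URLs, or the string
    'crash' where the real application would have aborted."""
    accepted = []
    for url in detect(text):
        try:
            result = check(url)
        except AssertionError:
            return "crash"
        if result is not None:
            accepted.append(result)
    return accepted

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("open file:///tmp/a.txt", "open File:///tmp/a.txt"):
        print(sample, "->", process(sample, check_case_sensitive),
              "|", process(sample, check_normalized))
```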

How bad is it?

The good news is that this bug is simply the result of an overzealous attempt at keeping your operating system secure: The crash occurs because the operating system incorrectly believes that a file URL that starts with an uppercase character is invalid and has somehow managed to slip through the regular data detection routines. Under normal circumstances, this would be a last-resort attempt at preventing bad data from making its way into an app and wreaking havoc; thus, the crash does not open the door to security vulnerabilities or create any significant attack vectors that could be used by would-be hackers.

The bad news is that this bug is very pervasive: It affects just about any app that makes use of data detectors, and that includes... well, pretty much every major app you have running on your Mac, from the Finder to Safari. And, while your hard drive won't go up in smoke because of it, an untimely crash could easily lead to the loss of precious data--hardly the kind of user experience any of us would want.

Luckily, the problem is somewhat mitigated by the fact that most users are unlikely to use file URLs, and even those who do are much more likely to use the lowercase variant. Thus, despite all the publicity it's receiving, the bug's occurrence in real-life usage is probably fairly rare, which explains why it took so long for it to surface.

Ultimately, it's a fair bet that Apple will fix everything in an upcoming release of Mountain Lion; in the meantime, however, you can turn off the affected code by visiting the Language and Text pane in System Preferences; disabling both "Use symbol and text substitution" and "Correct spelling automatically" in the Text tab will prevent the bug from occurring, albeit at the cost of losing access to two useful operating system features.

Copyright © 2013 IDG Communications, Inc.
