back to article Apple tried to patch this security hole in macOS Finder but didn't consider upper and lowercase characters

Apple's macOS Finder application is currently vulnerable to a remote code execution bug, despite an apparent attempt to fix the problem. A security advisory published Tuesday by the SSD Secure Disclosure program, on behalf of researcher Park Minchan, explains that macOS Finder – which provides a visual interface for …

  1. ShadowSystems Silver badge

    Hey Apple!

    You've coded it wrong!

    *Cough*

    =-)p

    1. This post has been deleted by its author

    2. SuperGeek

      Re: Hey Apple!

      CodeGate??

    3. Sceptic Tank Silver badge
      Windows

      Re: Hey Apple!

      It has to have rounded corners so only "f" with the rounded corner is used at Apple and "F" with the 90° bend not.

  2. Neil Barnes Silver badge

    four months since Apple comms last provided proof of life

    Perhaps the ping service is broken?

    1. Anonymous Coward Silver badge
      Boffin

      Re: four months since Apple comms last provided proof of life

      Perhaps worth trying piNg?

      1. petef

        Re: four months since Apple comms last provided proof of life

        Or sending the enquiry from thE regIster?

  3. david 12 Silver badge

    File shortcuts are actually a useful feature. That's why the FILE:// protocol was defined.

  4. 45RPM Silver badge

    That’s an embarrassment. Didn’t anyone code review the change? It also highlights the benefits of having another team write tests for your code on the basis of the specification.

    1. Anonymous Coward
      Anonymous Coward

      I agree. This is really at "duh" level.

      1. David 132 Silver badge
        Facepalm

        I'll be the first to admit that I am to coding what Eddie the Eagle was to ski-jumping, but even I would have thought to put a .ToLower() or similar in there when doing a string-match.

        1. Strahd Ivarius Silver badge

          stricmp() anybody?

    2. Annihilator

      Depends what the specification said

      1. Jimmy2Cows Silver badge

        String comparison 101 - should it be case-sensitive, or case-insensitive. Always ask that.

        At least 7 stages that should have picked this up!

        Design

        Design review

        Specification

        Specification review

        Development

        Code review

        Testing

        That it slipped past all of these unchecked is deeply concerning. This is fundamental stuff and no way it should have been overlooked by any but the greenest of greenhorns.

        1. heyrick Silver badge

          "That it slipped past all of these unchecked is deeply concerning."

          You're assuming it went through all those stages, and didn't end up as a post it note on somebody's desk, who thought "thank god, this is an easy fix" and pushed the fix after one minute of coding...

          1. Jimmy2Cows Silver badge

            That only makes it worse.

            Let's say it did go down like that... testing still should've caught it. Changes not tied to a defect or enhancement task simply shouldn't happen in a production environment, and testing should be performed on all defect and enhancement tasks.

            Needs a tester with enough nouse to recognise whether case-sensitivity should be checked. They should check things match the spec too, but also need to be able to recognise when something might be missing from said spec.

            If they're just test monkeys blindly following the spec, everything is prone to that single point of failure. Which is a management failing for allowing it to happen.

            1. heyrick Silver badge

              Now, remind me... How often have they rolled out a new OS version, to have to then push out an update to patch something really idiotic like an easily bypassable lock screen?

    3. Brewster's Angle Grinder Silver badge

      I have a tiny bit of sympathy. You're in the filename mindset and filenames are case sensitive. It's easy to forget that URI schemes are case insensitive, assuming they even knew.

      1. heyrick Silver badge

        "and filenames are case sensitive"

        There's your problem right there.

        1. Mike 16

          Consider the source

          I presume your two downvoters are unaware that filenames on MacOS are not case sensitive, or not always, or not on some of the filesystems used over the years... This manifests in various _interesting_ ways, generally when you have the least time to spend on exorcising the bugs.

          1. Strahd Ivarius Silver badge
            Devil

            Re: Consider the source

            so can it be summarized by "you are handling your filesystem wrong" ?

        2. Yet Another Anonymous coward Silver badge

          >There's your problem right there.

          These millennials with their sensitive filenames.

          Filenames should begin with DISK$USERS: like G$D intended

          1. ITMA Silver badge

            IIRC that's from DEC VMS!

            Brings back memories of Bill and Ben - the twin DEC MicroVax that ran the accounting and stock management software for the printer manufacturer I worked for back in the early '90s

            1. Yet Another Anonymous coward Silver badge

              30 years later and we still don't have ":" versioning on our filesystems

      2. gnasher729 Silver badge

        Not case sensitive

        MacOS file names are _not_ case sensitive.

    4. ITMA Silver badge

      "Didn’t anyone code review the change? "

      Who do Apple think they are? Microsoft? LOL

    5. Charlie Clark Silver badge

      This is the sort of thing you can't rely on code review to pick up: fuzzing (what we'd now call "generative adversial testing") is what you need to pick up those things you thought fixed.

    6. gnasher729 Silver badge

      Probably “test driven design”. You write a test and check that it is fixed. file:// was handled incorrectly, a test was written, and the change fixed the test. 15 more tests were not written.

  5. yetanotheraoc Silver badge

    Slash happy

    Why this? FiLe:////////////////////////System/Applications/Calculator.app

    In my testing, three slashes are sufficient: FiLe:///System/Applications/Calculator.app

    When I use only two slashes, the error message is "The internet location file `poc.inetloc` can't be opened because it's damaged." Okay, the URI is malformed (the spec calls for three slashes for file resources), that error message is close enough. But when I use three slashes and lower-case "file", the error message is the same. This indicates to me the fix was done in kludgy hack mode. What they *should* have done was create a custom error message to go with the new branch, along the lines of "Access to the resource `file:///path` has been blocked for security reasons."

    The file:/// resources are still working for me in Safari bookmarks and in fileloc type files, so I guess I don't care what they do with inetloc type files -- I wouldn't be opening unknown resources from emails or downloads anyway.

    1. Mike 16

      opening unknown resources

      You forgot to prefix that with "intentionally"

      The recent patch-fest to avoid zero-click pwning is ample evidence that sometimes these things get done without your permission.

    2. Must contain letters

      Re: Slash happy

      Three /// for the URI and then the rest are treated as one by most path traversal libraries.

      Try ls ////////

    3. doublelayer Silver badge

      Re: Slash happy

      This error message also known as the "Arrgh Apple error", because it's the thing that goes through my head whenever I see it. They use that message for anything they don't like in Finder. This means, for example, that they give you the same message for applications that they don't want to run for certificate reasons (you can bypass that by changing a setting and using the menu to open it, but it doesn't say that). People complain about Microsoft's "Something went wrong and here's a 32-bit hex value, have fun" messages, but as unhelpful as those are, they're at least truthful. "X can't be opened because it's damaged" is quite often an outright lie, but because they also give you that when something is really malformed, you can never know until doing your own investigation.

    4. gnasher729 Silver badge

      Re: Slash happy

      There’s a rule that in the scheme, two slashes may have a specific different meaning than one slash, but three or more slashed should be treated as one.

  6. fidodogbreath Silver badge
    Facepalm

    The regular facepalm seems...insufficient.

    This cries out for a mashup of Facepalm, WTF?, and FAIL. Perhaps with a dash of Pedantic Grammar Nazi as well, since capitalization falls under his purview.

  7. Ken Moorhouse Silver badge

    Apple are doing something about it...

    They are on the case.

    Meanwhile the perps are casing the joint.

  8. razorfishsl

    Since Cook took over, Apple has continued its decline into windows territory....

    But wHo caREs PROfItS are uP.

  9. beekir

    Again with the "remote"

    I keep seeing El Reg append the word "remote" to vulnerabilities that don't really fit the definition of remote.

    1. Robert Carnegie Silver badge

      Re: Again with the "remote"

      It says I can (theoretically) send you an e-mail with this in it. If you click on the e-mail, and why would you not, then (theoretically) I pwned you. Remote compromise.

      This is different, of course, from you creating the compromise file on your own desktop and running it manually. For one thing, if you built the file yourself then you probably gave it permission to run. The bug is that it can run even without that permission.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like