Apple Bug Friday March Madness

Wednesday, 2006-03-29; 00:42:00



So... yeah. I again have let a month go by without any Apple Bug Fridays. That means... that's right... another monthly bug roundup! Yeeeeeehawwww!

XXXIII: I actually submitted this one two weeks ago, but forgot to post about it. After filing bug XXXII, I decided to make sure that my data wasn't corrupted on the iDisk servers. To reset your sync data, you have to go into the Advanced tab of the .Mac preference pane. However, it often takes a long time to retrieve the list of registered computers. This shouldn't lock up the interface of System Preferences, since the pane already uses a spinny progress indicator to show that it's still retrieving the list. However, a short time after this spinny progress indicator appears, your cursor changes to the spinning rainbow cursor, indicating that the interface of System Preferences is blocked. This shouldn't happen. Additionally, the "Reset Sync Data..." button does not need to be grayed out until the list of registered computers is retrieved. A user should be able to initiate a reset sync immediately; this way, the user does not have to wait for the list of registered computers before initiating the reset sync, and can walk away from the computer while it does the reset sync. Filed: 4480800.

XXXIV: iTunes cannot edit TV show-specific metadata. For example, the episode and season number of an episode, the production number, the TV show name, and the episode description are all metadata that is supported by m4v videos, but iTunes cannot edit it. Furthermore, this data is used and displayed by iTunes and Front Row, which makes it necessary for this information to be editable through iTunes. For example, Front Row uses season and episode numbers to separate and sort TV shows in its lists. Additionally, the show name is used in Front Row, rather than the artist name. This is especially annoying -- the first episode of The Daily Show in the iTMS had "The Daily Show" as the show name; all subsequent episodes, however, used "The Daily Show with Jon Stewart" as the show name. As a result, the first episode was listed as a separate TV show. All this information can be edited via Parsley is Atomically Delicious. (Lostify can also edit this metadata, but I highly recommend against using Lostify, because its interface is crap and does not adequately allow you to batch edit TV show-specific metadata.) Filed: 4494726.

XXXV: Downloaded episodes of The Daily Show and The Colbert Report have inadequate metadata. These video files do not include season or episode numbers or a production number, and the episode descriptions are woefully inadequate. For example, the description of last night's Daily Show episode is "Today's top headlines get their Daily treatment, and Michael Gordon stops by for a chat with Jon." That's really annoying, because practically every episode description says something along the lines of the headlines getting their Daily treatment. It would be much nicer if the actual headlines were included in the description of the episode. Season and episode numbers should be added to the metadata of these files as well, because they are used when automatic library organization and track numbers at the beginning of filenames are turned on (in addition to being used to sort TV shows in Front Row). Filed: 4494729.

XXXVI: I'll let the problem description in Apple's database speak for itself:


Summary: Links are used throughout Mac OS X, including Safari, Mail, iChat, TextEdit, and any application that uses the WebKit framework. Links have two parts: the text that gets displayed to the user, and the URL to which the link actually goes. However, links can often simply display the URL as the text of the link itself, so that a user can immediately see the destination URL. However, since the text of the link can be different from the actual URL, a malicious person could provide a false URL as the text of the link, and a malicious URL as the actual URL of the link. In this way, the malicious person provides a false sense of security to the user, who instinctively clicks the link because the text looks safe, even though the URL itself isn't.

In the cases where the text of a link is a URL, Mac OS X should automatically make sure that the text of the link is identical to the actual URL of the link. If they do not match up, Mac OS X should show a warning and inform the user of this potential problem.


Steps to reproduce:

1. Open iChat.

2. Initiate a text chat session with a buddy.

3. Type in "http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewAlbum?playlistId=117659321&s=143441&i=117659289", but do not press return to send the message. This URL goes to a song called "Lie to Me" by the Devics in the iTunes Music Store. This song is enjoyable, and a worthy song for purchase.

4. Select the URL that was just entered, and then choose [Edit --> Add Hyperlink...]. This brings up a sheet.

5. Paste in this URL: "http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewAlbum?playlistId=27200448&s=143441&i=27200439". This URL goes to a song called "Breakthrough" by Hope 7. This song is a lame, poppy song reminiscent of other "stars" such as Britney Spears, pushed by the RIAA, an organization which, by any stretch of the imagination, should be wiped off the face of this earth. This song is decidedly NOT worthy of purchase.

6. Press the "OK" button in the Add Hyperlink sheet. Observe that a link is created, with the good song as the text of the hyperlink, but with the bad song as the destination URL of the link. The recipient of this link might unwittingly click this link thinking that it would go to a good song in the iTMS -- unwittingly, because this person has memorized the playlist/artist ID of Hope 7 in order to avoid pranks that go to this bad song in the iTMS. As it turns out, this recipient was duped into clicking the link, because the text of the link was a good URL which provided a false sense of security.

7. If you're evil, send the link to the recipient. Smile evilly when they message back "ARG" to you, indicating that they fell for the prank. (Note: This tactic has been used against certain unnamed recipients in my buddy list.)


Expected Results: If a link has a URL for the link text, Mac OS X should make sure that the link text and the destination URL of the link are identical. If they are not, Mac OS X should pop up a warning that allows the user to cancel the action (or continue, if desired).


Actual Results: When clicking on such a maliciously crafted link, Mac OS X blindly goes to the website even though the text of the link does not match up with the actual URL.


Regression: This problem occurs with all versions of Mac OS X.


Notes: Please note that the fix for this problem does NOT mean that warnings will pop up every time a user clicks a link. This fix is designed specifically for those links that use a URL as the text of a link. These links are very malicious, because they are designed to give a user a false sense of security: the user thinks that they know the URL to which they are going. Mac OS X should protect against such malicious intentions by providing a warning for the user. Overall, the warning would be shown only for a very small subset of all links.

Note that the fix for this security problem can initially be solved fairly easily. After clicking a link, Mac OS X should check to see if "http://" is included in the text of the link. If it is, it does a further check to make sure that the text and the URL of the link are identical. If they are identical, then Mac OS X proceeds to the destination URL without incident. If they are not identical, a warning pops up first, with the option to continue or cancel.

This is not a complete fix, however, because some URLs do not use the "http://" prefix. More sophisticated techniques should be used to check to see if the text of a link is a URL. (For example, the text could simply be a domain like "apple.com", or a link with a different protocol, like "ftp://ftp.apple.com".)

In case you were wondering, I pull the prank on this guy. I've pulled it literally like 50 times or so. It's really funny. He still hasn't learned. :P Filed: 4494733.

XXXVII: If the episode description window for a TV show is open in iTunes (it's activated by clicking the little "i" button at the right of the description column in the Video source list), you cannot open the regular information window. You must close the episode description window first. This happens for no good reason. Filed: 4494753.

