Apple Learns Microsoft's Bad Habits


Monday, May 24, 2004;

Good morning, and welcome to your week. In a few hours, I'll be hosting my 2 p.m. ET Web chat, but this time I can't linger for an extra half an hour answering questions -- I'm off to New York later this afternoon for the CeBit America trade show. Unlike its parent show (a mega-convention in Hannover, Germany, that draws hundreds of thousands of attendees each year), this one should be a pretty low-key affair, focused mainly on business computing but with enough home-computing events and exhibits to keep me reasonably busy for a couple of days.

Stop by early and submit a question if you can't join us from 2-3 p.m. today.

Apple Security Alert

A Mac OS X vulnerability, publicized and fixed last week, showed Apple imitating most of Microsoft's bad habits. First it added a feature of dubious utility -- better yet, one involving an integration of Web content into the rest of the operating system: the ability of a Web page to invoke OS X's Help Viewer application by including a "help://" link.

Help Viewer, in turn, can run other applications on a Mac (a legitimate feature, often used in help-file links that read "open this control panel for me"). The problem here is that a specially coded address can be used to open Help Viewer, then run the Terminal application, then issue a command-line instruction. Say, the "rm -rf" command that erases all your user data.
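As an added example (not from this column or from Apple), here is a small audit that flags any link or meta refresh in a page whose URL scheme is handed to an OS-registered handler application rather than rendered by the browser, which is the hand-off that let a Web page reach Help Viewer through help://. The sample HTML and its help:// targets are constructed placeholders, not real addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the browser renders or executes itself; any other scheme is handed
# to whatever application the OS registered for it, which is how a Web page
# could reach Help Viewer through a help:// address.
BROWSER_SCHEMES = {"", "http", "https", "ftp", "mailto", "javascript", "data", "about"}
# (tag, attribute) pairs whose value the browser will follow or load.
URL_ATTRS = {("a", "href"), ("iframe", "src"), ("frame", "src"),
             ("img", "src"), ("script", "src"), ("form", "action")}

class SchemeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, scheme) for every non-browser scheme

    def _check(self, tag, url):
        url = url.strip()
        scheme = urlsplit(url).scheme.lower()
        if scheme not in BROWSER_SCHEMES:
            self.findings.append((tag, url, scheme))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and (tag, name) in URL_ATTRS:
                self._check(tag, value)
        # A meta refresh follows its target without any click from the user.
        if tag == "meta":
            a = dict(attrs)
            if (a.get("http-equiv") or "").lower() == "refresh":
                content = a.get("content") or ""
                idx = content.lower().find("url=")
                if idx >= 0:
                    self._check("meta", content[idx + 4:])

def audit_html(html):
    """Return [(tag, url, scheme), ...] for URLs that leave the browser."""
    parser = SchemeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the help:// targets are placeholders, not real addresses.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=help://PLACEHOLDER-TARGET">
</head><body>
<a href="https://www.washingtonpost.com/">ordinary link</a>
<a href="/relative/page.html">relative link</a>
<a href="help://PLACEHOLDER-TARGET">hidden hand-off to Help Viewer</a>
</body></html>"""
```

Running `audit_html(SAMPLE)` reports the meta refresh and the third link, both handed to the "help" handler, while the http and relative links pass.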

Visit to see how this can work. You'll see the Help Viewer program open, and a moment later the Terminal application runs as well. You can watch as Terminal issues a "du" (disk usage) command, causing a lengthy string of numbers to scroll by -- harmless, but highly unnerving to see happening without any intervention on your part.

This is the kind of thing that would ideally be caught in pre-release bug testing. If not detected then, you'd expect that Apple would issue a fix once informed of it by a user. But according to the report on, Apple was notified of this problem in February.

This vulnerability was publicized early this week (see and, and that PR seems to have goaded Apple into action. It released a patch and distributed it through the Mac OS X Software Update system Friday evening -- several days after multiple third-party developers had released their own fixes for the problem (you can find the download here).

I installed Apple's update Friday night and verified that it worked by revisiting that proof-of-concept site. I asked Apple why this help:// feature had been included in the first place (and if anybody had yet implemented it in the manner Apple had intended). I also asked Apple if it could verify that it had been notified of the problem in February, and if so why it hadn't acted on that warning. The company declined to comment, offering only a generic, boilerplate reply.

That leaves me with only one conclusion: How pathetic is this? After having every opportunity in the world to learn from Microsoft's example, Apple instead followed it. The fact that this flaw still wouldn't cause the same amount of damage as a Windows vulnerability (OS X's multiple-user system prevents a user, or any malware running while a user is logged in, from damaging core system files and settings) would be no comfort to somebody who had just lost all their own data.

Answering a Reader's Verizon Wireless Question

I've got a follow-up to my last Web chat, where I promised to look into this question:

Washington, D.C.: I am completely amazed by what I just heard about Verizon's contract termination policy. The fiance of a friend of mine just passed away and she called to have his cell phone terminated. Verizon said that the account would be charged a $175 early termination fee and when she explained he had died they said it didn't matter WHY the account was being terminated and a death certificate wouldn't make a difference as they would charge the $175 anyway. Can you believe this?! In addition to being completely insensitive to a grieving person this policy seems insane.

The answer I got from Verizon Wireless was pretty much what I'd expected: That's absolutely not our policy, so somebody must have screwed up. Spokesman John Johnson e-mailed to say that "we would definitely close out such a contract without requiring an early termination fee payment."

While I'm on the subject of Verizon Wireless, I've gotten many questions about when Verizon is ever going to start selling the Treo 600, easily the best Palm/phone combination around. Verizon says it's testing the Treo 600 and hopes to launch it later this summer. What I still don't know: what Verizon could possibly find to test at this point, given that Sprint PCS has been selling a model that runs on the same wireless technology as Verizon since October.

Bits and Bytes

* Users of the Napster online-music service got a free software update last week. The primary addition, as far as I can tell, is MP3 encoding. The catch is, downloading the new Napster 2.5 doesn't actually include this feature per se; you have to click a link in its Options window to download a separate plug-in. After installing it and restarting Napster, you will be able to select MP3 as your CD-ripping format of choice (note, however, that this software doesn't support the popular "variable bit rate" encoding option, which makes somewhat more efficient use of your disk space).

* Further adventures in badvertising (an occasional feature in these parts): The ad insert H-P ran in The Post two Sundays ago contained three pages touting the company's HP- and Compaq-branded machines (one of which was praised as "thin, light and powerful"), but didn't specify the weight or dimensions of any of them.

-- Rob Pegoraro

© 2004 Washingtonpost.Newsweek Interactive
