Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Monday, 06 September 2010 16:14

iTunes 10's Automator issues indicate a deeper problem


The compatibility problems between iTunes 10 and existing Automator actions and AppleScripts for iTunes may be symptomatic of a deeper issue at Apple.


My recent article Training the key to avoiding software security flaws presented the opinion of Rocky Heckman, senior security architect at Microsoft, that training is the best approach to reducing the incidence of common programming errors that make software vulnerable to attacks.

Over the weekend, it occurred to me that functional problems are also being caused by programmers making the same old mistakes.

This thought was triggered by complaints that iTunes 10 (released late last week) breaks Apple's own Automator support as well as many third-party AppleScripts.

The problem, it turns out, is not that version 10 does anything differently to its recent predecessors, but that the programmers who created the Automator actions and AppleScripts didn't know how to test for the version number of the application they were supposed to be supporting.

Well-written scripts and actions will check the version number of the host software in case someone tries to use them with an old version that doesn't include an essential feature. For example, the Add Songs to Playlist action checks that iTunes is no older than version 4.6.

The problem is that version numbers aren't actually numbers.

That seemingly contradictory statement is explained on page 2.




10 > 9 is true, but "10" > "9" is false - when comparing strings, "1" comes before "9". And version 'numbers' such as 9.2.1 aren't actually numbers as they contain two decimal points. So to correctly compare the actual version number with the minimum required, a script needs to extract the major version number ("9", in the example given) from the rest of the string, convert it into a number, and then do the comparison. Another approach is to pad single-digit strings with a leading zero (eg, "9" becomes "09", and then "10" > "09").

If an essential feature debuted in other than a major version, eg in version 9.2, the basic technique remains the same except that the second part of the number must be included in the process.
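The comparison described above, generalised to every dotted component rather than only the first one or two, as an added example that is not code from the article, Apple or any script author. It is written in Python for illustration; the function names are hypothetical, and it assumes dot-separated components that each begin with digits.

```python
import re

def parse_version(text):
    """Turn "10.4.10" into (10, 4, 10) so components compare as integers."""
    parts = []
    for component in text.strip().split("."):
        digits = re.match(r"\d+", component)  # assumption: ignore suffixes like "b2"
        if digits is None:
            raise ValueError(f"non-numeric component in version {text!r}")
        parts.append(int(digits.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # "10.0.0" and "10" are treated as the same version
    return tuple(parts)

def naive_at_least(actual, minimum):
    """The flawed check: compares the raw strings character by character."""
    return actual >= minimum

def at_least(actual, minimum):
    """The corrected check: compares component by component as numbers."""
    return parse_version(actual) >= parse_version(minimum)

def pad_version(text, width=2):
    """The zero-padding alternative: "9" -> "09", so string order matches
    numeric order as long as no component exceeds `width` digits."""
    return ".".join(part.zfill(width) for part in text.split("."))

# Version pairs taken from the article's own examples (installed, required).
CASES = [
    ("10", "4.6"),          # iTunes 10 against the 4.6 minimum
    ("10.4.10", "10.4.6"),  # the Mac OS X 10.4.10 case
    ("9.2.1", "9.2"),       # feature introduced in a minor release
    ("9", "9.2"),           # genuinely too old: both checks should refuse
]

def compare_all(cases=CASES):
    """Return (installed, required, naive result, numeric result) per pair."""
    return [(a, m, naive_at_least(a, m), at_least(a, m)) for a, m in cases]

if __name__ == "__main__":
    for actual, minimum, naive, correct in compare_all():
        print(f"{actual:>8} >= {minimum:<7} naive={naive!s:<5} numeric={correct}")
```

The first two rows are the ones where the string comparison wrongly rejects a newer version; the last two show that it can still appear to work, which is why the defect survives casual testing.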

So why do I describe blindly checking version numbers as one of the same old mistakes? Because we've seen it - or at least a variation of it - before.

Back in mid 2007, Apple released the Mac OS X 10.4.10 update and a similar problem occurred, just at the other end of the version number. Some software (eg Microsoft's Silverlight installer, but I'm sure there were other examples) bodged the comparison and decided that 10.4.10 was older than 10.4.6 or whatever subversion really was required.

So how could this sort of problem be avoided? Heckman's suggestion of training would clearly help. If you've been taught how to compare version numbers reliably, you'll probably get it right.

But is this really something programmers should be worrying about? Wouldn't it make more sense to have a platform-wide function to compare version numbers that's easily accessible everywhere including AppleScript? Even then, some assumptions might be necessary (who knows what a demented programmer might decide to put in a version number string!), and that could lead to unexpected results.

Version number comparison isn't an isolated problem - please read on.




This is somewhat reminiscent of the Y2K bug. Apart from those who believed the end of the world was at hand, we all knew 2000 was going to roll around but not all programmers allowed for it. In fairness, an awful lot of code survived for a lot longer than the original developers expected, some of it dating back to a time when memory and storage were very much more expensive than they are today.

Even if Mac developers could once reasonably assume that Apple's own version numbers were amenable to simple string comparisons, that era ended in 2007. I can understand why individuals might get this wrong if they create AppleScripts essentially to meet their own requirements and later apply a little polish before releasing them to the world, but that doesn't provide an excuse for the Apple employees or contractors who are presumably responsible for the Automator actions for iTunes.

Automator and iTunes both date back to before 2007, so I am inclined to give a break to whoever originally created the actions. But this issue - along with the recently discovered '_Marshaled_pUnk' vulnerability in the QuickTime ActiveX plugin for Windows and the ongoing discovery of security-related overflow bugs in Apple's software - suggests there may be a lack of effective code reviews at Apple.

 


Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
