Buggy iTunes 11.2 update opened serious security hole on Apple Macs

When Apple rolled out an updated version of Mac OS X this week I grumbled about the lack of information regarding what (if anything) was being fixed security-wise.

It turns out that my attention was entirely focused in the wrong direction. Rather than worrying about the OS X update, I should have been more concerned about the simultaneously-released new update for the Mac edition of iTunes, version 11.2.

The Mac Observer was one of the first publications to report that many users had noticed that their /Users and /Users/Shared folders had seemingly disappeared into thin air.

Missing Users folder

And, it turns out, it was the new version of iTunes that was to blame.

As a support note from Apple explains, iTunes 11.2 introduced a bug which could have allowed users who share your iMac or MacBook to compromise other user accounts on the computer.

Impact: A local user can compromise other local user accounts

Description: Upon each reboot, the permissions for the /Users and /Users/Shared directories would be set to world-writable, allowing modification of these directories. This issue was addressed with improved permission handling.
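As an added example that is not from the article or from Apple, the following POSIX shell script audits the two directories named in the advisory for exactly the drift it describes. The expected modes are my assumption of the OS X defaults (/Users 755, /Users/Shared 1777, i.e. world-writable but sticky); adjust them if your baseline differs.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: audit the two
# directories the iTunes 11.2 advisory names for the permission drift it
# describes. Expected modes are the OS X defaults as I understand them
# (assumption): /Users is 755 and /Users/Shared is 1777, i.e. world-writable
# but with the sticky bit, so users cannot delete each other's files.

# Ten-character symbolic mode of a path, e.g. "drwxr-xr-x". ls -ld is used
# because GNU and BSD stat take different flags for the same information.
perm_string() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    ls -ld "$1" | cut -c1-10
}

# Succeeds (exit 0) when the directory is world-writable without the
# sticky bit, the condition the advisory calls "set to world-writable".
is_unsafe_world_writable() {
    case "$(perm_string "$1")" in
        ????????w[tT]) return 1 ;;   # writable but sticky: the /Users/Shared default
        ????????w?)    return 0 ;;   # writable, no sticky bit: drift
        *)             return 1 ;;
    esac
}

# Compare a directory with its expected symbolic mode; print a verdict and
# the chmod that would restore the default. Exit 0 on match, 1 on drift.
check_dir() {
    dir=$1; expected=$2; fix=$3
    actual=$(perm_string "$dir")
    if [ "$actual" = "$expected" ]; then
        echo "OK    $dir $actual"
        return 0
    fi
    echo "DRIFT $dir is $actual, expected $expected (restore: chmod $fix $dir)"
    return 1
}

# Audit /Users and /Users/Shared under an optional root (handy for running
# against a scratch tree). Exit status is the number of directories that drifted.
audit_users_dirs() {
    root=${1:-}; failures=0
    check_dir "$root/Users"        drwxr-xr-x 755  || failures=$((failures + 1))
    check_dir "$root/Users/Shared" drwxrwxrwt 1777 || failures=$((failures + 1))
    return $failures
}

# Run against the live system only when it actually has a /Users tree.
[ -d /Users ] && audit_users_dirs
```

Run it after each reboot (the advisory says the permissions were reset on every boot) and a non-zero exit status means at least one directory has drifted from its default.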

Now, maybe that doesn't matter to most users who probably don't have multiple accounts on their Macs, but in an environment where a number of people might be sharing the same computer that's not good news at all.

And even if you weren't at risk from the security hole that iTunes 11.2 introduced, you should still be wondering just how a flaw like that crept into Apple's code without their testing department noticing.

The good news is that Apple quickly issued a fix in the form of iTunes 11.2.1, which reportedly resolves the issue.

The bad news is that this means you're going to have to download iTunes all over again - a not insubstantial download.

Hefty iTunes update

If you work in a company's IT security department, you want to be given usable, actionable information about what security issues an update addresses so you can decide how important it is to push out across the computers under your control.

Understandably, many firms are cautious about making any changes to their users' computers' operating systems, in case incompatibilities or problems are introduced.

An update can offer all the bells-and-whistles and funky features in the world, but your users are not going to appreciate the newly improved support for 4k displays (one of the enhancements in OS X 10.9.3) if the apps they use every day no longer work properly, or if unexpected behaviour by their computer sends them scurrying to the IT support desk for help.

This vulnerability was patched quickly, but the truth is that proper quality control should have meant that it was never introduced in the first place.

Thanks for fixing it quickly Apple, but next time work harder to make sure you're not introducing bugs like this in the first place.


2 Responses

  1. Vito

    May 19, 2014 at 6:41 pm #

    Quality control at Apple has been in serious decline for the last couple of years. For those of us in the pro audio field, the fiasco of Logic Pro 9 being broken in Mountain Lion is infamous. And this nonsense of updating through the App Store is simply absurd. When the update for the new version turns out to be broken, how can you revert to the previous version if you installed it using the App Store, which leaves you without an installer?

    Apple has removed functionality and features from various apps (TextEdit, for example) and from OS X itself (try navigating huge documents without scroll arrows, using only a scroll bar). What's up with hiding the user Library? And the search functions in Finder have become increasingly non-intuitive and user-unfriendly. It's scandalous that I have to use a third party search app to find things on my Mac.

    Apple is gradually destroying the Mac environment, which once was famous for its intuitive interface and ease of use. The new paradigm is change for the sake of change. I'm sorry to say it, but they're losing their way in Cupertino.

  2. Campbell

    May 20, 2014 at 12:12 pm #

    Just curious; did 11.2 on Windows show up as having functional problems (like a series of errors, and then iTunes does not start)? I had this fail on my main iTunes computer. Thankfully it did not destroy my files, just my installation of iTunes. I thought there was a registry or fragmentation issue on the PC, and luckily my main work computer at home was not updated, just the iTunes PC. Will, or is, 11.2.1 supposed to fix this for Windows, if it does exist for Windows?
    Ta
