When Apple rolled out an updated version of Mac OS X this week I grumbled about the lack of information regarding what (if anything) was being fixed security-wise.
It turns out that my attention was entirely focused in the wrong direction. Rather than worrying about the OS X update, I should have been more concerned about the simultaneously-released new update for the Mac edition of iTunes, version 11.2.
The Mac Observer was one of the first publications to report that many users had noticed that their /Users and /Users/Shared folders had seemingly disappeared into thin air.
And, it turns out, it was the new version of iTunes which was to blame.
As a support note from Apple explains, iTunes 11.2 introduced a bug which could have allowed users who share your iMac or MacBook to compromise other user accounts on the computer.
Impact: A local user can compromise other local user accounts
Description: Upon each reboot, the permissions for the /Users and /Users/Shared directories would be set to world-writable, allowing modification of these directories. This issue was addressed with improved permission handling.
Now, maybe that doesn’t matter to most users who probably don’t have multiple accounts on their Macs, but in an environment where a number of people might be sharing the same computer that’s not good news at all.
And even if you weren’t at risk from the security hole that iTunes 11.2 introduced, you should still be wondering just how a flaw like that crept into Apple’s code without their testing department noticing.
The good news is that Apple quickly issued a fix in the form of iTunes 11.2.1, which reportedly resolves the issue.
The bad news is that means you’re going to have to download iTunes all over again - a not unsubstantial download.
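For anyone who wants to confirm that a shared Mac is not still left in the state Apple's note describes, here is a small permission audit, added as an example and not taken from Apple or from the original article. The function names are hypothetical, and it assumes the expected defaults are that /Users is not world-writable and that /Users/Shared is world-writable only with the sticky bit set.

```shell
#!/bin/sh
# Added example: audit /Users and /Users/Shared for the world-writable
# state described in Apple's note. Function names are hypothetical.

# Print one of: missing | unsafe | sticky | ok
#   unsafe = world-writable without the sticky bit (any local user can
#            rename or delete other users' entries in the directory)
#   sticky = world-writable, but entries are protected by the sticky bit
classify_dir() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
        echo unsafe
    elif [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo sticky
    else
        echo ok
    fi
}

# audit_dir DIR "ALLOWED STATES": report and return 1 on an unexpected state.
audit_dir() {
    state=$(classify_dir "$1")
    case " $2 " in
        *" $state "*) echo "OK    $1 ($state)"; return 0 ;;
        *)            echo "ALERT $1 ($state)"; return 1 ;;
    esac
}

# audit_users [PREFIX]: PREFIX lets you point the check at a mounted
# backup or test tree instead of the live system root.
audit_users() {
    root=${1:-}
    rc=0
    # Assumed defaults: /Users must not be world-writable at all;
    # /Users/Shared may be world-writable only with the sticky bit.
    audit_dir "$root/Users" "ok" || rc=1
    audit_dir "$root/Users/Shared" "ok sticky" || rc=1
    return $rc
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    audit_users
fi
```

Because the advisory says the permissions were reset on each reboot, run the check again after restarting a machine that has been updated to 11.2.1.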
If you work in a company’s IT security department, you want to be given usable, actionable information about what security issues an update addresses so you can decide how important it is to push out across the computers under your control.
Understandably, many firms are cautious about making any changes to their users’ computers’ operating systems, in case incompatibilities or problems are introduced.
An update can offer all the bells-and-whistles and funky features in the world, but your users are not going to appreciate the newly improved support for 4k displays (one of the enhancements in OS X 10.9.3) if the apps they use every day no longer work properly, or if unexpected behaviour by their computer sends them scurrying to the IT support desk for help.
This vulnerability was patched quickly, but the truth is that proper quality control should have meant that it was never introduced in the first place.
Thanks for fixing it quickly Apple, but next time work harder to make sure you’re not introducing bugs like this in the first place.