Apple rushes out iTunes 11.2.1 – fixes giant permissions hole


Did you just download the quarter-gigabyte iTunes 11.2 update for your Mac?

If so, consider it a practice run: you need to do it all over again.

It seems there was a rather spectacular permissions blunder in the iTunes 11.2 update, forcing Apple to rush out iTunes 11.2.1 for OS X within two days.

According to Apple’s security bulletin:

Upon each reboot, the permissions for the /Users and /Users/Shared directories would be set to world-writable, allowing modification of these directories.

Is this a dangerous hole?

For many users, not really.

If you only have one user account on your Mac, because you don’t let anyone else use it, you’re able to write to your own files at any time anyway.

But if you have a Mac with more than one user account, you don’t want those accounts to be able to interfere with one another’s data, even though they may be known (and trusted) local users rather than unknown attackers from outside.
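A quick check for the condition the bulletin describes, added here as an example and not taken from Apple or the original article; the function names are hypothetical and it relies only on portable `find -perm` tests. It separates a world-writable directory that has the sticky bit (others can add entries but not remove someone else's) from one that lacks it (any local account can rename or delete any entry), which is the case that lets accounts interfere with one another.

```shell
#!/bin/sh
# Added example: classify a directory by its "other" write bit and sticky bit.
# Function names are hypothetical; paths default to those in Apple's bulletin.

# Prints one of: safe | sticky | open | missing
dir_exposure() {
    target=$1
    [ -d "$target" ] || { echo missing; return 0; }
    # "-perm -MODE" matches when every bit in MODE is set (BSD and GNU find).
    if [ -z "$(find "$target" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo safe      # others cannot create, rename or delete entries
    elif [ -n "$(find "$target" -maxdepth 0 -perm -1000 2>/dev/null)" ]; then
        echo sticky    # others can add entries; only owners can remove them
    else
        echo open      # any local user can rename or delete any entry
    fi
}

# Report on both directories; return 1 if either is world-writable
# without the sticky bit.
audit_users_dirs() {
    rc=0
    for dir in "${1:-/Users}" "${2:-/Users/Shared}"; do
        state=$(dir_exposure "$dir")
        printf '%-8s %s\n' "$state" "$dir"
        if [ "$state" = open ]; then
            rc=1
        fi
    done
    return $rc
}

# Run against the default paths (or two paths given as arguments).
audit_users_dirs "$@" || echo "world-writable directory without sticky bit found"
```

Because the bulletin says the permissions were reset upon each reboot, run the check again after restarting with the update installed.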

The bad side of this bug is that you would quite reasonably expect this sort of fault to show up in testing.

The good side, if bugs can have good sides, is that Apple fixed it very quickly.

In 2013, in contrast, Apple dithered for more than six months over fixing a serious elevation of privilege hole in sudo, a tool used in system administration to authorise individual commands to run as root.

This latest update proves that Cupertino can move swiftly to fix security problems when it wants, so let’s hope that attitude is something we see more of.

By the way, eagle-eyed readers will notice that this update applies to the most recent four versions of OS X, namely 10.6 (Snow Leopard), 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks).

We’ve suggested several times that you should consider Snow Leopard “unofficially unsupported” because it hasn’t been getting security fixes since 10.9 came out.

We stand by that assessment, even though OS 10.6 is covered in this case: although this is a security fix, it’s not really a fix for the operating system components themselves, just for one of the many applications that run on it.

Having said that: if you have already installed iTunes 11.2 and have a Mac with more than one user account, consider this a critical update and grab it right away.

Note. This bug and the associated update apply only to iTunes on OS X. iTunes on Windows is not affected.