iTunes 11.2 upgrade fiasco challenges trust in Apple

“The way Apple has handled the iTunes 11.2 upgrade bug that made the /Users folder invisible is troubling. It’s a matter of concern how and why it happened, that an OS bug should be introduced in an iTunes update, and how Apple handled the fix,” John Martellaro writes for The Mac Observer.

“First of all, it’s very important for app updates to be completely orthogonal to OS operations,” Martellaro writes. “If there’s a methodology in the script for an app update that affects the operating system, then the update process should come under considerably more scrutiny. It needs to be rethought.”

“QA testing, painstaking work that it is, can always benefit from more experienced, curious, savvy testers. Letting the customers find terrible bugs in a new release is greatly damaging to Apple’s image, much more so in magnitude than paying for additional tests,” Martellaro writes. “Of further concern is the way Apple handled the fix. Once it was understood how the iTunes 11.2 update, in concert with FMM [Find My Mac], could cause an important system folder to become invisible, it would have been reasonable to surmise that a great many users were affected by this bug. Accordingly, it was disingenuous for the Mac App Store release notes for iTunes 11.2.1 not to mention that it fixed this specific problem that some users were having with the OS… Instead, Apple quietly mentioned the issue in its Apple Product Security Notes—something that not many customers subscribe to—very late on May 16. Plus, there was a mention in an Apple support note, on the weekend, just to be all official.”

Read more in the full article here.

MacDailyNews Take: Puleeze. A mistake was made and it was quickly corrected. Not a big deal.

[Thanks to MacDailyNews Reader “Jeff” for the heads up.]

Related articles:
Apple releases iTunes 11.2.1 update to correct hidden ‘/Users’ folder bug – May 17, 2014
OS X 10.9.3: Why is the /users folder hidden for some users, but not all users? – May 16, 2014
Apple releases iTunes 11.2 – May 15, 2014

57 Comments

    1. Given the premium consumers pay for Apple computers, perfection is something consumers should not only expect from Apple, it’s something consumers should demand. The Apple disciples need to stop making excuses every time their favorite company screws up and blows the dog!

      1. That’s a bit of an overreaction. Demand high quality, yes. Perfection is unattainable. For what they do, and at the magnitude they do it at, Apple is among the best at keeping things clean for us. When a minor issue arises, get the fix out fast. That’s what they did. Not all people were affected by this. I wasn’t. The App Store doesn’t tell me I need to upgrade to iTunes 11.2.1. I’m at 11.2 and OS 10.9.3 and never had this issue. It must be hardware or configuration specific. Adobe online Creative Suite goes haywire, a much bigger problem than Apple’s, and the affected people had a much worse experience. Not nearly enough hell was raised over that.

        1. This was far worse than Adobe’s Creative Cloud outage. Granted many of us were pissed at Adobe because we can’t stand subscription software and this was a great example of just one of the many reasons why.

          But at the end of the day, some components of the Creative Cloud couldn’t be used for a day. Most of Creative Cloud was still accessible since it was just the verification server that was out, which could be out for a month without shutting down the software.

          That’s much different from the real issue here which had nothing to do with the triviality of an invisible folder. The real bug was that it made the Users folder world-writeable. Which means anyone with physical or net access to your Mac was given complete access to all users (including admin).

          Not being able to use some of the components in Creative Cloud for a day is bad, but compare that to finding that someone got access to every users account including the admin accounts and wiped everything, including any connected backup drives.

        2. It was a bug. Yes, a nastier bug than most people think. However, bugs happen. It is a fact of life. Apple issued an update/fix quite quickly. Expecting more than that is truly asinine.

          Apple’s Mac OS automatically notifies people of an update’s availability. If you get notified of an update it is YOUR responsibility (not Apple’s) to decide if you’re going to update or not. Apple’s job is to get the update/bug fix out there. Each user needs to take some responsibility for knowing their Mac.

          While the whiners here seem to think that a Mac should be as simple to use and maintain as a common screwdriver, it is not — and never will be. No computer today is and likely never will be.

        3. @Shadowself,

          Yes, see my other comments where I repeatedly said that Apple responded quickly on this. This comment was only to compare this issue to the Creative Cloud issue, which was in fact totally trivial. One day of maybe not being able to access new components that you’ve never used before in Creative Cloud versus having all user directories being writeable for a day.

          I’m not “whining” about anything, just pointing out that this issue had nothing to do with an invisible folder and everything to do with the security risk that was the result of the iTunes update.

          This type of mistake will happen and as users we need to prepare for it, but that’s a lot to ask of grandma, and frankly, while it doesn’t happen often, Apple did drop the ball here (even if they quickly picked it back up).

        4. “Which means anyone with physical or net access to your Mac was given complete access to all users (including admin).”

          This is exactly the type of person that I figured would get upset over this issue; a person that does not know anything about how computers and file systems actually work.

          First of all, that statement is completely false. Even with the Users folder world-writeable, in order to access any other accounts, you still have to be able to log in under those accounts. Making the Users folder world-writeable just means that any user can add files to the folder – THAT’S ALL IT MEANT.

          All the user home folders inside /Users were still completely protected. Even though under standard UNIX permission rules making a folder that is world-writeable means even being able to delete any item within, OS X employs ACLs (access control lists) which is a secondary set of permissions. Criteria has to be challenged and met through several security layers before anything can pass. It just so happens that all home folders are created with a standard ACL rule; “group:everyone deny delete”. This means that only the owner can delete the folder, everyone else is denied that ability.

        5. Read the very sentence you chose to quote me on. What part of “access” did you not understand?

          Secondly, you’re confusing setting up a public dropbox with making all user directories writeable from the top down. Want to make your entire admin user directory writeable and see how fast someone can completely own your Mac, including deleting everything?

        6. “What part of “access” did you not understand?”

          I figured you meant someone who could log onto my computer?

          If that’s the case, then nothing I said was wrong. No other user on the system can modify any part of another user’s home folder, except the Public Drop Box, where things can be “dropped” into. Even if the “/Users” folder is changed to world-writable.

          Try it yourself on your own Mac…

          Create a “dummy” user account, change the /Users folder to world-writable and try to delete and modify the “dummy’s” home folder … the system won’t let you, it constantly asks for Administrator authorization. You can’t rename it, delete it, make any changes what-so-ever …even from the command line.

          So you’re still absolutely wrong in what you said.. the issue with /Users folder will NOT affect all the other accounts on your system – AT ALL.

          “Want to make your entire admin user directory writeable and see how fast someone can completely own your Mac, including deleting everything?”

          First of all, as stated above… iTunes did not make all users’ home folders world-writable, it made one folder writable, the “/Users” folder. (I think this is a major point of confusion on your part.)

          Second, as I stated in my previous post – even if it was made world-writable, the ACL would control anyone from being able to make any changes.

          Again, you can try this on your Mac…

          Make the “dummy” home folder and all of its contents world-writable.
          Now try to delete it or even rename it.
          Try to delete ANYTHING in it.

          You can’t.

        7. The issue isn’t with making the top level directory world-writeable as you can set in permissions, the issue was that iTunes 11.2 made the entire directory including sub-directories world-writeable. Try this, install iTunes 11.2 allow the bug to occur and you’ll see that anyone with any access has write access to anywhere in Users including all subdirectories and any admins. This is what I witnessed on two Macs. Again, it was a pretty big bug which is why Apple reacted so incredibly fast.

        8. @kevicosuave: “the issue was that iTunes 11.2 made the entire directory including sub-directories world-writeable.”

          This didn’t happen on my computer… I was posting on another site regarding this issue and just happened to take a screen shot of my terminal (after upgrading to 11.2) to show that the “Shared” folder was also hidden. The shot (link below) shows that the other folders were not affected by the bug…

          You can see just below “Shared” there’s another user folder, “josh” (a friend’s account), and you can barely see that the permissions are “rwxr-xr-x+”, which is exactly what they should be. You can also clearly see that the guest folder was not affected.

          Only the “/Users” and “/Users/Shared” folders on my system were affected by the bug. Furthermore, there was no other mention, in any of the “fixes” around the web, about other home folders being affected. Only the “Users” and “Shared” folders needed fixing. (Actually the only problem with the “Shared” folder’s permissions was that the sticky bit was off.)
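The permission states argued over in this thread can be checked directly instead of inferred. The following is an added example, not code from the article, any commenter or Apple: it reports whether `/Users`, `/Users/Shared` and each home folder is world-writable, lacks the sticky bit, or carries the hidden flag. It assumes a baseline in which `/Users` is not world-writable and `/Users/Shared` is world-writable with the sticky bit; `build_sample` and the folder name `josh` form a constructed tree so the check runs on any OS.

```python
import os
import stat

# BSD/macOS "hidden" file flag; fall back to its numeric value if undefined.
UF_HIDDEN = getattr(stat, "UF_HIDDEN", 0x8000)


def audit_dir(path, allow_world_write=False):
    """Return findings for one directory's POSIX mode bits and file flags.

    ACL entries (such as a deny-delete rule on a home folder) are not
    inspected here; on macOS, `ls -led <path>` shows them.
    """
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    findings = []
    if world_writable and not allow_world_write:
        findings.append("world-writable")
    if world_writable and not sticky:
        # Without the sticky bit, any user may rename or remove entries
        # they do not own, as far as POSIX mode bits are concerned.
        findings.append("world-writable without sticky bit")
    if getattr(st, "st_flags", 0) & UF_HIDDEN:  # st_flags exists on BSD/macOS only
        findings.append("hidden flag set")
    return findings


def audit_users(root="/Users"):
    """Audit root, root/Shared and every other directory directly under root."""
    report = {root: audit_dir(root)}
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if entry.is_dir(follow_symlinks=False):
                shared = entry.name == "Shared"  # assumed baseline: 1777
                report[entry.path] = audit_dir(entry.path, allow_world_write=shared)
    return report


def build_sample(base, users_mode, shared_mode, home_mode=0o755):
    """Create a constructed stand-in for /Users under base; return its path."""
    root = os.path.join(base, "Users")
    layout = (("Shared", shared_mode), ("josh", home_mode))
    for name, _ in layout:
        os.makedirs(os.path.join(root, name))
    for name, mode in layout:
        os.chmod(os.path.join(root, name), mode)
    os.chmod(root, users_mode)
    return root


if __name__ == "__main__" and os.path.isdir("/Users"):
    for path, findings in audit_users("/Users").items():
        print(path, "->", ", ".join(findings) or "ok")
```

Run on each affected Mac, the per-folder output shows whether only `/Users` and `/Users/Shared` changed or whether home folders did too, which is the point the commenters disagree on.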

      2. Oh please I have never found perfection in any product or ever expect to, even my last 2 coffee frothers have broken within a year and they are about as simple as it gets as an electrical device. Apple may not have excelled themselves here but to demand perfection and no errors altogether is pointless because though you may strive for it it is actually impossible to achieve in such a complex ecosystem. Hey even the Disciples accepted that Christ wasn’t perfect as he was quick to emphasise himself.

    1. These guys are desperately trying to make themselves relevant. I was a member of an Apple financial forum for investors hosted at TMO. A couple years ago they notified us that they would be kicking the forum off their server, since we were dominating the traffic on their site. When people complained about this decision they were met with arrogance and scorn. We quickly re-established the forum at another location and it is lively and vibrant to this day. TMO is now moribund. Their remaining forums’ most recent posts are typically days, weeks, or months in the past. There is one forum that is updated almost daily, almost always by a TMO admin, and almost always with no replies. The site has become a pathetic ghost of its former self. This article is pure desperation and hit whoring.

      1. Absolutely right and since Martellaro has recently started writing for The Street, he probably feels that he needs to prove himself as Being able to “call Apple out” too…

        What a pathetic bone he picked to pick…

  1. This author must have been affected by the bug so now it is time to go thermonuclear on Apple because the author is also a Samsung user… That’s my guess.

  2. What I find amusing and ironic about this debacle is that Podcast features – in both iTunes and iOS – have been a buggy mess for MONTHS with virtually no one complaining. Now Apple is finally putting someone to work on them – interns perhaps? – and the problems are slowly starting to get untangled – in starts and fits. Guess it goes to show which squeaky wheels get the grease…

  3. Hit w……., small percent users got the issue, no data lost, no security breach, no privacy risk, fast solution, author probably under Samsung payroll, issue happened, was solved, article over blows reality

  4. The invisible folder issue wasn’t the real bug, the real bug was that it made the Users folder world-writeable. Which means anyone with physical or net access to your Mac was given complete access to all users (including admin).

    While an invisible folder may be inconvenient, losing permissions in this way is almost as big of a security flaw as you could possibly have.

    Apple’s response on this was as quick as they possibly could, meaning there’s really no level of response greater in terms of how Apple handles things.

    Part of this though is to fix-first, quietly announce later, and the quieter the better.

    If Apple announced, hey everybody, it’s open season on Macs!!!, then that would’ve caused more harm than good.

    The author of the article does bring up a good point though, and that is wow, this was a pretty big bug in an app that you wouldn’t expect was capable of such a thing.

    1. “The invisible folder issue wasn’t the real bug, the real bug was that it made the Users folder world-writeable. Which means anyone with physical or net access to your Mac was given complete access to all users (including admin).”

      Wrong. The DIRECTORY was set “write: other”, not the files inside the directory. Under Unix permissions that means a person already logged into the system could add files to the directory, and delete files. However, Apple’s additional permissions system permitted ONLY owners of the files in question to delete them. So the real situation is that someone with password access to the system could have added a user file to the /Users directory. Bad, yes, but not the end of the world.

      1. That’s not what I observed. If you have access to iTunes 11.2, try this yourself. Install it on a Mac and let the bug appear. On two of my Macs, it set the whole directory and sub-directories as writeable to everyone, including admin user directories. At that point, a system can be completely owned by anyone with access.

      2. I agree with you though, not the end of the world, but bad, and bad enough that Apple reacted very quickly (as quickly as could be expected) to fix the situation.

  5. Once it was understood how the iTunes 11.2 update, in concert with FMM [Find My Mac]

    I personally found ZERO connection to Find My Mac.

    I must also point out that the bug did not only hide /Users. It also hid /Users/Shared. AND it wrote WRONG permissions to /Users/Shared. Let’s be accurate and thorough here please. That’s not too much to ask.

    AND after the bug was made evident, we watched Apple release LOUSY documentation about it, which someone at Apple caught, withdrew, and had rewritten to something sane and logical.

    IOW: Apple has two consistent problems right now:

    1) Crap coding sneaking into their programming processes. This is not a recent problem. It’s a core self-destructive problem of prime priority.

    2) Crap documentation. I can verify that the crap documentation problem has been going on for YEARS and must stop yesterday. Obviously, this is of secondary importance. But I am sick to death of having to point out crap documentation just about every time an update is released and watching the inevitable user confusion. It’s not acceptable. I don’t care who gets fired. It’s not acceptable. Hire me. Hire Hannah. Hire someone who CARES about documentation. Just FIX IT Apple. Stop treating documentation as an annoyance. It’s CRITICAL in coding. It’s CRITICAL in helping developers and users. Don’t make me rant about this over and over please. It makes you look really stupid.

      1. No complaint from me. What is iTunes doing messing with those permissions anyway? Did they have some problem where the “easy” solution was to temporarily make it world-writeable, but then they forgot to change it back (or had some bug preventing that code from executing)?

      1. In Japanese? That would take me some time indeed. If you mean English translations thereof, I’ve fought through my share. I must point out, however, that Panasonic/Matsushita has written some remarkably readable tomes.

  6. I love Macs. I have many, and pretty much at least two of everything Apple makes. I’m a huge Apple fan. That said, if another company did this, for example Microsoft, MDN editors would be all over it with negativity and stating their world is ending, and, telling how much better Apple is… Yes, companies make mistakes. My complaint is MDN should give the same critiques of Apple, they do of all the other vendors. I get it, we’re all Apple fans; however, it discredits the MDN editors when they hold Apple, to a more laced set of rules.

    1. The difference is that this kind of thing occurred almost daily with MS. It wasn’t even news. It was expected. Having been a systems admin and tester, I can assure you that nobody and no process is perfect. Apple is light years ahead of most companies in this regard.

    2. Zeke is right. At times MDN is mild when it should be sharp; at other times, frothing at the mouth and summoning the villagers and lighting their torches, when it should pursue a more tentative approach. Jekyll and Hyde! At least this is evidence of human machinations behind the scenes at MDN, who sometimes comes across as a sleepy news scraper.

      1. I’ve noticed this as well, hannah. The comment I’m replying to won’t be on this blog a week or two from now… Any constructive criticism towards MDN often claims a morbid censured fate as time flitters by, no matter if your opinions are valid and coherent.

        Cheers!

  7. The sky is falling, a plague is coming, the dark one has awoken, Another Twilight Movie is coming….whatever. It was not a big thing and no one lost data, work hours or complete meltdown over it. It was fixed in a snap and probably most people never even noticed it.

  8. Yes it is a big deal. Where in the yellow is the Q&A. Put the skill and analisum 😉 into your code and Q&A of the code as you do into hardware fit and finish and design. You’re making Microsoft look good with these coding screw ups. Are we off shoring our Apple coding these days?

  9. What’s the big deal? Most Mac users I know never actually go into the /Users folder anyway. They have long since added the folders they access most of the time to the Finder sidebar or to the Dock. All of these people screaming like stuck pigs over this need to shut the hell up.

  10. I agree with the author. An iTunes update should not have affected the OS. Apple is pushing updates that do more than what is documented and that is a problem for consumers.

  11. It’s a folder attribute. It’s not an OS bug. The OS was operating as it was told to do. Why for some people the /User folder became hidden, I don’t know. But it didn’t happen to everyone, and it left my computer alone in that regard. Hardware and software are wholly very complicated things.

    If every software vendor published every change they make to the system, in their update, you wouldn’t bother reading the list it would be so long. The major changes are what you read. Little stuff, like folder bit set or other, fall under the title, “bug fix.”

    However I believe this was not an undocumented change, but an actual unintended event. So no one was trying to “sneak” anything.

    Apple fixed it, so let that be the end of it.

    Stop with the bees up the butt attitudes.

    1. It’s not that the folder became hidden for some users, it’s that it changed permissions for the entire Users directory, meaning any user, even a guest, could have access to every user directory on the system including the admin and wipe everything (including any attached backup drives).

      This really was a bad mistake, thankfully it was caught and fixed very rapidly.

    1. I know I’m repeating myself, but it’s important for people to understand this… It wasn’t an issue of an invisible folder, it’s that it changed permissions for the entire Users directory, meaning any user, even a guest, could have access to every user directory on the system including the admin and wipe everything (including any attached backup drives).

      This really was a bad mistake, thankfully it was caught and fixed rapidly.

  12. “fiasco-challenges-trust-in-apple….”
    Lol.. What type of drugs are you on John?
    Take a chill pill and relax …. The problem was fixed quickly .
    Praise apple for the quick fix !

  13. I thought Apple was making the folder invisible on purpose – similar to what they did with the Library folder. Does anyone ever really go to the Users folder? No. They typically just go Home.

  14. iTunes is loaded with bugs that Apple refuses to acknowledge. A simple visit to the iTunes support community will reveal this. I still receive emailed follow-ups for a problem that has been ongoing since October.
