
Apple Releases iTunes 11.2.1 – Fixes iTunes 11.2 Security Bug


Last week on Thursday, Apple released an iTunes update to version 11.2 in conjunction with an updated version of Mac OS X. Then on Friday, Apple rolled out iTunes 11.2.1 as an emergency update, after the previous version mistakenly opened a serious security hole on Apple Macs. Apparently, after updating to iTunes 11.2, Mac users began noticing that their /Users and /Users/Shared folders were missing, having vanished upon reboot.

Apple’s iTunes 11.2.1 update is available for Mac OS X 10.6.8 or later.

iTunes 11.2.1 update notice

Apple’s first update on Thursday, iTunes 11.2, addressed the following vulnerability:

CVE-2014-1296 : An attacker in a privileged network position can obtain iTunes credentials. Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines.
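The parsing rule behind that fix, sketched in Python as an added example (this is not Apple's code): a header line counts only once its terminating CRLF has arrived, so a Set-Cookie line cut off before its `Secure` and `HttpOnly` attributes is dropped instead of being stored without them. The function names and the sample response are constructed for illustration.

```python
# Added illustration; names and sample data are hypothetical, not Apple's code.

def parse_set_cookie(line: str):
    """Split one Set-Cookie header line into name, value and security flags."""
    _, _, rest = line.partition(":")
    parts = [p.strip() for p in rest.split(";") if p.strip()]
    if not parts:
        return None  # header name only, no cookie pair received
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:]}
    return {"name": name, "value": value,
            "secure": "secure" in flags, "httponly": "httponly" in flags}

def cookies_from_stream(data: bytes, ignore_incomplete: bool) -> list:
    """Return cookies found in the bytes received before the connection closed.

    ignore_incomplete=False models the flawed behaviour (a trailing fragment
    with no CRLF is still processed); True models the fix in the advisory.
    """
    lines = data.split(b"\r\n")
    complete, tail = lines[:-1], lines[-1]  # tail never received its CRLF
    header_lines = []
    for line in complete[1:]:               # skip the status line
        if line == b"":                     # blank line ends the header block
            tail = b""                      # whatever follows is body
            break
        header_lines.append(line)
    if tail and not ignore_incomplete:
        header_lines.append(tail)           # flaw: fragment treated as a header
    cookies = [parse_set_cookie(l.decode("latin-1")) for l in header_lines
               if l.lower().startswith(b"set-cookie:")]
    return [c for c in cookies if c is not None]

# Constructed sample response and the same response cut off mid-header.
FULL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Set-Cookie: session=EXAMPLE123; Path=/; Secure; HttpOnly\r\n\r\n")
TRUNCATED = FULL[:FULL.index(b"; Secure")]

if __name__ == "__main__":
    print("flawed:", cookies_from_stream(TRUNCATED, ignore_incomplete=False))
    print("fixed: ", cookies_from_stream(TRUNCATED, ignore_incomplete=True))
    print("intact:", cookies_from_stream(FULL, ignore_incomplete=True))
```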

The update, however, opened a serious security hole. As Graham Cluley mentioned on his blog, the flaw affects users who have multiple accounts on their Macs, and he pointed out, “In an environment where a number of people might be sharing the same computer that’s not good news at all.”

Apple explained that those affected by the flaw would see the following symptoms:

The folders listed below might appear to be missing after installing iTunes 11.2 on OS X Mavericks. This can happen if you have Find My Mac enabled in iCloud System Preferences.

Folders affected:

  • /Users
  • /Users/Shared

The iTunes 11.2.1 update addressed the flaw with improved permission handling.

Apple’s security notice described the flaw resolved in iTunes 11.2.1 as follows:

CVE-2014-1347 : A local user can compromise other local user accounts. Upon each reboot, the permissions for the /Users and /Users/Shared directories would be set to world-writable, allowing modification of these directories. This issue was addressed with improved permission handling.

Mac users can download the update now via OS X’s built-in Software Update feature, or from the iTunes 11.2.1 Downloads page. Windows 64-bit users can get the update from the iTunes 11.2 for Windows (64-bit) Downloads page.