The iTunes 11.2 Upgrade Fiasco Challenges Our Trust in Apple

The way Apple has handled the iTunes 11.2 upgrade bug that made the /Users folder invisible is troubling. It's a matter of concern how and why it happened, that an OS bug should be introduced in an iTunes update, and how Apple handled the fix.


First of all, it's very important for app updates to be completely orthogonal to OS operations. If there's a methodology in the script for an app update that affects the operating system, then the update process should come under considerably more scrutiny. It needs to be rethought.

Apple's QA process should have caught this. How can an engineer test the installation of a new version of iTunes and not test all the related areas? That is, users may not be aware of the impact of having Find My Mac (FMM) turned on, but OS engineers are expected to be aware of secondary effects via their expertise.

Customers have come to expect that with the maturity of a 13-year-old OS, there is increasing stability in both the OS itself and install techniques. As we know, Apple has steadily added features to OS X over the years to make it more useful and compelling, but the underlying philosophy must always be a regard for the basics of OS integrity over novelties and added features.

It's been said that adding more programmers to a project doesn't speed up the work; it slows it down. But QA testing, painstaking work that it is, can always benefit from more experienced, curious, savvy testers. Letting the customers find terrible bugs in a new release is greatly damaging to Apple's image, much more so in magnitude than paying for additional tests.

Apple's Approach to Handling in Question

Of further concern is the way Apple handled the fix. Once it was understood how the iTunes 11.2 update, in concert with FMM, could cause an important system folder to become invisible, it would have been reasonable to surmise that a great many users were affected by this bug. Accordingly, it was disingenuous for the Mac App Store release notes for iTunes 11.2.1 not to mention that it fixed this specific problem that some users were having with the OS.

Instead, Apple quietly mentioned the issue in its Apple Product Security Notes—something that not many customers subscribe to—very late on May 16. Plus, there was a mention in an Apple support note, on the weekend, just to be all official. From the security note:

iTunes 11.2.1 is now available and addresses the following:

A local user can compromise other local user accounts

Description: Upon each reboot, the permissions for the /Users and /Users/Shared directories would be set to world-writable, allowing modification of these directories. This issue was addressed with improved permission handling.
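The condition the security note describes can be checked directly on a Mac. The following Python script is an added example, not code from Apple or from the original article: it reports whether each directory is world-writable (and whether the sticky bit is present) and, on macOS, whether the hidden flag is set, which is one way a folder becomes invisible in the Finder. The default paths are the two named in the note; the function names are illustrative.

```python
import os
import stat
import sys

# The two directories named in the security note; override on the command line.
DEFAULT_PATHS = ("/Users", "/Users/Shared")


def audit_dir(path):
    """Return a list of findings for one directory; an empty list means nothing flagged."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink sitting in place of the directory
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        # With the sticky bit, users cannot delete or rename each other's entries.
        sticky = "with" if mode & stat.S_ISVTX else "without"
        findings.append(f"world-writable {sticky} sticky bit (mode {mode:04o})")

    # st_flags exists only on macOS/BSD; UF_HIDDEN hides the item in the GUI.
    if getattr(st, "st_flags", 0) & stat.UF_HIDDEN:
        findings.append("hidden flag set")
    return findings


def audit(paths=DEFAULT_PATHS):
    """Map each path to its list of findings."""
    return {p: audit_dir(p) for p in paths}


if __name__ == "__main__":
    results = audit(sys.argv[1:] or DEFAULT_PATHS)
    for path, findings in results.items():
        print(f"{path}: {'; '.join(findings) if findings else 'ok'}")
    # Non-zero exit lets a scheduled job or management agent alert on any finding.
    sys.exit(1 if any(results.values()) else 0)
```

Because the note says the permissions were reset upon each reboot, a single clean result is not conclusive on an affected system; the check is meaningful when run again after a restart.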

1. When Apple makes a public mistake that affects OS usage, there should be a public acknowledgement, and the discussion shouldn't be directed off the beaten path. That just leads to a questioning of our trust in Apple.

2. When what is eventually characterized as a security snafu is identified, it shouldn't be rolled out in another iTunes app update that has nothing to do with the problem introduced with the OS. Does Apple routinely hold back a batch of minor update items for each app so that these kinds of errors can be covered up in an innocuous looking update? The list of changes in iTunes 11.2.1 certainly made it look like that.

The feeling here at TMO is that this iTunes 11.2 affair was badly handled. An app installer that contained a bug that never should have affected the user's view of the OS was released simultaneously with an OS update. That led many to mistakenly suspect the OS X 10.9.3 update. Then, the problem wasn't acknowledged. Then an updated iTunes app was released, instead of a security update, that obscured the fix to the OS issue for the average user.

We have come to expect more from Apple.