- The Tech Night Owl — Cutting-Edge Tech Commentary - https://www.technightowl.com -

Apple Inc. and Higher Standards

So new OS X updates arrived last week, including OS X 10.9.3 and iTunes 11.2. While the revisions, with minor changes, got high marks, they weren’t free of trouble. The most significant issue was the mysterious disappearance of the /Users folder on some Macs. The bug also made that folder writable by everyone, thus creating a potential security problem.

A little sleuthing turned up a possible cause. It appeared that there was a bug in the iTunes 11.2 installer that mucked up permissions, and if you also had the Find My Mac option enabled in iCloud preferences, you wouldn’t be able to see that /Users folder.

Within hours, there were workarounds, usually the basic Terminal command to make a hidden folder visible, but it would reset upon each restart. But before the situation got out of hand, Apple released an iTunes 11.2.1 update the very next day that fixed the problem. So far so good.

As you might imagine, though, not all Mac users were happy, even though most probably didn’t have a chance to actually install the update, let alone worry so much about the need for a fix. The main issue is that an updater was released with an obvious bug — well, obvious if all the conditions, such as having Find My Mac enabled, were met — and you have to wonder how Apple managed to let this bug make it through the quality control process.

You will probably never know the answer. My suspicion is that a last-minute change in the installation script may have contained the error, but went undiscovered in the rush to meet a predetermined release date. Maybe. At the end of the day, people with the best of intentions make mistakes, and perhaps Apple will know better next time. That the fix came out so quickly after the original release makes it clear there was a “whoops!” factor involved.

For the vast majority of Mac users, however, who probably don’t check their /Users folder (they go to their Home directory instead), this wasn’t a serious problem. However, a certain SSL bug in iOS and OS X, dubbed “goto fail,” was, because it opened up your Apple device to a serious security problem. That issue was discovered in February as an iOS 7.0.6 updater arrived with the warning that, as the result of this bug, “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

However, you actually needed to have control of a Mac to exploit this security leak. In short order, the problem was fixed in iOS at the same time the problem was reported in the media. But it took several more days for the OS X 10.9.2 update, which contained the fix, to arrive, which meant Macs were just as susceptible. That’s where the complaints began.

Because it involved Apple, there was a brief media freakout about the problem.

Why allow Mac users to be vulnerable, even for a few days? The repair seemed simple enough, because it involved a tiny piece of code that was accidentally duplicated. That it went undiscovered, at first, shows how even a trivial mistake has the potential to cause serious problems — or potentially serious problems, since there’s no evidence anyone ever exploited this security lapse.

Fixing it, however, may seem simple enough. But even removing a few words in a string of code requires careful testing. Apple’s developers need to make sure the fix resolves the issue, and there isn’t something else that might cause further problems. The installer also has to be checked to make sure nothing untoward occurs. Look at the iTunes 11.2 permissions issue above as an example of where a routine app installation might break something.

So maybe Apple decided it was worth waiting a few more days for the Mac fix, particularly since OS X developers decided to merge it with the pending 10.9.2 update. With a number of fixes, including security issues, even a slight coding change could have unexpected repercussions.

In the computer universe, mobile or desktop, instant fixes rarely happen. Microsoft took far longer to resolve security leaks in several versions of Internet Explorer that forced the Department of Homeland Security to warn people not to use that browser. To the surprise of most tech pundits, Microsoft even provided a patch for Windows XP, although the problem supposedly didn’t exist with that aging OS.

While you might rightly criticize both Apple and Microsoft for allowing security defects to exist for longer than you might think necessary, what about Google’s Android? There are serious security leaks going back a couple of years or more that remain unfixed. Worse, the cavalier attitude of Google’s executives, particularly Android chief Sundar Pichai, clearly indicates that security is not a priority. He was quoted, for example, as saying, “We do not guarantee that Android is designed to be safe; its format was designed to give more freedom.”

That makes it clear that, when it comes to security on your Android smartphone or tablet, you’re on your own. You cannot depend on Google or the device maker to ever fix serious security problems, or if they do, make them easily available for download by users impacted by these bugs. The OS that comes installed on your device will, more than likely, never be updated because there will be no updates.

The price of freedom means that, to protect yourself, you need to install a security app if you choose to use Android. You also have to hope that the app will get regular updates and protect you against the security leaks that Google has left untouched in the OS. But that may be more of a hope and a dream than a reality.