Critical flaw leads Apple to push OS X update for first time

Apple has pushed an automatic update to Macs for the first time, in order to fix a critical vulnerability in the network time protocol (NTP), which is used to synchronize computers’ clocks.

The company typically uses its software update mechanism to issue security updates, with users consciously being involved in the process, but this one was extraordinarily urgent, and led [company]Apple[/company] to use an automatic update mechanism that it developed a couple years back but had not used until Monday.

Apple spokesman Bill Evans told Reuters that the firm wanted to protect customers as quickly as possible – and indeed, when it was first released on Monday ahead of the automated push, the update was unusually entitled: “Install this update as soon as possible.”

The flaw was discovered by [company]Google[/company] researchers and flagged up by the U.S. government on Friday – it doesn’t just affect Macs, but also systems all the way up to industrial control systems, and the government needed to warn those running critical infrastructure. According to that warning:

These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available…
A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the [NTP daemon] process.

Evans told Reuters that Apple was not aware of any exploitations of the flaw in Macs. The update, which doesn’t require a restart, was released for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1.

This article was updated a couple minutes after initial publication to change the word “forces” in the headline to “leads” — it occurred to me that “forces” sounded unnecessarily harsh, given that the company is trying to protect its users from a vulnerability that wasn’t of its own making.