NTP vulnerability spooked many

Critical flaw leads Apple to push OS X update for first time

Apple has pushed an automatic update to Macs for the first time, in order to fix a critical vulnerability in the network time protocol (NTP), which is used to synchronize computers’ clocks.

The company typically uses its software update mechanism to issue security updates, with users consciously being involved in the process, but this one was extraordinarily urgent, and led Apple to use an automatic update mechanism that it developed a couple years back but had not used until Monday.

Apple spokesman Bill Evans told Reuters that the firm wanted to protect customers as quickly as possible – and indeed, when it was first released on Monday ahead of the automated push, the update was unusually entitled: “Install this update as soon as possible.”

The flaw was discovered by Google researchers and flagged up by the U.S. government on Friday – it doesn’t just affect Macs, but also systems all the way up to industrial control systems, and the government needed to warn those running critical infrastructure. According to that warning:

These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available…
A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the [NTP daemon] process.

Evans told Reuters that Apple was not aware of any exploitations of the flaw in Macs. The update, which doesn’t require a restart, was released for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1.

This article was updated a couple minutes after initial publication to change the word “forces” in the headline to “leads” — it occurred to me that “forces” sounded unnecessarily harsh, given that the company is trying to protect its users from a vulnerability that wasn’t of its own making.

14 Responses to “Critical flaw leads Apple to push OS X update for first time”

  1. Mac Thing

    No, this one was automatic whether ‘automatic updates’ was enabled or not. I had a (brief, disappearing) Notification that a security update had been installed. I don’t have auto-updates enabled, and it left no record in App Store->Updates-> ‘…installed in the last 30 days’.

  2. Does anyone know how big this fix is? I’d like to know how much of my monthly bandwidth allotment I’m donating to Apple. While it’s good of Apple to move on security issues, not everyone is on an unlimited plan.

  3. lol really? That’s all you got to say about it? The user has no control over its own property, Apple has a back door and that doesn’t bother you? It should be a criminal offense what Apple did.