Critical flaw leads Apple to push OS X update for first time


Apple has pushed an automatic update to Macs for the first time, in order to fix a critical vulnerability in the network time protocol (NTP), which is used to synchronize computers’ clocks.

The company typically uses its software update mechanism to issue security updates, with users knowingly taking part in the process, but this one was extraordinarily urgent, and led Apple to use an automatic update mechanism that it developed a couple years back but had not used until Monday.

Apple spokesman Bill Evans told Reuters that the firm wanted to protect customers as quickly as possible – and indeed, when it was first released on Monday ahead of the automated push, the update was unusually entitled: “Install this update as soon as possible.”

The flaw was discovered by Google researchers and flagged up by the U.S. government on Friday – it doesn’t just affect Macs, but also systems all the way up to industrial control systems, and the government needed to warn those running critical infrastructure. According to that warning:

These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available…
A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the [NTP daemon] process.

Evans told Reuters that Apple was not aware of any exploitations of the flaw in Macs. The update, which doesn’t require a restart, was released for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1.

This article was updated a couple minutes after initial publication to change the word “forces” in the headline to “leads” — it occurred to me that “forces” sounded unnecessarily harsh, given that the company is trying to protect its users from a vulnerability that wasn’t of its own making.

14 Comments

Mac Thing

No, this one was automatic whether ‘automatic updates’ was enabled or not. I had a (brief, disappearing) Notification that a security update had been installed. I don’t have auto-updates enabled, and it left no record in App Store->Updates-> ‘…installed in the last 30 days’.

Lighteeper

“Mac Users Protected from Pandemic Exploit?” Naw. Not clicky enough.

Jolly Roger

It’s automatically installed only if you have “Install system data files and security updates” checked in the System Preferences > App Store.

John W

Does anyone know how big this fix is? I’d like to know how much of my monthly bandwidth allotment I’m donating to Apple. While it’s good of Apple to move on security issues, not everyone is on an unlimited plan.

jjj

lol really? That’s all you got to say about it? The user has no control over its own property, Apple has a back door and that doesn’t bother you? It should be a criminal offense what Apple did.

jjj

It also means that the entire Mac install base is compromised since Apple doesn’t have the means to stop the US gov from abusing the backdoor, they can just be forced to give them access.

Harvey Lubin

Were they having a sale on tin-foil hats?

It’s not a “conspiracy theory”… It’s paranoia.

(͡° ͜ʖ°)
