If you own a Mac running OS X, it has just downloaded a new security patch. You can be forgiven if you failed to notice: Apple pushed the update without alerting users or asking for their consent. In fact, your system did not even require a restart to implement the patch. The move is a first for Apple, which normally alerts users and has them actively agree to an upgrade before making the fix.
The update was first reported by Reuters, which spoke to Apple spokesperson Bill Evans. Evans told Reuters that the company chose to handle the update in the way that it did in order to protect consumers as quickly and seamlessly as possible from a pernicious new vulnerability.
Manual Download Also Available
Apple has had the ability to update users’ machines for some time, although it has never used that ability. Evans told Reuters that the scope of the threat to OS X machines was sufficient in this case to warrant pushing the update without warning users first. Not every system has received the push update yet, however. Users can also manually download the patch by navigating to the App Store on an OS X device.
The patch addresses a security flaw in the Network Time Protocol (NTP) that was first reported by Google researchers last week. NTP is a protocol that is widely used to synchronize the clocks in servers across networks. Because NTP has high security privileges, it can be exploited by hackers to conduct remote attacks, according to an advisory issued by U.S. officials on Friday. The protocol is a component in Apple’s OS X operating system.
Apple is among several technology companies whose products could be vulnerable to an attack exploiting NTP, according to a security bulletin released by Carnegie Mellon University Software Engineering Institute. However, Evans told Reuters that Apple is not aware of any cases in which its products have successfully been hacked using NTP.
NTP Frequently Used
According to the U.S. Department of Homeland Security, the vulnerability resides in the way NTP manages its stack buffer. The vulnerability was first discovered by Neel Mehta and Stephen Roettger, two researchers on the Google Security Team.
“Impact to individual organizations depends on many factors that are unique to each organization,” according to the advisory published Friday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a group within the Department of Homeland Security responsible for coordinating responses to threats to critical infrastructure. “ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”
This is hardly the first time NTP has been implicated as a vector for hackers. NTP attacks provide hackers with the ability to generate high-volume DDoS (distributed denial of service) traffic to target Web sites or public-facing devices in order to disrupt services. Attacks taking advantage of NTP first began appearing around November 2013. This year, NTP attacks were used in 14 percent of all DDoS attacks in Q1, and 6 percent in Q2.
Posted: 2014-12-24 @ 1:10pm PT
I was notified it was done after the fact, figured there was just cause for Apple to go that invasive, so was grateful it was done. Thanks Apple for looking after us!
Old Mac guy:
Posted: 2014-12-23 @ 11:48am PT
This does not address what one does if one has a Mac still running 10.6.8.