Slashdot Mirror


Apple Pushes First Automated OS X Security Update

PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol: The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc. A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.

115 comments

  1. It should be noted that... by carlhaagen · · Score: 4, Informative

    ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

    1. Re:It should be noted that... by NMBob · · Score: 1

      One of my four Macs was set to install things automatically, and I still had to respond to the above stuff manually. I don't know if it would have gotten around to it eventually or not.

    2. Re:It should be noted that... by wisnoskij · · Score: 2

      So how long has Mac had this, "enable automatic updates" option, without using it? And why not? I imagine they have critical security updates all the time, why would they not automatically push these where enabled?

      --
      Troll is not a replacement for I disagree.
    3. Re:It should be noted that... by Anonymous Coward · · Score: 0

      Is this true? I didn't enable automatic software updates, in fact I've been constantly putting them off until later. However this one was automatically installed.

    4. Re:It should be noted that... by Anonymous Coward · · Score: 2, Funny

      Unlike Linux, there are almost never security updates for OS X, because OS X is secure.

    5. Re:It should be noted that... by Anonymous Coward · · Score: 0

      Yup, it is no different than before as far as I can tell. BTW, the NTP update installs in about 5 seconds.

    6. Re:It should be noted that... by Anonymous Coward · · Score: 1

      Except that little icon in the corner is actually Software Update launching with a not-small window that also steals focus.

    7. Re:It should be noted that... by Anonymous Coward · · Score: 3, Insightful

      At least it doesn't just reboot you while playing a game.
      Or when you turn your computer off you have to wait half an hour for all the updates to be installed.

    8. Re:It should be noted that... by Noah+Haders · · Score: 4, Informative

      Here's how to enable automatic security updates for your http://www.itworld.com/article...

      Here's how you can enable automatic app updates in OS X Mavericks. This will save you the time and trouble of updating apps on OS X Mavericks manually.

      1. Go to Settings.

      2. Go to the App Store.

      3. Click the Automatically Check for Updates check box.

      4. Click the Install App Updates check box.

    9. Re:It should be noted that... by suman28 · · Score: 4, Informative

      This is NOT true. I manually install updates on my machine because I do not like anything being installed without my knowledge. This morning, I woke up and opened up MBP. Next thing I know, I noticed a Tray Notification informing me that a Security Update has been installed. I only had one option, which was to close the notification. I was mildly irritated by this without a doubt.

    10. Re:It should be noted that... by BitZtream · · Score: 2

      First off, it didn't automatically install, it just downloaded a tiny patch that probably takes more traffic to request the download than the download itself. The news around this is BS.

      In order for automatic updates to be installed on their own, you have to enable automatic updates, like every other sane setup on the planet, by default.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    11. Re:It should be noted that... by jittles · · Score: 3, Informative

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

      You are incorrect. It automatically installed on three different macs that I own, and I never enable automatic update.

    12. Re:It should be noted that... by Anonymous Coward · · Score: 0

      Having people install Windows updates is pretty much a matter of "virtual public safety," since those unpatched machines will be used to attack other systems. When people had some control over them, they wouldn't install it. And if you know enough to care about this, you can disable it.

      Also, as of Windows 8 the restart prompt will only appear after 3 days and it's no longer automatic if the computer is not idle.

    13. Re:It should be noted that... by BasilBrush · · Score: 2, Informative

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates.

      Not true. I have not enabled automatic updates, and this update for the first time ever, installed all by itself. I got the notification in the top corner, but it was only to say that the security update had been installed. There was no option.

    14. Re:It should be noted that... by BasilBrush · · Score: 0

      What you assume is incorrect. Automatic updates are not enabled on my Mac, and this update was the first ever that installed all by itself, merely notifying me after it had done so.

    15. Re:It should be noted that... by Jayfar · · Score: 1

      What you assume is incorrect. Automatic updates are not enabled on my Mac, and this update was the first ever that installed all by itself, merely notifying me after it had done so.

      It installed automatically on my Mavericks machine with a notification afterwards. The option I have checked that allowed it is: System Preferences -> App Store -> and checkbox "Install system data files and security updates"

    16. Re:It should be noted that... by Anonymous Coward · · Score: 0

      Pretty sure OS-X is based on BSD.... Does that imply that you are better off with BSD then?

      Maybe you should check the source and find out there have been a number of security updates available released.

      http://support.apple.com/en-us...

    17. Re:It should be noted that... by Anonymous Coward · · Score: 0

      Mine is sitting at the top of my update list with a heading that says "Install this update as soon as possible", and is waiting for me to click the update button - so I'm going to assume that you have automatic updates turned on (perhaps only for security updates) and don't realise it.

    18. Re:It should be noted that... by mrsquid0 · · Score: 4, Funny

      Not only is OS X secure, it is perfect and is the only door to nirvana.

      --
      Just because you are paranoid does not mean that no-one is out to get you.
    19. Re:It should be noted that... by lolocaust · · Score: 1

      I saw the notification yesterday and thought that I had some kind of malware. There's no record of it in the update history either, which would have been helpful.

      I'm still pretty irritated that the update was installed without my knowledge, since I depend on my computer to be stable for my day to day work and can't afford any downtime with a botched update (which has happened before).

      --
      Why does my post history abruptly stop? I want to laugh at the stupid things I posted as a kid.
    20. Re:It should be noted that... by Gr8Apes · · Score: 1

      Automatically on Yosemite, turns out that install system and security updates was checked. No more. I don't like things happening to my system automatically.

      --
      The cesspool just got a check and balance.
    21. Re:It should be noted that... by Anonymous Coward · · Score: 0

      My work laptop updated just like that, but my personal hasn't. I have no automatic updates on either, though I'm not 100% on the work laptop settings.

  2. Also affects Linux - patch now! by hawkinspeter · · Score: 5, Informative

    This is a major bug in NTPd, so if you're using it on Linux, you'll want to patch it too (or switch to openNTP which isn't affected). The big problem is that it can be exploited with a single (specially crafted) UDP packet, so it's easy for malicious actors to probe lots of machines with very little overhead.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    1. Re:Also affects Linux - patch now! by Imagix · · Score: 1

      While yes, patch your servers.... but do you really have your NTP port exposed to the world? Ever hear of a firewall?

    2. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 1, Insightful

      Really, what's one of those?

      If you close all your NTP ports you're not going to be able to sync with a time source on the internet. Once you allow responses to your NTP queries, then you can be spoofed and compromised.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    3. Re:Also affects Linux - patch now! by the_B0fh · · Score: 2

      Anyone running a network of any significant size should have their own time servers. Anyone running Active Directory should have their own time servers.

      So, it *is* reasonable to firewall that off in a network of any significant size.

    4. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 2

      Yes, but often the easiest way to set up a time server is to sync with a time server on the internet (e.g. ntp.pool org). As far as I can tell, a big reason for people to use NTP is that they don't have a reliable atomic clock of their own, so they sync with other people who do.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    5. Re:Also affects Linux - patch now! by sydsavage · · Score: 5, Informative

      Completely wrong. You do not need to open a port to sync with an external time source any more than you need to open a port to browse the web. It is only necessary to open/forward a port if you wish to allow others to sync to you from the external network. But you shouldn't do this unless you have mitigated the potential for using your time server in an amplification attack.

    6. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 1

      Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    7. Re:Also affects Linux - patch now! by Dr.+Evil · · Score: 4, Informative

      UDP is stateless.

      Given the list of ntp servers is generally known based on your OS type, and the ephemeral port range is somewhat limited, it doesn't take a lot to guess the sourceip:sourceport->destip:destport combination which would allow you to spoof a packet which will traverse your firewall. UDP packets are cheap so you can send a lot of them over time and wait until you observe an indicator of compromise.

      e.g., 1.rhel.pool.ntp.org:123->victim:[32768-61000]

      You can't do this for web browsers because TCP is stateful.

    8. Re:Also affects Linux - patch now! by Anonymous Coward · · Score: 1

      Translation of parent post: "OK, what I said earlier was wrong, but instead of just saying so I'm going to backpedal and try to find some shred of sense in it. Never mind that it requires an attacker to have seized control of the time server so that he could "spoof" a response. And also never mind that that wouldn't be a spoof."

    9. Re:Also affects Linux - patch now! by jeffmeden · · Score: 2

      Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.

      From the description of the bugs, they are related to a server being queried and not related to the expected response. So, only when running ntpd as an internet-facing daemon do you have a problem. It's also a much more convoluted attack to spoof a response from a time server, assuming the attacker hasn't used the vulnerability to take control of the one you happen to be using. Since these vulnerabilities are not in a configuration a reputable time server is likely to use (i.e. the NIST servers) the general public is pretty safe.

    10. Re:Also affects Linux - patch now! by Anonymous Coward · · Score: 1

      There are time devices that are GPS based, for this very reason. No need to connect over the Internet, no need for an atomic clock.

    11. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 1

      That's reassuring, but I wonder why Apple have rushed out this update. How many OSX users run a public NTP server?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    12. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 2

      I believe this is made easier as NTPd sends from port 123 whereas openNTP uses a random port.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    13. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 1

      Thanks for your translation, it's most helpful. I don't see why you need to seize control of a server to spoof a response as spoofing implies that you're faking the response so it looks like it's come from the respective server.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    14. Re:Also affects Linux - patch now! by rubycodez · · Score: 1

      ever heard of employees so incompetent with computers exposing servers to them is worse than exposing to internet?

      "we has met the enemy, and they is us" - Pogo

    15. Re:Also affects Linux - patch now! by virtual_mps · · Score: 2

      Firewalls which do stateful inspection of NTP conversations are exceedingly rare. So if you follow the normal practice and have a "stateful" UDP port open on the firewall to a given external NTP server, it's not possible for the firewall to distinguish between a response packet from the external NTP server and a query packet spoofed to appear to be originating from the external NTP server. That is, a client will be potentially vulnerable to spoofed packets from any IP it uses as a server.

    16. Re:Also affects Linux - patch now! by virtual_mps · · Score: 2

      Note that most machines running OSX would be vulnerable to spoofed packets from the same IP (the apple NTP server)...

    17. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 1

      I'd always thought they were expensive, specialist devices, but it looks like you can get pci express cards for laptops quite cheaply. I'd imagine you'd want to position the aerial outside of a server room though.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    18. Re:Also affects Linux - patch now! by the_B0fh · · Score: 1

      Exactly. Buy it, pop it on the network, give it a DNS name, and update your GPO or puppet.conf and you're done.

    19. Re: Also affects Linux - patch now! by corychristison · · Score: 1

      I removed openNTP and installed tlsdate on my systems. I recommend looking into it.

    20. Re:Also affects Linux - patch now! by Paradise+Pete · · Score: 1

      How would they do that? You created the connection to the proper server. They are not connecting to you, so there's no spoofing.

    21. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 1

      As it's stateless UDP, there's not much of a connection to the proper server. All you need to do is send the appropriate source and destination ports and IP address and you're good. It would involve waiting for an outgoing request and then sending spoofed packets that look like they are a reply. The one with the right ports will be allowed through the firewall as it looks like a reply.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  3. FFS by koan · · Score: 1

    What else can they "push"...

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:FFS by Anonymous Coward · · Score: 0

      So it's okay in your book for hackers to push malware onto people's computers, but it's not okay for Apple to push fixes? Yeeeeeah.

    2. Re:FFS by rubycodez · · Score: 1

      Apple can't push anything without user opting-in to auto updates. I didn't so received notification of update I had to manually install

    3. Re:FFS by koan · · Score: 1

      That involves trusting Apple, I'm not doing that after all the things we have seen over the years.

      --
      "If any question why we died, Tell them because our fathers lied."
    4. Re:FFS by BasilBrush · · Score: 1, Flamebait

      Apple can't push anything without user opting-in to auto updates.

      As multiple people are reporting, they can, and are as of this update. Your assumption is wrong.

    5. Re:FFS by reikae · · Score: 1

      But in that case you're probably not running OS X anyway, so the automatic updates are a moot point.

    6. Re:FFS by rubycodez · · Score: 1

      wrong, those are just shit-heads who forgot they answered "yes" when installing. The typical kind of lowlife that consume 95% of an IT department's time

    7. Re:FFS by jbolden · · Score: 1

      Anything they want. Apple is trusted by its customers and uses this mechanism rarely as the lead mentioned. 2 years and this is the first time.

    8. Re:FFS by koan · · Score: 1

      That's a nonsense point, the question is "Can Apple push whatever they want?" Not "Do I use OS X"
        and the answer is "We don't know, and they can not be trusted"
      This same question can be asked of Google, Microsoft and Linux (Redhat, Ubuntu) as well.

      If you don't think they are complicit with the US (and other nations) security agencies that's your right to believe that.
      IMO The evidence today shows they are, and the only thing they worry about is dependability.

      "they" being Apple/Google/Microsoft complex.

      --
      "If any question why we died, Tell them because our fathers lied."
    9. Re:FFS by koan · · Score: 1

      Apple is trusted by its customers

      Why? Why would you ever trust a company like Apple, or for that matter Google or Microsoft, why is trust even on the table?

      Because the truth is you simply can not trust these corporations, they have shown that multiple times.

      --
      "If any question why we died, Tell them because our fathers lied."
    10. Re:FFS by jbolden · · Score: 1

      There are two settings:

      Allow updates automatically
      Install system data files and security updates

      The 2nd is different from the 1st. The 2nd is what this went across as while most updates use the first mechanism.

    11. Re:FFS by jbolden · · Score: 1

      Why? Why would you ever trust a company like Apple

      History and an alignment of interests. You have to trust somewhere, life is simply too complex to do everything yourself. So you put faith where it is warranted and then verify when easy.

      Because the truth is you simply can not trust these corporations, they have shown that multiple times.

      I don't see that with Apple. I don't trust them not to overcharge me for hardware. I do trust them to mostly have my best interests at heart in using their stuff because that has been their established pattern.

    12. Re:FFS by koan · · Score: 1

      For trust to enter into your relationship with Apple shows how poorly you approach the relationship, that's why there are business contracts, that's why there are warranties, because "trust" should never be an issue that needs discussing, for the simple reason they can not be trusted without their having a sense of "loss of profit".
      Your "dissatisfaction" wouldn't enter into it if they thought they could continue to make money.

      You trust people you know face to face, you do not trust a corporation with a history of poor security, slave labor, financial fraud, tax evasion, personal data accumulation of customers for resell and customer manipulation, and interaction with governmental agencies that is ethically dubious at best.

      Why would they ever have *your* best interest at heart? After everything I've mentioned above, that can easily be Googled and verified, it should be very clear they do not have your best interest at heart.

      They have your money at heart.

      --
      "If any question why we died, Tell them because our fathers lied."
    13. Re:FFS by reikae · · Score: 1

      Why is it nonsense? I don't think updates require significantly more trust in a vendor than using their operating system in the first place does. If they wanted to push in any way malicious updates, they could have built in a way to bypass the normal update mechanism altogether or hide it in a Trojan horse.

    14. Re:FFS by BasilBrush · · Score: 1, Troll

      Yeah. Looks like the second appeared in Mountain Lion, and the default was ticked, even though "Allow updates automatically" wasn't.

      So most people who have had "Allow updates automatically" unchecked for years won't have ever seen the newer option.

      I'm not complaining. But some people will have room to do so.

    15. Re:FFS by koan · · Score: 1

      Dependability should be deniability.

      Interesting there is no correct spelling offered for "deniability" even though it's underlined.

      --
      "If any question why we died, Tell them because our fathers lied."
    16. Re:FFS by koan · · Score: 1

      they could have built in a way to bypass the normal update mechanism altogether or hide it in a Trojan horse.

      What makes you think they haven't?

      Why do you trust them?

      --
      "If any question why we died, Tell them because our fathers lied."
    17. Re:FFS by reikae · · Score: 1

      I suppose I misunderstood your first post I replied to. I thought you meant you wouldn't want to install updates because you don't trust Apple and I was curious why, in that case, would you trust OS X in the first place.

      I don't use a Mac myself, so let's swap Microsoft in there instead. I think it's not entirely unlikely that they would be able to install updates without prompting me in any way, if it was in their interest. Usefulness of the system outweighs the likelihood of them screwing me over, hence I continue to run Windows for the time being.

  4. Can this be disabled? by smooth+wombat · · Score: 1

    How many times have we seen people who set their updates to Automatic in a Windows environment get in trouble when an update mangles their system? I know people who say, "I always get every update as soon as they come out" then bitch when an update did something to their system.

    Can this auto-update be turned off or changed to manual?

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Can this be disabled? by carlhaagen · · Score: 5, Informative

      Yes, the automatic updating is a controllable setting, and to contrast one detail against Windows: In my 9 years of using OS X, it has never done an automatic REBOOT during OS update, no matter if I've had automatic updates enabled or not.

    2. Re:Can this be disabled? by wisnoskij · · Score: 1

      They would have gotten in trouble either way. Unless you are suggesting that the average user never install any security updates?

      --
      Troll is not a replacement for I disagree.
    3. Re:Can this be disabled? by XxtraLarGe · · Score: 2

      How many times have we seen people who set their updates to Automatic in a Windows environment get in trouble when an update mangles their system? I know people who say, "I always get every update as soon as they come out" then bitch when an update did something to their system.

      Can this auto-update be turned off or changed to manual?

      Yes, but the system is opt-in, not opt-out. I always wait for a few days before updating, just to see if there are any problems reported. This helped me to miss out on some doozies. Thankfully, I saw the report on the latest Microsoft update before running it on my work machine.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    4. Re:Can this be disabled? by smooth+wombat · · Score: 4, Insightful

      If you do manual updates you can wait to see if anything is broken before installing them. There is never a need to be the first one to get an update. Let some other poor sucker suffer the slings and arrows of breakage.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    5. Re:Can this be disabled? by Anonymous Coward · · Score: 0

      it has never done an automatic REBOOT during OS update

      Lol.. that just means it replaced the files on disk.

      You've been running with the vulnerable libraries/executable loaded in memory until you restarted the OS or whatever program loaded those files.

      Good job Apple ! .. TBH .. most mainstream Linux distros also have this shitty way of (non) updating by default.

    6. Re:Can this be disabled? by Guy+Harris · · Score: 2

      it has never done an automatic REBOOT during OS update

      Lol.. that just means it replaced the files on disk.

      You've been running with the vulnerable libraries/executable loaded in memory until you restarted the OS or whatever program loaded those files.

      At least on the machines in our household (Mountain Lion and Mavericks), NTPD was restarted as part of the update process, without an OS reboot.

    7. Re:Can this be disabled? by hackertourist · · Score: 1

      It is infinitely preferable to the Windows way of doing things, where the update process can basically say (using the default settings) 'Fuck you and your open documents, we're going to reboot NOW'. The mind boggles at the level of disrespect that shows.
      Can things be improved? Probably. But until they are, I prefer the OS that lets me reboot on MY schedule.

    8. Re:Can this be disabled? by Anonymous Coward · · Score: 0

      This has *NEVER* happened to a single person who has installed Windows with the default settings. Windows never reboots by crashing programs and it never reboots without first giving you a way to save your work. Post a bug repro.. go ahead, I dare you.

      (1) Either you are stupid and you fucked up your windows settings

      (2) your network admin is stupid and fucked up your windows settings.

      Either way, it's painfully obvious you're a non-technical user with limited understanding of your OS. If my OS randomly started rebooting without warning I'd have that shit diagnosed before ever touching it.

  5. Change log? by DigiShaman · · Score: 2

    Is that what that is?! I just saw a pop-up telling me an OS X update applied when I returned to my desk. Curious, I checked the updates and didn't see anything new installed today. I figured it was some malware clickbait popup that came and went from inactivity on my end.

    --
    Life is not for the lazy.
    1. Re:Change log? by Anonymous Coward · · Score: 0

      It's badly done by Apple if it can give the impression that something spurious is happening on the computer.

    2. Re:Change log? by Anonymous Coward · · Score: 1

      Same here.
      Popup without ANY indication what was installed or why.
      No mention of anything in AppStore Update history either.
      They do that already for regular security updates.
      Why not for the auto-pushed one ?
      At least I would have expected to see a "Security update automatically installed on December 23. Click here for more info." message.

    3. Re:Change log? by rwyoder · · Score: 1

      Is that what that is?! I just saw a pop-up telling me an OS X update applied when I returned to my desk. Curious, I checked the updates and didn't see anything new installed today. I figured it was some malware clickbait popup that came and went from inactivity on my end.

      Same thing happened to me.
      I have the App Store setting configured to *download*, but *not* install automatically.
      It installed anyway.
      I verified it by checking the version of the ntpd binary.
      And the App Store update tab does *not* show it was installed.

      So I went to another Mac, booted it, and immediately brought up App Store updates.
      It showed the update, and I selected it for installation.
      On that Mac it now *does* show the update is installed.

      This is broken behavior.

    4. Re:Change log? by rwyoder · · Score: 1

      I just noticed something: While I have "Install OS X updates" set to off, there is another checkbox for "Install system data files and security updates" which was checked. That must be why it installed automatically. But the fact the App Store updates does not show it installed is still lame.

    5. Re:Change log? by Anonymous Coward · · Score: 0

      It just installed the OSX updates on my Timex-Sinclair, so YMMV.

    6. Re:Change log? by Jayfar · · Score: 2

      Same here.
      Popup without ANY indication what was installed or why.
      No mention of anything in AppStore Update history either.
      They do that already for regular security updates.
      Why not for the auto-pushed one ?
      At least I would have expected to see a "Security update automatically installed on December 23. Click here for more info." message.

      I agree. You can find the install info, but not in the App Store where you'd expect to see it.
      About this Mac -> More Info (opens System Info) - under Software, click on Installations, then click on the Install Date header to sort.

  6. Also note by OzPeter · · Score: 4, Informative

    They only update back to Mountain Lion.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Also note by armanox · · Score: 1

      Just noticed that my MacBook running Lion didn't get it....

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    2. Re:Also note by Anonymous Coward · · Score: 0

      Yep, just noticed this when I checked my older machine. Lame. Plenty of good machines out there are capped out at Lion.

      Also, the Yosemite update appears to require 10.10.1. Blah. I'll bet anything ntpd didn't change between 10.10.0 and 10.10.1, so there's probably no reason why this couldn't apply to both. Guess I'll finally have to update to 10.10.1 and force a reboot (while hoping nothing breaks; 10.10.0 has been surprisingly stable). :(

    3. Re:Also note by Smurf · · Score: 1

      They only update back to Mountain Lion.

      True. You can nevertheless patch older versions of OS X manually.

    4. Re:Also note by Smurf · · Score: 1

      You will have to patch your system manually.

    5. Re:Also note by armanox · · Score: 1

      The beauty of open source.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
  7. Also by koan · · Score: 3, Informative

    You can turn this off in system preferences > app store

    --
    "If any question why we died, Tell them because our fathers lied."
  8. Put restrict ... noquery in your ntp.conf file by ctime · · Score: 4, Informative

    http://support.ntp.org/bin/view/Main/SecurityNotice

    Buffer overflow in ctl_putdata()

    References: Sec 2668 / CVE-2014-9295 / VU #852879
    Versions: All NTP4 releases before 4.2.8
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8) 18 Dec 2014
    Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
    Mitigation - any of:
    - Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    - Put restrict ... noquery in your ntp.conf file, for non-trusted senders.
    Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

    1. Re:Put restrict ... noquery in your ntp.conf file by hawkinspeter · · Score: 3, Interesting

      I hadn't spotted the "restrict ... noquery" mitigation (which luckily I already had in place), but wouldn't servers still be susceptible to spoofed packets from one of the trusted servers?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
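
The "restrict ... noquery" mitigation quoted in this thread, as an added example that is not part of any comment or of the NTP Project's code: a Python check that lists the `restrict` lines in an ntp.conf that still accept ntpq/ntpdc queries from senders outside a trusted set. The sample configuration, the `TRUSTED` set and the function names are assumptions made for illustration.

```python
# Assumption: only loopback is a trusted sender allowed to run ntpq/ntpdc queries.
TRUSTED = frozenset({"127.0.0.1", "::1"})

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
server 0.pool.example.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict 198.51.100.7 ignore
"""
NO_DEFAULT = "no 'restrict default' line: unlisted senders get no flags at all"

def parse_restrict(line):
    """Return (address, flags) for a 'restrict' line, or None for anything else."""
    tokens = line.split("#", 1)[0].split()      # drop trailing comments
    if not tokens or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    if tokens and tokens[0] in ("-4", "-6"):    # optional address-family selector
        tokens = tokens[1:]
    if not tokens:
        return None
    if len(tokens) >= 3 and tokens[1] == "mask":  # skip "mask <netmask>"
        del tokens[1:3]
    return tokens[0], set(tokens[1:])

def query_exposed(conf_text, trusted=TRUSTED):
    """List (line_number, text) of restrict entries that still answer queries."""
    findings, has_default = [], False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_restrict(line)
        if parsed is None:
            continue
        address, flags = parsed
        has_default = has_default or address == "default"
        # 'noquery' denies ntpq/ntpdc queries; 'ignore' denies every packet.
        if address not in trusted and not flags & {"noquery", "ignore"}:
            findings.append((lineno, line.strip()))
    if not has_default:
        findings.insert(0, (0, NO_DEFAULT))
    return findings

if __name__ == "__main__":
    for lineno, text in query_exposed(SAMPLE_CONF):
        print(f"line {lineno}: {text}")
```

On the constructed sample this reports the IPv4 default entry and the 192.0.2.0 subnet entry, the two lines that name neither `noquery` nor `ignore`.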
  9. FFS by Anonymous Coward · · Score: 0

    Your mom off the bridge, bitch.

  10. Yes, but one every two years. Christmas vacation by raymorris · · Score: 0

    Though it can be disabled, the folks at Apple seem to have been VERY conservative about which updates they mark as "automatic" - only this one update in two years. All other updates have been released as needing user approval first.

    So by having it on, you are NOT subjecting yourself to the same level of crap as Windows users who automatically install all sorts of random updates every single month. You're only getting the most critical updates, one small update every couple of years.

    I came in to work this morning, my last (half) day of work before leaving for a two week vacation, to find that my Mac had automatically handled this update. I very nearly skipped this last half-day of work. Had I done that, and had "allow automatic updates" turned off, my machine would have been vulnerable for two weeks until I came back. I'm glad this one was automatically installed, while all of the other lower-priority updates have always awaited my approval.

  11. NTPd is a mess that needs to be replaced by QuietLagoon · · Score: 1, Interesting
    The ntpd source should have been re-architected and rewritten years ago.

    .
    The trouble is that the ntp.org project seems to be more concerned about adding every last neat new feature, and less concerned about the quality of the software they push upon the world.

    It's the openssl fiasco all over again.

    1. Re:NTPd is a mess that needs to be replaced by stox · · Score: 1

      Which is why PHK just released ntimed.

      --
      "To those who are overly cautious, everything is impossible. "
    2. Re:NTPd is a mess that needs to be replaced by rubycodez · · Score: 1

      yeah openbsd project noticed that a decade ago: http://www.openntpd.org/

    3. Re:NTPd is a mess that needs to be replaced by virtual_mps · · Score: 1

      The NTP people are generally more concerned about accurate & precise network time than about security. If security is your goal (and you're willing to compromise on highly accurate time) you're almost certainly better off with a SNTP solution intended to be simple and secure.

    4. Re:NTPd is a mess that needs to be replaced by QuietLagoon · · Score: 1
      Let me fix that typo for you...

      .
      The NTP people are generally more concerned about accurate & precise network time than about code quality or security.

    5. Re:NTPd is a mess that needs to be replaced by virtual_mps · · Score: 1

      You can add a petty subjective clause if you want to, but the point remains--choose the tool that's right for the job you're trying to do.

      And crap code or not, it's probably keeping more accurate time than the NTP server that you wrote. ;-)

    6. Re:NTPd is a mess that needs to be replaced by Anonymous Coward · · Score: 0

      And in another 5 years, they might release an update to OpenNTPD portable. It's many versions back from the native OpenBSD version at this point. I say this as a vendor who SHIPS OpenNTPD with my system and I'm not even listed on the OpenNTPD site as a platform.

    7. Re:NTPd is a mess that needs to be replaced by QuietLagoon · · Score: 1

      You can add a petty subjective clause if you want to...

      I don't consider code quality to be a petty thing.

      .
      I have not written a NTP server.

    8. Re:NTPd is a mess that needs to be replaced by rubycodez · · Score: 0

      no newer release because it is mature software

      If you want the latest version, that's inside openbsd, why not use an OS in your product that has emphasis on robustness, security and correctness (to specs and in algorithms used) ?

  12. Fuck forums sliders by Anonymous Coward · · Score: 0

    Fuck forums sliders

  13. How about they fix 10.10.1 first? by Lumpy · · Score: 0

    A large number of people can't install 10.10.1 as it stops at "about 4 minutes remaining" and just sits there for days. Apple refuses to acknowledge the problem or offer a solution.

    --
    Do not look at laser with remaining good eye.
    1. Re:How about they fix 10.10.1 first? by Anonymous Coward · · Score: 1

      The same thing happened for some people installing 10.10.0. Your network is broke. Fix your router, your AV/firewall software, your proxy server that is caching the incomplete download or go to an Apple Store or a local coffee shop and download from their network; it takes about 20 minutes.

      If nothing else, download the complete standalone installer and update via that:

      http://support.apple.com/kb/DL1779?viewlocale=en_US&locale=en_US

      There are lots and lots of solutions available for people that bother to ask...

    2. Re:How about they fix 10.10.1 first? by antdude · · Score: 1

      It was a major security fix. 10.10.1 is not a security issue.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:How about they fix 10.10.1 first? by Anonymous Coward · · Score: 0

      And you are 100% wrong. Try again moron. Oh and you forgot " you are holding it wrong"

      10.10.1 is broke as fuck, and apple does not give a shit. Their quality has went into the toilet.

  14. Ummmm... About twice in 16 years by Sycraft-fu · · Score: 1

    In my time in IT, that's what I've seen. There was an update to the 3com 905 drivers back in the day that BSOD'd systems; since then there has been more rigorous driver testing. After that there was the recent Windows 7 update that had a problem on some systems. We didn't see any issues on any of our some 400 Windows 7 systems, but I did verify it was real. MS rolled it back with another automated patch.

    Oh and I suppose XP SP3 though that wasn't automatic, and the only systems it "broke" were ones with Malware infections so I hardly count that.

    So... ya... Personally, I'll take an issue every decade or so in trade for having a system that is up to date. However, if you'd rather not patch your stuff go ahead, just don't do it on my network, I'll block you.

  15. OS X Server? Nope by psydeshow · · Score: 1

    Is my MacBook really running an ntp daemon? Huh, yes it is:

    $ ps ax | grep ntp
    32950 ?? Ss 0:00.26 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift

    How about that. When I first read this, I kinda figured it only applied to OS X server, and that on a normal Mac there would just be a periodic script that updates the clock via ntpdate. But it makes sense to have a daemon running, clock has to be accurate on wake to access network shares and the like.

  16. Re:Yes, but one every two years. Christmas vacatio by kybred · · Score: 1

    Had I done that, and had "allow automatic updates" turned off, my machine would have been vulnerable for two weeks until I came back. I'm glad this one was automatically installed, while all of the other lower-priority updates have always awaited my approval.

    I would imagine that the timing of this is one reason why it was pushed this way. As you point out, a lot of machines would be unattended until after New Year's and would be patched until then.

  17. Patch Monday for OSX... by Anonymous Coward · · Score: 0

    Windows has patch tuesday...welcome to having a popular OS.

  18. credit card by TheSHAD0W · · Score: 0

    I haven't updated to 10.10 yet, because they demand my credit card information for the "free" update; I refuse to put it into their system, even temporarily.

    1. Re:credit card by Anonymous Coward · · Score: 0

      Create an iTunes Store, App Store, or iBooks Store account without a credit card or other payment method - http://support.apple.com/en-us/HT204034

  19. Safari 8.0.2 and Slashdot by rwa2 · · Score: 1

    I suppose this thread is as close as I'll get... Anyone else have high CPU displaying Slashdot on Safari?

    I usually keep /. open all day in a tab, but lately I've occasionally been getting /. tabs burning through all of my CPU on some tabs, according to ActivityMonitor. I assume it has something to do with the new ads, since it's intermittent, but it's been difficult to flag exactly which ad content has been causing this. Just updated to Safari 8.0.2 this morning, and it's still occurring.

    Usually use Safari instead of Chrome since the battery life is supposedly better, but certainly not with this issue :P But at this point, I'd sooner stop keeping /. open than change browsers. :/

    1. Re:Safari 8.0.2 and Slashdot by rwa2 · · Score: 1

      BTW, I just checked my Safari Power Saver settings, so it's not that...
      http://mac-fusion.com/manage-t...

      (I only have plugins enabled on Youtube and SpeedTest.net)

  20. Not true by jbolden · · Score: 2

    I don't have automatic updates installed. I like to decide on the when. It installed and just notified me of the installation. Worked as intended.

  21. Apple Pushes First Automated OS X Security Update by janenichols · · Score: 1

    Vulnerabilities are low, I read that the update is about a component of the OS which relates to network time protocol (NTP), which is used for synchronizing clocks on computer systems...So updates need not matter..

  22. Auto Updates Are a Security Breach by Anonymous Coward · · Score: 0

    Stay out of my damn computer! If you can modify my computer for this, what's stopping you from removing ebooks from my library? Just provide the updates & I'll install them myself.