Slashdot Mirror


Apple Pushes First Automated OS X Security Update

PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol:

The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc. A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ...

The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.

12 of 115 comments

  1. It should be noted that... by carlhaagen · · Score: 4, Informative

    ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

    1. Re:It should be noted that... by Noah+Haders · · Score: 4, Informative

      Here's how to enable automatic security updates for your http://www.itworld.com/article...

      Here's how you can enable automatic app updates in OS X Mavericks. This will save you the time and trouble of updating apps on OS X Mavericks manually.

      1. Go to Settings.

      2. Go to the App Store.

      3. Click the Automatically Check for Updates check box.

      4. Click the Install App Updates check box.

    2. Re:It should be noted that... by suman28 · · Score: 4, Informative

      This is NOT true. I manually install updates on my machine because I do not like anything being installed without my knowledge. This morning, I woke up and opened up MBP. Next thing I know, I noticed a Tray Notification informing me that a Security Update has been installed. I only had one option, which was to close the notification. I was mildly irritated by this without a doubt.

    3. Re:It should be noted that... by jittles · · Score: 3, Informative

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

      You are incorrect. It automatically installed on three different Macs that I own, and I never enable automatic update.

    4. Re:It should be noted that... by BasilBrush · · Score: 2, Informative

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates.

      Not true. I have not enabled automatic updates, and this update for the first time ever, installed all by itself. I got the notification in the top corner, but it was only to say that the security update had been installed. There was no option.

  2. Also affects Linux - patch now! by hawkinspeter · · Score: 5, Informative

    This is a major bug in NTPd, so if you're using it on Linux, you'll want to patch it too (or switch to openNTP which isn't affected). The big problem is that it can be exploited with a single (specially crafted) UDP packet, so it's easy for malicious actors to probe lots of machines with very little overhead.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe

    1. Re:Also affects Linux - patch now! by sydsavage · · Score: 5, Informative

      Completely wrong. You do not need to open a port to sync with an external time source any more than you need to open a port to browse the web. It is only necessary to open/forward a port if you wish to allow others to sync to you from the external network. But you shouldn't do this unless you have mitigated the potential for using your time server in an amplification attack.

    2. Re:Also affects Linux - patch now! by Dr.+Evil · · Score: 4, Informative

      UDP is stateless.

      Given the list of ntp servers is generally known based on your OS type, and the ephemeral port range is somewhat limited, it doesn't take a lot to guess the sourceip:sourceport->destip:destport combination which would allow you to spoof a packet which will traverse your firewall. UDP packets are cheap so you can send a lot of them over time and wait until you observe an indicator of compromise.

      e.g., 1.rhel.pool.ntp.org:123->victim:[32768-61000]

      You can't do this for web browsers because TCP is stateful.

  3. Also note by OzPeter · · Score: 4, Informative

    They only update back to Mountain Lion.

    --
    I am Slashdot. Are you Slashdot as well?

  4. Re:Can this be disabled? by carlhaagen · · Score: 5, Informative

    Yes, the automatic updating is a controllable setting, and to contrast one detail against Windows: In my 9 years of using OS X, it has never done an automatic REBOOT during OS update, no matter if I've had automatic updates enabled or not.

  5. Also by koan · · Score: 3, Informative

    You can turn this off in system preferences > app store

    --
    "If any question why we died, Tell them because our fathers lied."

  6. Put restrict ... noquery in your ntp.conf file by ctime · · Score: 4, Informative

    http://support.ntp.org/bin/view/Main/SecurityNotice

    Buffer overflow in ctl_putdata()

    References: Sec 2668 / CVE-2014-9295 / VU #852879
    Versions: All NTP4 releases before 4.2.8
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

    Mitigation - any of:

    - Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    - Put restrict ... noquery in your ntp.conf file, for non-trusted senders.

    Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.
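
An added example, not part of the comment above or of the NTP Project's advisory: a small Python audit that lists the `restrict` entries in an ntp.conf which still let non-trusted senders issue ntpq/ntpdc queries, the condition the quoted `noquery` mitigation closes. The sample config, the function names and the loopback-only trusted list are assumptions made for illustration.

```python
# Either flag stops ntpd answering ntpq/ntpdc (mode 6/7) queries from a sender.
BLOCKS_QUERIES = {"noquery", "ignore"}

# Constructed sample ntp.conf, not taken from a real host.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify   # lab subnet
server 0.pool.ntp.org iburst
"""

def parse_restrict(line):
    """Return (address, flags) for a restrict line, or None for anything else."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    if tokens[0] in ("-4", "-6"):          # optional address-family qualifier
        tokens = tokens[1:]
    if not tokens:
        return None
    address, tokens = tokens[0], tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "mask":
        tokens = tokens[2:]                # skip "mask <netmask>"
    return address, set(tokens)

def audit(conf_text, trusted=("127.0.0.1", "::1")):
    """List (line_number, text) for entries that still permit queries.

    `trusted` holds addresses exactly as written in the file (assumption:
    only loopback is trusted); line number 0 marks a file-level finding.
    """
    trusted = set(trusted)
    findings, has_default = [], False
    for number, line in enumerate(conf_text.splitlines(), 1):
        entry = parse_restrict(line)
        if entry is None:
            continue
        address, flags = entry
        has_default = has_default or address == "default"
        if address not in trusted and not flags & BLOCKS_QUERIES:
            findings.append((number, line.strip()))
    if not has_default:                    # ntpd's built-in default has no flags
        findings.append((0, "no 'restrict default' entry"))
    return findings

if __name__ == "__main__":
    for number, text in audit(SAMPLE_CONF):
        print(f"line {number}: {text}")
```

On the constructed sample it reports the IPv4 default entry and the lab subnet entry, both of which restrict modification but not queries.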