Slashdot Mirror
Apple Pushes First Automated OS X Security Update
PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol:
The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc.
A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.
Really, what's one of those?
If you close all your NTP ports you're not going to be able to sync with a time source on the internet. Once you allow responses to your NTP queries, then you can be spoofed and compromised.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
If you do manual updates you can wait to see if anything is broken before installing them. There is never a need to be the first one to get an update. Let some other poor sucker suffer the slings and arrows of breakage.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
At least it doesn't just reboot you while playing a game.
Or when you turn your computer off you have to wait half an hour for all the updates to be installed.