Apple Pushes First Automated OS X Security Update
PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol:
The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc.
A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.
I hadn't spotted the "restrict ... noquery" mitigation (which luckily I already had in place), but wouldn't servers still be susceptible to spoofed packets from one of the trusted servers?
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe.
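For readers who, like the commenter above, want to see what the `restrict ... noquery` mitigation looks like in practice, here is an added example of an ntp.conf, not taken from the article or from any comment on this page. The `noquery` flag refuses the control-protocol queries that ntpq and ntpdc send (NTP mode 6 and 7 packets) while leaving ordinary time service untouched; `nomodify` and `notrap` refuse runtime configuration changes and trap registration; `nopeer` refuses unsolicited symmetric-active associations. The upstream server names are placeholders.

```conf
# Added example (not from the article or the comments): an ntp.conf that
# applies the default-deny "restrict" lines. Server hostnames are placeholders.

# Weak setting, shown for contrast: an unrestricted default lets any host
# send control queries (ntpq/ntpdc, mode 6/7) as well as time requests.
#   restrict default

# Hardened setting: serve time only; refuse control queries, runtime
# configuration changes, traps and unsolicited peers from everyone by default.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Localhost keeps full access so local "ntpq -p" diagnostics still work.
restrict 127.0.0.1
restrict ::1

# Upstream servers (placeholder names). ntpd matches "restrict" lines by
# source address, so with no more permissive line for these hosts the
# default line above also governs packets carrying their source address;
# time replies (client/server mode) are still accepted, control queries are not.
server 0.example-pool.invalid iburst
server 1.example-pool.invalid iburst

driftfile /var/lib/ntp/ntp.drift
```

After restarting ntpd, a quick check from a different host is `ntpq -c rv <your-ntp-host>`: with `noquery` in effect the query times out instead of returning the variables, while `ntpq -p` run locally still lists the peers.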
The trouble is the ntp.org project seems to be more concerned about adding every last neat new feature, and less concerned about the quality of the software they push upon the world.
It's the openssl fiasco all over again.