Slashdot Mirror


Apple Pushes First Automated OS X Security Update

PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol: The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc. A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.


  1. It should be noted that... by carlhaagen · · Score: 4, Informative

    ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

    1. Re:It should be noted that... by wisnoskij · · Score: 2

      So how long has Mac had this "enable automatic updates" option without using it? And why not? I imagine they have critical security updates all the time, why would they not automatically push these where enabled?

      --
      Troll is not a replacement for I disagree.
    2. Re:It should be noted that... by Anonymous Coward · · Score: 2, Funny

      Unlike Linux, there are almost never security updates for OS X, because OS X is secure.

    3. Re:It should be noted that... by Anonymous Coward · · Score: 3, Insightful

      At least it doesn't just reboot you while playing a game.
      Or when you turn your computer off you have to wait half an hour for all the updates to be installed.

    4. Re:It should be noted that... by Noah+Haders · · Score: 4, Informative

      Here's how to enable automatic security updates for your http://www.itworld.com/article...

      Here's how you can enable automatic app updates in OS X Mavericks. This will save you the time and trouble of updating apps on OS X Mavericks manually.

      1. Go to Settings.

      2. Go to the App Store.

      3. Click the Automatically Check for Updates check box.

      4. Click the Install App Updates check box.

    5. Re:It should be noted that... by suman28 · · Score: 4, Informative

      This is NOT true. I manually install updates on my machine because I do not like anything being installed without my knowledge. This morning, I woke up and opened up MBP. Next thing I know, I noticed a Tray Notification informing me that a Security Update has been installed. I only had one option, which was to close the notification. I was mildly irritated by this without a doubt.

    6. Re:It should be noted that... by BitZtream · · Score: 2

      First off, it didn't automatically install, it just downloaded a tiny patch that probably takes more traffic to request the download than the download itself. The news around this is BS.

      In order for automatic updates to be installed on their own, you have to enable automatic updates, like every other sane setup on the planet, by default.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    7. Re:It should be noted that... by jittles · · Score: 3, Informative

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

      You are incorrect. It automatically installed on three different macs that I own, and I never enable automatic update.

    8. Re:It should be noted that... by BasilBrush · · Score: 2, Informative

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates.

      Not true. I have not enabled automatic updates, and this update for the first time ever, installed all by itself. I got the notification in the top corner, but it was only to say that the security update had been installed. There was no option.

    9. Re:It should be noted that... by mrsquid0 · · Score: 4, Funny

      Not only is OS X secure, it is perfect and is the only door to nirvana.

      --
      Just because you are paranoid does not mean that no-one is out to get you.
  2. Also affects Linux - patch now! by hawkinspeter · · Score: 5, Informative

    This is a major bug in NTPd, so if you're using it on Linux, you'll want to patch it too (or switch to openNTP which isn't affected). The big problem is that it can be exploited with a single (specially crafted) UDP packet, so it's easy for malicious actors to probe lots of machines with very little overhead.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    1. Re:Also affects Linux - patch now! by the_B0fh · · Score: 2

      Anyone running a network of any significant size should have their own time servers. Anyone running Active Directory should have their own time servers.

      So, it *is* reasonable to firewall that off in a network of any significant size.

    2. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 2

      Yes, but often the easiest way to set up a time server is to sync with a time server on the internet (e.g. ntp.pool org). As far as I can tell, a big reason for people to use NTP is that they don't have a reliable atomic clock of their own, so they sync with other people who do.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    3. Re:Also affects Linux - patch now! by sydsavage · · Score: 5, Informative

      Completely wrong. You do not need to open a port to sync with an external time source any more than you need to open a port to browse the web. It is only necessary to open/forward a port if you wish to allow others to sync to you from the external network. But you shouldn't do this unless you have mitigated the potential for using your time server in an amplification attack.

    4. Re:Also affects Linux - patch now! by Dr.+Evil · · Score: 4, Informative

      UDP is stateless.

      Given the list of ntp servers is generally known based on your OS type, and the ephemeral port range is somewhat limited, it doesn't take a lot to guess the sourceip:sourceport->destip:destport combination which would allow you to spoof a packet which will traverse your firewall. UDP packets are cheap so you can send a lot of them over time and wait until you observe an indicator of compromise.

      e.g., 1.rhel.pool.ntp.org:123->victim:[32768-61000]

      You can't do this for web browsers because TCP is stateful.

    5. Re:Also affects Linux - patch now! by jeffmeden · · Score: 2

      Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.

      From the description of the bugs, they are related to a server being queried and not related to the expected response. So, only when running ntpd as an internet-facing daemon do you have a problem. It's also a much more convoluted attack to spoof a response from a time server, assuming the attacker hasn't used the vulnerability to take control of the one you happen to be using. Since these vulnerabilities are not in a configuration a reputable time server is likely to use (i.e. the NIST servers) the general public is pretty safe.

    6. Re:Also affects Linux - patch now! by hawkinspeter · · Score: 2

      I believe this is made easier as NTPd sends from port 123 whereas openNTP uses a random port.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    7. Re:Also affects Linux - patch now! by virtual_mps · · Score: 2

      Firewalls which do stateful inspection of NTP conversations are exceedingly rare. So if you follow the normal practice and have a "stateful" UDP port open on the firewall to a given external NTP server, it's not possible for the firewall to distinguish between a response packet from the external NTP server and a query packet spoofed to appear to be originating from the external NTP server. That is, a client will be potentially vulnerable to spoofed packets from any IP it uses as a server.

    8. Re:Also affects Linux - patch now! by virtual_mps · · Score: 2

      Note that most machines running OSX would be vulnerable to spoofed packets from the same IP (the apple NTP server)...
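Dr. Evil's and virtual_mps's point above is that a firewall keyed only on the UDP 5-tuple cannot tell a genuine reply from the upstream apart from a query spoofed to come from it, but the NTP header can: a client only expects mode 4 (server) replies from an upstream, so a control (mode 6) or private (mode 7) packet from that address is anomalous. This is an added detection example, not code from the thread or from ntpd; the upstream address and the packets are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# NTP association modes carried in the low three bits of the first header byte
# (RFC 5905): 3 = client, 4 = server reply, 6 = control (ntpq), 7 = private (ntpdc).
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}

def ntp_mode(payload: bytes) -> int:
    """Mode field of an NTP packet: first byte is LI(2 bits) VN(3 bits) Mode(3 bits)."""
    if not payload:
        raise ValueError("empty UDP payload")
    return payload[0] & 0x07

def flag_spoofed_upstream(packets: Iterable[Tuple[str, int, bytes]],
                          upstreams: Iterable[str]) -> List[str]:
    """Given (src_ip, src_port, payload) for inbound UDP/123 packets and the client's
    configured upstream servers, report packets that arrive from an upstream address
    but are not the mode-4 server replies a client expects from it. A firewall that
    matches only on the 5-tuple passes all of these through unchanged."""
    trusted = {ipaddress.ip_address(u) for u in upstreams}
    findings = []
    for src_ip, src_port, payload in packets:
        if ipaddress.ip_address(src_ip) not in trusted:
            continue  # non-upstream sources are outside this check's scope
        mode = ntp_mode(payload)
        if mode != 4:
            findings.append(f"{src_ip}:{src_port} mode {mode} "
                            f"({MODE_NAMES.get(mode, 'reserved')})")
    return findings

# Constructed sample traffic (not captured from the thread); 192.0.2.10 and
# 198.51.100.7 are documentation addresses, payloads are padded to NTP lengths.
UPSTREAMS = ["192.0.2.10"]
SAMPLE_PACKETS = [
    ("192.0.2.10", 123, bytes([0x24]) + bytes(47)),     # LI=0 VN=4 mode 4: normal reply
    ("192.0.2.10", 123, bytes([0x26]) + bytes(11)),     # VN=4 mode 6: control query
    ("192.0.2.10", 123, bytes([0x27]) + bytes(7)),      # VN=4 mode 7: private query
    ("198.51.100.7", 40000, bytes([0x26]) + bytes(11)), # not an upstream: ignored here
]
```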

  3. Change log? by DigiShaman · · Score: 2

    Is that what that is?! I just saw a pop-up telling me an OS X update applied when I returned to my desk. Curious, I checked the updates and didn't see anything new installed today. I figured it was some malware clickbait popup that came and went from inactivity on my end.

    --
    Life is not for the lazy.
    1. Re:Change log? by Jayfar · · Score: 2

      Same here.
      Popup without ANY indication what was installed or why.
      No mention of anything in AppStore Update history either.
      They do that already for regular security updates.
      Why not for the auto-pushed one?
      At least I would have expected to see a "Security update automatically installed on December 23. Click here for more info." message.

      I agree. You can find the install info, but not in the App Store where you'd expect to see it.
      About this Mac -> More Info (opens System Info) - under Software, click on Installations, then click on the Install Date header to sort.

  4. Also note by OzPeter · · Score: 4, Informative

    They only update back to Mountain Lion.

    --
    I am Slashdot. Are you Slashdot as well?
  5. Re:Can this be disabled? by carlhaagen · · Score: 5, Informative

    Yes, the automatic updating is a controllable setting, and to contrast one detail against Windows: In my 9 years of using OS X, it has never done an automatic REBOOT during OS update, no matter if I've had automatic updates enabled or not.

  6. Also by koan · · Score: 3, Informative

    You can turn this off in system preferences > app store

    --
    "If any question why we died, Tell them because our fathers lied."
  7. Put restrict ... noquery in your ntp.conf file by ctime · · Score: 4, Informative

    http://support.ntp.org/bin/view/Main/SecurityNotice

    Buffer overflow in ctl_putdata()
    References: Sec 2668 / CVE-2014-9295 / VU#852879
    Versions: All NTP4 releases before 4.2.8
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8) 18 Dec 2014
    Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
    Mitigation - any of:
    Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    Put restrict ... noquery in your ntp.conf file, for non-trusted senders.
    Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

    1. Re:Put restrict ... noquery in your ntp.conf file by hawkinspeter · · Score: 3, Interesting

      I hadn't spotted the "restrict ... noquery" mitigation (which luckily I already had in place), but wouldn't servers still be susceptible to spoofed packets from one of the trusted servers?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
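An audit of the `restrict ... noquery` mitigation quoted from the NTP notice above, which also speaks to hawkinspeter's question: any restrict scope left without `noquery`, a trusted upstream included, still has its control queries processed, so that scope is exactly what a spoofed packet from the upstream's address would fall under. This is an added example, not the thread's or the NTP Project's code; the sample ntp.conf texts and the 192.0.2.10 address are constructed.

```python
from typing import FrozenSet, List, Optional, Tuple
Restrict = Tuple[str, Optional[str], FrozenSet[str]]   # (address, mask, flags)
LOOPBACK = {"127.0.0.1", "::1"}   # local ntpq access is normally intended

def parse_restricts(conf: str) -> List[Restrict]:
    """Pull every `restrict` directive out of an ntp.conf text."""
    rules = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()   # strip comments and blank lines
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):  # optional address-family flag
            tokens = tokens[1:]
        if not tokens:
            continue
        address, tokens = tokens[0], tokens[1:]
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        rules.append((address, mask, frozenset(tokens)))
    return rules

def query_exposed(conf: str) -> List[str]:
    """Scopes whose senders ntpd will still answer control queries for: restrict
    lines lacking `noquery`/`ignore`, or no `restrict default` line at all."""
    rules = parse_restricts(conf)
    findings = []
    if not any(address == "default" for address, _, _ in rules):
        findings.append("default (no restrict default line)")
    for address, mask, flags in rules:
        if address in LOOPBACK or {"noquery", "ignore"} & flags:
            continue
        findings.append(address + (f" mask {mask}" if mask else ""))
    return findings

# Constructed samples (not from the thread); 192.0.2.10 is a documentation address
WEAK_CONF = """
server 0.pool.ntp.org iburst
restrict default nomodify notrap      # control queries from anyone still answered
restrict 192.0.2.10 nomodify notrap   # "trusted" upstream left queryable
restrict 127.0.0.1
"""
HARDENED_CONF = """
server 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.0.2.10 nomodify notrap noquery   # noquery even for the upstream
restrict 127.0.0.1
"""
```

Run `query_exposed` over a real ntp.conf to list the scopes the notice's mitigation still leaves open; an empty list means every non-loopback scope carries `noquery`.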
  8. Re:Can this be disabled? by XxtraLarGe · · Score: 2

    How many times have we seen people who set their updates to Automatic in a Windows environment get in trouble when an update mangles their system? I know people who say, "I always get every update as soon as they come out" then bitch when an update did something to their system.

    Can this auto-update be turned off or changed to manual?

    Yes, but the system is opt-in, not opt-out. I always wait for a few days before updating, just to see if there are any problems reported. This helped me to miss out on some doozies. Thankfully, I saw the report on the latest Microsoft update before running it on my work machine.

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
  9. Re:Can this be disabled? by smooth+wombat · · Score: 4, Insightful

    If you do manual updates you can wait to see if anything is broken before installing them. There is never a need to be the first one to get an update. Let some other poor sucker suffer the slings and arrows of breakage.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  10. Re:Can this be disabled? by Guy+Harris · · Score: 2

    It has never done an automatic REBOOT during OS update

    Lol.. that just means it replaced the files on disk.

    You've been running with the vulnerable libraries/executable loaded in memory until you restarted the OS or whatever program loaded those files.

    At least on the machines in our household (Mountain Lion and Mavericks), NTPD was restarted as part of the update process, without an OS reboot.

  11. Not true by jbolden · · Score: 2

    I don't have automatic updates installed. I like to decide on the when. It installed and just notified me of the installation. Worked as intended.