Slashdot Mirror


Apple Pushes First Automated OS X Security Update

PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol: The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc. A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.

15 of 115 comments

  1. It should be noted that... by carlhaagen · · Score: 4, Informative

    ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

    1. Re:It should be noted that... by Anonymous Coward · · Score: 3, Insightful

      At least it doesn't just reboot you while playing a game.
      Or when you turn your computer off you have to wait half an hour for all the updates to be installed.

    2. Re:It should be noted that... by Noah+Haders · · Score: 4, Informative

      Here's how to enable automatic security updates for your http://www.itworld.com/article...

      Here's how you can enable automatic app updates in OS X Mavericks. This will save you the time and trouble of updating apps on OS X Mavericks manually.

      1. Go to Settings.

      2. Go to the App Store.

      3. Click the Automatically Check for Updates check box.

      4. Click the Install App Updates check box.

    3. Re:It should be noted that... by suman28 · · Score: 4, Informative

      This is NOT true. I manually install updates on my machine because I do not like anything being installed without my knowledge. This morning, I woke up and opened up MBP. Next thing I know, I noticed a Tray Notification informing me that a Security Update has been installed. I only had one option, which was to close the notification. I was mildly irritated by this without a doubt.

    4. Re:It should be noted that... by jittles · · Score: 3, Informative

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

      You are incorrect. It automatically installed on three different Macs that I own, and I never enable automatic update.

    5. Re:It should be noted that... by mrsquid0 · · Score: 4, Funny

      Not only is OS X secure, it is perfect and is the only door to nirvana.

      --
      Just because you are paranoid does not mean that no-one is out to get you.
  2. Also affects Linux - patch now! by hawkinspeter · · Score: 5, Informative

    This is a major bug in NTPd, so if you're using it on Linux, you'll want to patch it too (or switch to openNTP which isn't affected). The big problem is that it can be exploited with a single (specially crafted) UDP packet, so it's easy for malicious actors to probe lots of machines with very little overhead.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    1. Re:Also affects Linux - patch now! by sydsavage · · Score: 5, Informative

      Completely wrong. You do not need to open a port to sync with an external time source any more than you need to open a port to browse the web. It is only necessary to open/forward a port if you wish to allow others to sync to you from the external network. But you shouldn't do this unless you have mitigated the potential for using your time server in an amplification attack.

    2. Re:Also affects Linux - patch now! by Dr.+Evil · · Score: 4, Informative

      UDP is stateless.

      Given the list of ntp servers is generally known based on your OS type, and the ephemeral port range is somewhat limited, it doesn't take a lot to guess the sourceip:sourceport->destip:destport combination which would allow you to spoof a packet which will traverse your firewall. UDP packets are cheap so you can send a lot of them over time and wait until you observe an indicator of compromise.

      e.g., 1.rhel.pool.ntp.org:123->victim:[32768-61000]

      You can't do this for web browsers because TCP is stateful.

  3. Also note by OzPeter · · Score: 4, Informative

    They only update back to Mountain Lion.

    --
    I am Slashdot. Are you Slashdot as well?
  4. Re:Can this be disabled? by carlhaagen · · Score: 5, Informative

    Yes, the automatic updating is a controllable setting, and to contrast one detail against Windows: In my 9 years of using OS X, it has never done an automatic REBOOT during OS update, no matter if I've had automatic updates enabled or not.

  5. Also by koan · · Score: 3, Informative

    You can turn this off in system preferences > app store

    --
    "If any question why we died, Tell them because our fathers lied."
  6. Put restrict ... noquery in your ntp.conf file by ctime · · Score: 4, Informative

    http://support.ntp.org/bin/view/Main/SecurityNotice

    Buffer overflow in ctl_putdata()

    References: Sec 2668 / CVE-2014-9295 / VU #852879
    Versions: All NTP4 releases before 4.2.8
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8) 18 Dec 2014

    Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

    Mitigation - any of:

    Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.

    Put restrict ... noquery in your ntp.conf file, for non-trusted senders.

    Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

    1. Re:Put restrict ... noquery in your ntp.conf file by hawkinspeter · · Score: 3, Interesting

      I hadn't spotted the "restrict ... noquery" mitigation (which luckily I already had in place), but wouldn't servers still be susceptible to spoofed packets from one of the trusted servers?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
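
Added example, not part of the thread or of the NTP Project's notice: a small Python check that lists the `restrict` entries in an ntp.conf which would still let a matching sender issue ntpq/ntpdc queries, that is, entries carrying neither `noquery` nor `ignore`. The sample configuration is constructed, and treating loopback as a trusted sender is an assumption.

```python
# Flags that make ntpd drop ntpq/ntpdc (mode 6/7) queries from a matching sender.
BLOCKS_QUERIES = {"noquery", "ignore"}
# Assumption: loopback is a trusted sender (local ntpq use) and is not reported.
TRUSTED = {"127.0.0.1", "::1"}

# Constructed sample ntp.conf, not taken from any real host.
SAMPLE_CONF = """\
# constructed example
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
server 0.pool.ntp.org iburst
"""

def parse_restrict(line):
    """Return (target, flags) for a restrict line, or None for any other line."""
    words = line.split("#", 1)[0].split()
    if len(words) < 2 or words[0] != "restrict":
        return None
    words = words[1:]
    if words[0] in ("-4", "-6") and len(words) > 1:   # address-family qualifier
        words = words[1:]
    target, words = words[0], words[1:]
    if len(words) >= 2 and words[0] == "mask":
        target, words = target + "/" + words[1], words[2:]
    return target, set(words)

def audit(conf_text):
    """List (line_number, target) for restrict entries that still allow queries."""
    findings, has_default = [], False
    for number, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_restrict(line)
        if parsed is None:
            continue
        target, flags = parsed
        has_default = has_default or target == "default"
        if target not in TRUSTED and not flags & BLOCKS_QUERIES:
            findings.append((number, target))
    if not has_default:
        # With no default entry, ntpd applies no restriction flags to unmatched senders.
        findings.append((0, "default (absent)"))
    return findings

if __name__ == "__main__":
    for number, target in audit(SAMPLE_CONF):
        print(f"line {number}: restrict {target} still allows queries")
```

Each reported entry is one to review against the notice's "non-trusted senders" wording; an entry for a subnet you do trust can stay as it is.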
  7. Re:Can this be disabled? by smooth+wombat · · Score: 4, Insightful

    If you do manual updates you can wait to see if anything is broken before installing them. There is never a need to be the first one to get an update. Let some other poor sucker suffer the slings and arrows of breakage.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower