Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Pushes First Automated OS X Security Update

Posted by timothy on from the little-cat-feet dept.

PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol: The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc. A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.

3 of 115 comments (clear)

  1. Also affects Linux - patch now! by hawkinspeter · · Score: 5, Informative

    This is a major bug in NTPd, so if you're using it on Linux, you'll want to patch it too (or switch to openNTP which isn't affected). The big problem is that it can be exploited with a single (specially crafted) UDP packet, so it's easy for malicious actors to probe lots of machines with very little overhead.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    1. Re:Also affects Linux - patch now! by sydsavage · · Score: 5, Informative

      Completely wrong. You do not need to open a port to sync with an external time source any more than you need to open a port to browse the web. It is only necessary to open/forward a port if you wish to allow others to sync to you from the external network. But you shouldn't do this unless you have mitigated the potential for using your time server in an amplification attack.

  2. Re:Can this be disabled? by carlhaagen · · Score: 5, Informative

    Yes, the automatic updating is a controllable setting, and to contrast one detail against Window: In my 9 years of using OS X, it has never done an automatic REBOOT during OS update, no matter if I've had automatic updates enabled or not.