Previewed at WWDC, launching in the fall.
Apple Issues Network Time Protocol Security Fix for OS X Users
Apple today released a new security update that’s designed to address a "critical security issue" with the Network Time Protocol service on OS X. Apple recommends that all Yosemite, Mavericks, and Mountain Lion users install the update "as soon as possible."
The update appears to address a problem that was highlighted by the U.S. Government on Friday, December 19 and originally discovered by the Google Security Team. The vulnerability has the potential to allow an attacker to execute arbitrary code using the privileges of the ntpd process.
Update: As noted by Reuters, this update marks the first time Apple has deployed an automatic security update, which can be installed without user authorization.
The update appears to address a problem that was highlighted by the U.S. Government on Friday, December 19 and originally discovered by the Google Security Team. The vulnerability has the potential to allow an attacker to execute arbitrary code using the privileges of the ntpd process.
Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.Apple has faced several vulnerabilities over the course of 2014, most recently releasing an OS X bash update in September to fix the “Shellshock” security flaw. Today’s security update can be downloaded from the Mac App Store.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
Products using NTP service prior to NTP–4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
Update: As noted by Reuters, this update marks the first time Apple has deployed an automatic security update, which can be installed without user authorization.
[ 214 comments ]
Top Rated Comments
(View all)
48 months ago
It's only 1.4MB (late 2013 iMac) so no problems whatsoever! :rolleyes:
1.4? I can install it using my floppy drive.
48 months ago
You have to love the ingenuity / desperation of hackers. Instead of getting a job...
You have to love that in 2014 people still equate hacking to unemployment.
48 months ago
You can install Yosemite on 7-year-old iMacs, hot shot.
Why would I do that? Snow Leopard works, and runs all my software properly. Later OSs add nothing of value to me, and, judging by comments on this board, causes problems that i don't currently have.
48 months ago
Is Snow Leopard impacted?
Yes it is, but apparently Apple no longer cares about the security of their Snow Leopard and Lion customers. You either upgrade your perfectly good software (if you can) or you're on your own.
Well, you could just buy a new Mac, which is what Apple wants you to do anyway.
48 months ago
You can install Yosemite on 7-year-old iMacs, hot shot.
Are you aware that Software Support isn't the same as Hardware Support?
48 months ago
Personally I find it inexcusable that apparently serious security bugs are not being patched in Snow Leopard/Lion. If people are suggesting you can compile it yourself with developer tools
doesn't that just prove Apple is putting some of its less advanced users at risk purely to try and sell them newer computers? I think it's fairly heinous behaviour if so.
As I've said numerous times before, no-one should expect eternal updates in terms of new features etc - that's what new versions of the OS are for, and what should attract users to upgrade. Of course it's unreasonable to expect Apple to develop new features for old OS versions that a few versions old.
However, when bad security vulnerabilities / flaws are discovered that apparently wouldn't take very much effort for Apple to patch, I think it's unconscionable to not provide security patches for machines that are otherwise still perfectly usable today other than having software Apple can't be bothered to support in the very slightest, narrow way. Apart from anything else, we know compromised machines are bad for everyone on the internet.
As I've said numerous times before, no-one should expect eternal updates in terms of new features etc - that's what new versions of the OS are for, and what should attract users to upgrade. Of course it's unreasonable to expect Apple to develop new features for old OS versions that a few versions old.
However, when bad security vulnerabilities / flaws are discovered that apparently wouldn't take very much effort for Apple to patch, I think it's unconscionable to not provide security patches for machines that are otherwise still perfectly usable today other than having software Apple can't be bothered to support in the very slightest, narrow way. Apart from anything else, we know compromised machines are bad for everyone on the internet.
48 months ago
You have to love the ingenuity / desperation of hackers. Instead of getting a job or writing code that would actually be useful and that people would pay for, they sit around figuring out the most obtuse ways to exploit a computer.
When a stupid game like Flappy Birds can make 20K per day, I'm hard pressed to believe that hacking computers and sending out SPAM is more profitable.
When a stupid game like Flappy Birds can make 20K per day, I'm hard pressed to believe that hacking computers and sending out SPAM is more profitable.
48 months ago
Here are the links:
Yosemite:
http://swcdn.apple.com/content/downloads/08/25/zzz031-15311/ka6aog9hkkerhk71sugqqfuzgojq6lwg0s/NTPUpdateYosemite.pkg
Mavericks:
http://swcdn.apple.com/content/downloads/40/01/zzz031-15352/4cvorafegnrim82vcazio5r7p9wienvf8c/NTPUpdateMavericks.pkg
Mountain Lion:
http://swcdn.apple.com/content/downloads/46/35/zzz031-15347/7mq66ox6wzz189b71kg0zyyj7wza9kr140/NTPUpdateMountainLion.pkg
UPDATE:
Apple have now posted them onto their support website:
Yosemite:
http://support.apple.com/kb/DL1782
Mavericks:
http://support.apple.com/kb/DL1783
Mountain Lion:
http://support.apple.com/kb/DL1781
Yosemite:
http://swcdn.apple.com/content/downloads/08/25/zzz031-15311/ka6aog9hkkerhk71sugqqfuzgojq6lwg0s/NTPUpdateYosemite.pkg
Mavericks:
http://swcdn.apple.com/content/downloads/40/01/zzz031-15352/4cvorafegnrim82vcazio5r7p9wienvf8c/NTPUpdateMavericks.pkg
Mountain Lion:
http://swcdn.apple.com/content/downloads/46/35/zzz031-15347/7mq66ox6wzz189b71kg0zyyj7wza9kr140/NTPUpdateMountainLion.pkg
UPDATE:
Apple have now posted them onto their support website:
Yosemite:
http://support.apple.com/kb/DL1782
Mavericks:
http://support.apple.com/kb/DL1783
Mountain Lion:
http://support.apple.com/kb/DL1781
48 months ago
If you can upgrade to Mavericks or Yosemite and choose not to, that's your own problem, regardless of much better you think Snow Leopard might be. If your Mac is unable to upgrade to either of those, then you do indeed have an old machine that you should either replace, use one of the available methods to install Mavericks or Yosemite, or just deal with the vulnerabilities.
Apple is a for-profit corporation, so it shouldn't be a surprise that they won't spend resources on six and seven year old machines. If you want software support decoupled from hardware support, switch to Windows.
It's little things like this that have been showing people like me, who many, many people depend on for their tech recommendations, and who bought into the Apple thing because they were supposed to be so much better than evil Microsoft, that Apple is now only just incredibly better at lying, also known known as Marketing. I keep what I have now, it all works fine, but Apple gets no more money from me. And by word of mouth, their reputation is going to hell.
----------
Fine, it's your choice. Don't upgrade your OS ever again. It's entirely your choice. I guess there are some people still using DOS who don't want to be troubled by bothersome new features such as access to the Internet or PNG graphics. Good luck to them if they're happy with what they've got.
Ah yes, ridicule, great argument technique. Interesting it is the technique both most employed, and most effectively employed by governments and corporations in their various mindshare campaigns when faced with troublesome facts or people.
48 months ago
Snow Leopard is approaching being 6 years old...
Here's another option for you: Turn off automatic time synching on Snow Leopard.
Microsoft supports their software for at least a decade.
With their yearly OS release schedule, Apple abandons software support after three years.
[ Read All Comments ]
MoviePass today announced new restrictions for its ever-changing movie service, with the company now limiting its subscribers to a choice of what appears to be six to seven movies per day.
On...
Microsoft Office appears to be experiencing activation issues on both Mac and PC today, according to several user reports on Twitter. MacRumors also received emails from multiple readers affected.
...
Sony today introduced its new XAV-AX210 receiver, which doubles as an aftermarket CarPlay and Android Auto system.
The XAV-AX210 is an update to Sony's year-old XAV-AX200 receiver, with...
Toyota has confirmed on its website that CarPlay is a standard feature in all 2019 Sienna models sold in the United States. This is the first model year of the Sienna equipped with Apple's in-car...
A Melbourne schoolboy has pleaded guilty to hacking into Apple's secure network after the company notified authorities of the intrusion (via The Age).
The teen, who can't be named for...
Google today launched its new cloud storage pricing scheme under the moniker Google One, which replaces all paid storage plans under the Google Drive brand.
The new plans include 100GB storage...
Calendar subscriptions offer a convenient way for you to stay up to date with everything from national holidays to the match fixtures for your favorite sports team. In this article, we'll show...
Apple recently updated its Maps app to expand the availability of transit directions to several new states.
Transit data is now available in areas of Vermont, New Hampshire, Maine, and Michigan....
