Apple Pushes First Automated OS X Security Update
PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol:
The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc.
A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.
It should be noted that... (Score:5, Informative)
Re: (Score:1)
Re:It should be noted that... (Score:5, Informative)
Here's how to enable automatic security updates for your http://www.itworld.com/article... [itworld.com]
Here's how you can enable automatic app updates in OS X Mavericks. This will save you the time and trouble of updating apps on OS X Mavericks manually.
1. Go to Settings.
2. Go to the App Store.
3. Click the Automatically Check for Updates check box.
4. Click the Install App Updates check box.
Re: (Score:3)
Re: (Score:2, Funny)
Unlike Linux, there are almost never security updates for OS X, because OS X is secure.
Re:It should be noted that... (Score:5, Funny)
Not only is OS X secure, it is perfect and is the only door to nirvana.
Re: (Score:3)
First off, it didn't automatically install, it just downloaded a tiny patch that probably takes more traffic to request the download than the download itself. The news around this is BS.
In order for automatic updates to be installed on their own, you have to enable automatic updates, like every other sane setup on the planet, by default.
Re: (Score:2)
What you assume is incorrect. Automatic updates are not enabled on my Mac, and this update was the first ever that installed all by itself, merely notifying me after it had done so.
It installed automatically on my Mavericks machine with a notification afterwards. The option I have checked that allowed it is: System Preferences -> App Store -> and checkbox "Install system data files and security updates"
Re: (Score:1)
Re: (Score:1)
Re: (Score:3, Insightful)
At least it doesn't just reboot you while playing a game.
Or when you turn your computer off you have to wait half an hour for all the updates to be installed.
Re:It should be noted that... (Score:5, Informative)
Re: (Score:2)
I'm still pretty irritated that the update was installed without my knowledge, since I depend on my computer to be stable for my day to day work and can't afford any downtime with a botched update (which has happened before).
Re:It should be noted that... (Score:4, Informative)
...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.
You are incorrect. It automatically installed on three different Macs that I own, and I never enable automatic update.
Re: (Score:2, Informative)
...while "automatic", it does not install automatically unless you've enabled automatic software updates.
Not true. I have not enabled automatic updates, and this update, for the first time ever, installed all by itself. I got the notification in the top corner, but it was only to say that the security update had been installed. There was no option.
Not true (Score:3)
I don't have automatic updates installed. I like to decide on the when. It installed and just notified me of the installation. Worked as intended.
Also affects Linux - patch now! (Score:5, Informative)
Re: (Score:2)
Re: (Score:2, Insightful)
If you close all your NTP ports you're not going to be able to sync with a time source on the internet. Once you allow responses to your NTP queries, then you can be spoofed and compromised.
Re: (Score:3)
Anyone running a network of any significant size should have their own time servers. Anyone running Active Directory should have their own time servers.
So, it *is* reasonable to firewall that off in a network of any significant size.
Re: (Score:3)
Re: (Score:1)
There are time devices that are GPS based, for this very reason. No need to connect over the Internet, no need for an atomic clock.
Re: (Score:2)
Re: (Score:2)
Exactly. Buy it, pop it on the network, give it a DNS name, and update your GPO or puppet.conf and you're done.
Re:Also affects Linux - patch now! (Score:5, Informative)
Completely wrong. You do not need to open a port to sync with an external time source any more than you need to open a port to browse the web. It is only necessary to open/forward a port if you wish to allow others to sync to you from the external network. But you shouldn't do this unless you have mitigated the potential for using your time server in an amplification attack.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.
From the description of the bugs, they are related to a server being queried and not related to the expected response. So, only when running ntpd as an internet-facing daemon do you have a problem. It's also a much more convoluted attack to spoof a response from a time server, assuming the attacker hasn't used the vulnerability to take control of the one you happen to be using. Since these vulnerabilities are not in a configuration a reputable time server is likely to use (i.e. the NIST servers) the gene
Re: (Score:2)
Re: (Score:3)
Firewalls which do stateful inspection of NTP conversations are exceedingly rare. So if you follow the normal practice and have a "stateful" UDP port open on the firewall to a given external NTP server, it's not possible for the firewall to distinguish between a response packet from the external NTP server and a query packet spoofed to appear to be originating from the external NTP server. That is, a client will be potentially vulnerable to spoofed packets from any IP it uses as a server.
Re: (Score:3)
Note that most machines running OS X would be vulnerable to spoofed packets from the same IP (the Apple NTP server)...
Re:Also affects Linux - patch now! (Score:5, Informative)
UDP is stateless.
Given the list of NTP servers is generally known based on your OS type, and the ephemeral port range is somewhat limited, it doesn't take a lot to guess the sourceip:sourceport->destip:destport combination which would allow you to spoof a packet which will traverse your firewall. UDP packets are cheap so you can send a lot of them over time and wait until you observe an indicator of compromise.
e.g., 1.rhel.pool.ntp.org:123->victim:[32768-61000]
You can't do this for web browsers because TCP is stateful.
Re: (Score:3)
Re: Also affects Linux - patch now! (Score:2)
I removed openNTP and installed tlsdate on my systems. I recommend looking into it.
Re: (Score:2)
Ever heard of employees so incompetent with computers that exposing servers to them is worse than exposing them to the internet?
"we has met the enemy, and they is us" - Pogo
FFS (Score:1)
What else can they "push"...
Re: (Score:2)
Apple can't push anything without the user opting in to auto updates. I didn't, so I received a notification of an update I had to manually install.
Re: (Score:1)
That involves trusting Apple, I'm not doing that after all the things we have seen over the years.
Re: (Score:2)
But in that case you're probably not running OS X anyway, so the automatic updates are a moot point.
Re: (Score:1)
That's a nonsense point. The question is "Can Apple push whatever they want?", not "Do I use OS X?"
And the answer is "We don't know, and they cannot be trusted."
This same question can be asked of Google, Microsoft and Linux (Redhat, Ubuntu) as well.
If you don't think they are complicit with the US (and other nations) security agencies that's your right to believe that.
IMO The evidence today shows they are, and the only thing they worry about is dependability.
"they" being Apple/Google/Microsoft complex
Re: (Score:2)
Why is it nonsense? I don't think updates require significantly more trust in a vendor than using their operating system in the first place does. If they wanted to push in any way malicious updates, they could have built in a way to bypass the normal update mechanism altogether or hide it in a Trojan horse.
Re: (Score:1)
they could have built in a way to bypass the normal update mechanism altogether or hide it in a Trojan horse.
What makes you think they haven't?
Why do you trust them?
Re: (Score:2)
I suppose I misunderstood your first post I replied to. I thought you meant you wouldn't want to install updates because you don't trust Apple and I was curious why, in that case, would you trust OS X in the first place.
I don't use a Mac myself, so let's swap Microsoft in there instead. I think it's not entirely unlikely that they would be able to install updates without prompting me in any way, if it was in their interest. Usefulness of the system outweighs the likelihood of them screwing me over, hence I
Re: (Score:1)
Dependability should be deniability.
Interesting there is no correct spelling offered for "deniability" even though it's underlined.
Re: (Score:1, Flamebait)
Apple can't push anything without user opting-in to auto updates.
As multiple people are reporting, they can, and are as of this update. Your assumption is wrong.
Re: (Score:2)
wrong, those are just shit-heads who forgot they answered "yes" when installing. The typical kind of lowlife that consume 95% of an IT department's time
Re: (Score:2)
There are two settings:
Allow updates automatically
Install system data files and security updates
The 2nd is different from the 1st. The 2nd is what this went across as while most updates use the first mechanism.
Re: (Score:1, Troll)
Yeah. Looks like the second appeared in Mountain Lion, and the default was ticked, even though "Allow updates automatically" wasn't.
So most people who have had "Allow updates automatically" unchecked for years won't have ever seen the newer option.
I'm not complaining. But some people will have room to do so.
Re: (Score:2)
Anything they want. Apple is trusted by its customers and uses this mechanism rarely as the lead mentioned. 2 years and this is the first time.
Re: (Score:1)
Apple is trusted by its customers
Why? Why would you ever trust a company like Apple, or for that matter Google or Microsoft? Why is trust even on the table?
Because the truth is you simply cannot trust these corporations; they have shown that multiple times.
Re: (Score:2)
History and an alignment of interests. You have to trust somewhere, life is simply too complex to do everything yourself. So you put faith where it is warranted and then verify when easy.
I don't see that with Apple. I don't trust them not to overcharge me for hardware. I do trust them to mostly have my best interests at heart in using their stuff bec
Re: (Score:1)
For trust to enter into your relationship with Apple shows how poorly you approach the relationship. That's why there are business contracts, that's why there are warranties: "trust" should never be an issue that needs discussing, for the simple reason that they cannot be trusted without their having a sense of "loss of profit".
Your "dissatisfaction" wouldn't enter into it if they thought they could continue to make money.
You trust people you know face to face, you do not trust a corporation with a hist
Can this be disabled? (Score:2)
How many times have we seen people who set their updates to Automatic in a Windows environment get in trouble when an update mangles their system? I know people who say, "I always get every update as soon as they come out" then bitch when an update did something to their system.
Can this auto-update be turned off or changed to manual?
Re:Can this be disabled? (Score:5, Informative)
Re: (Score:3)
It has never done an automatic REBOOT during OS update
Lol.. that just means it replaced the files on disk.
You've been running with the vulnerable libraries/executable loaded in memory until you restarted the OS or whatever program loaded those files.
At least on the machines in our household (Mountain Lion and Mavericks), NTPD was restarted as part of the update process, without an OS reboot.
Re: (Score:2)
It is infinitely preferable to the Windows way of doing things, where the update process can basically say (using the default settings) 'Fuck you and your open documents, we're going to reboot NOW'. The mind boggles at the level of disrespect that shows.
Can things be improved? Probably. But until they are, I prefer the OS that lets me reboot on MY schedule.
Re: (Score:2)
Re:Can this be disabled? (Score:5, Insightful)
If you do manual updates you can wait to see if anything is broken before installing them. There is never a need to be the first one to get an update. Let some other poor sucker suffer the slings and arrows of breakage.
Re: (Score:3)
How many times have we seen people who set their updates to Automatic in a Windows environment get in trouble when an update mangles their system? I know people who say, "I always get every update as soon as they come out" then bitch when an update did something to their system.
Can this auto-update be turned off or changed to manual?
Yes, but the system is opt-in, not opt-out [apple.com]. I always wait for a few days before updating, just to see if there are any problems reported. This helped me to miss out on some doozies. Thankfully, I saw the report on the latest Microsoft update [microsoft.com] before running it on my work machine.
Yes, but one every two years. Christmas vacation (Score:1)
Though it can be disabled, the folks at Apple seem to have been VERY conservative about which updates they mark as "automatic" - only this one update in two years. All other updates have been released as needing user approval first.
So by having it on, you are NOT subjecting yourself to the same level of crap as Windows users who automatically install all sorts of random updates every single month. You're only getting the most critical updates, one small update every couple of years.
I came in to work this m
Re: (Score:2)
Had I done that, and had "allow automatic updates" turned off, my machine would have been vulnerable for two weeks until I came back. I'm glad this one was automatically installed, while all of the other lower-priority updates have always awaited my approval.
I would imagine that the timing of this is one reason why it was pushed this way. As you point out, a lot of machines would be unattended until after New Year's and would be patched until then.
Ummmm... About twice in 16 years (Score:2)
In my time in IT, that's what I've seen. There was an update to the 3com 905 drivers back in the day that BSOD'd systems; since then there has been more rigorous driver testing. After that there was the recent Windows 7 update that had a problem on some systems. We didn't see any issues on any of our some 400 Windows 7 systems, but I did verify it was real. MS rolled it back with another automated patch.
Oh and I suppose XP SP3 though that wasn't automatic, and the only systems it "broke" were ones with Mal
Comment removed (Score:3)
Re: (Score:1)
Same here.
Popup without ANY indication what was installed or why.
No mention of anything in AppStore Update history either.
They do that already for regular security updates.
Why not for the auto-pushed one?
At least I would have expected to see a "Security update automatically installed on December 23. Click here for more info." message.
Re: (Score:3)
Same here.
Popup without ANY indication what was installed or why.
No mention of anything in AppStore Update history either.
They do that already for regular security updates.
Why not for the auto-pushed one?
At least I would have expected to see a "Security update automatically installed on December 23. Click here for more info." message.
I agree. You can find the install info, but not in the App Store where you'd expect to see it.
About this Mac -> More Info (opens System Info) - under Software, click on Installations, then click on the Install Date header to sort.
Re: (Score:2)
Is that what that is?! I just saw a pop-up telling me an OS X update applied when I returned to my desk. Curious, I checked the updates and didn't see anything new installed today. I figured it was some malware clickbait popup that came and went from inactivity on my end.
Same thing happened to me.
I have the App Store setting configured to *download*, but *not* install automatically.
It installed anyway.
I verified it by checking the version of the ntpd binary.
And the App Store update tab does *not* show it was installed.
So I went to another Mac, booted it, and immediately brought up App Store updates.
It showed the update, and I selected it for installation.
On that Mac it now *does* show the update is installed.
This is broken behavior.
Re: (Score:2)
I just noticed something: While I have "Install OS X updates" set to off, there is another checkbox for "Install system data files and security updates" which was checked. That must be why it installed automatically. But the fact that the App Store updates tab does not show it installed is still lame.
Also note (Score:5, Informative)
They only update back to Mountain Lion.
Re: (Score:2)
Re: (Score:2)
You will have to patch your system manually. [macissues.com]
Re: (Score:2)
Re: (Score:2)
They only update back to Mountain Lion.
True. You can nevertheless patch older versions of OS X manually. [macissues.com]
Also (Score:3, Informative)
You can turn this off in system preferences > app store
Put restrict ... noquery in your ntp.conf file (Score:5, Informative)
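The `restrict ... noquery` advice in this post is easy to get half right, so here is an added example (not from the thread, Apple or ntp.org) that audits an ntp.conf for the restriction flags a hardened client should carry. The required flag set and the sample configurations are constructed for this example, and the sample server name is assumed.

```python
"""Audit an ntp.conf for the 'restrict ... noquery' hardening.

Assumption of this example: the default restriction should deny mode 6/7
queries (noquery), runtime reconfiguration (nomodify), traps (notrap) and
peering (nopeer), and every configured server should have its own restrict
line so a spoofed reply from its address cannot do more than a reply should.
"""

REQUIRED_DEFAULT = {"noquery", "nomodify", "notrap", "nopeer"}


def parse_ntp_conf(text):
    """Return (servers, restricts): server names and {target: set(flags)}."""
    servers, restricts = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("server", "peer", "pool") and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "restrict" and len(parts) > 1:
            i = 1
            if parts[i] in ("-4", "-6") and len(parts) > 2:  # address family
                i += 1
            target = parts[i]
            flags = set()
            i += 1
            while i < len(parts):
                if parts[i] == "mask":  # 'restrict NET mask MASK flags...'
                    i += 2
                    continue
                flags.add(parts[i])
                i += 1
            restricts.setdefault(target, set()).update(flags)
    return servers, restricts


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the config passes."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default' line: any host may query or reconfigure ntpd")
    else:
        missing = REQUIRED_DEFAULT - default
        if missing:
            findings.append("restrict default lacks: " + ", ".join(sorted(missing)))
        if "noquery" not in default:
            findings.append("mode 7 queries (e.g. monlist) answered: amplification risk")
    for host in servers:
        if host not in restricts:
            findings.append("server %s has no matching restrict line" % host)
    return findings


# Constructed sample configs; the server name is an assumption.
WEAK_CONF = "server time.example.net\ndriftfile /var/db/ntp.drift\n"
HARDENED_CONF = """
driftfile /var/db/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server time.example.net
restrict time.example.net nomodify notrap nopeer noquery
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["OK"])
```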
Re:Put restrict ... noquery in your ntp.conf file (Score:4, Interesting)
NTPd is a mess that needs to be replaced (Score:2, Interesting)
The trouble is that the ntp.org project seems to be more concerned about adding every last neat new feature, and less concerned about the quality of the software they push upon the world.
It's the openssl fiasco all over again.
Re: (Score:2)
Which is why PHK just released ntimed.
Re: (Score:2)
Yeah, the OpenBSD project noticed that a decade ago: http://www.openntpd.org/ [openntpd.org]
Re: (Score:1)
no newer release because it is mature software
If you want the latest version, that's inside openbsd, why not use an OS in your product that has emphasis on robustness, security and correctness (to specs and in algorithms used) ?
Re: (Score:2)
The NTP people are generally more concerned about accurate & precise network time than about security. If security is your goal (and you're willing to compromise on highly accurate time) you're almost certainly better off with an SNTP solution intended to be simple and secure.
Re: (Score:2)
The NTP people are generally more concerned about accurate & precise network time than about code quality or security.
Re: (Score:2)
You can add a petty subjective clause if you want to, but the point remains--choose the tool that's right for the job you're trying to do.
And crap code or not, it's probably keeping more accurate time than the NTP server that you wrote. ;-)
Re: (Score:2)
You can add a petty subjective clause if you want to...
I don't consider code quality to be a petty thing.
I have not written a NTP server.
How about they fix 10.10.1 first? (Score:1)
A large number of people can't install 10.10.1 as it stops at "about 4 minutes remaining" and just sits there for days. Apple refuses to acknowledge the problem or offer a solution.
Re: (Score:1)
The same thing happened for some people installing 10.10.0. Your network is broken. Fix your router, your AV/firewall software, or your proxy server that is caching the incomplete download, or go to an Apple Store or a local coffee shop and download from their network; it takes about 20 minutes.
If nothing else, download the complete standalone installer and update via that:
http://support.apple.com/kb/DL1779?viewlocale=en_US&locale=en_US
There are lots and lots of solutions available for people that bother to
Re: (Score:2)
It was a major security fix. 10.10.1 is not a security issue.
OS X Server? Nope (Score:2)
Is my MacBook really running an ntp daemon? Huh, yes it is:
$ ps ax | grep ntp
32950 ?? Ss 0:00.26 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
How about that. When I first read this, I kinda figured it only applied to OS X Server, and that on a normal Mac there would just be a periodic script that updates the clock via ntpdate. But it makes sense to have a daemon running; the clock has to be accurate on wake to access network shares and the like.
credit card (Score:1)
I haven't updated to 10.10 yet, because they demand my credit card information for the "free" update; I refuse to put it into their system, even temporarily.
Safari 8.0.2 and Slashdot (Score:2)
I suppose this thread is as close as I'll get... Anyone else have high CPU displaying Slashdot on Safari?
I usually keep /. open all day in a tab, but lately I've occasionally been getting /. tabs burning through all of my CPU on some tabs, according to ActivityMonitor. I assume it has something to do with the new ads, since it's intermittent, but it's been difficult to flag exactly which ad content has been causing this. Just updated to Safari 8.0.2 this morning, and it's still occurring.
Usually use Sa
Re: (Score:2)
BTW, I just checked my Safari Power Saver settings, so it's not that...
http://mac-fusion.com/manage-t... [mac-fusion.com]
(I only have plugins enabled on Youtube and SpeedTest.net)