Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
OS X Security Apple IT

Apple Pushes First Automated OS X Security Update 115

PC Magazine reports (as does Ars Technica) that Apple this week has pushed its first automated security update, to address critical flaws relating to Network Time Protocol: The flaws were revealed last week by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute—the latter of which identified a number of potentially affected vendors, including FreeBSD Project, NTP Project, OmniTI, and Watchguard Technologies, Inc. A number of versions of the NTP Project "allow attackers to overflow several buffers in a way that may allow malicious code to be executed," the Carnegie Mellon/DHS security bulletin said. ... The company's typical security patches come through Apple's regular software update system, and often require users to move through a series of steps before installing. This week's update, however, marks Cupertino's first implementation of its automated system, despite having introduced the function two years ago, Reuters said.
This discussion has been archived. No new comments can be posted.

Apple Pushes First Automated OS X Security Update

Comments Filter:
  • by carlhaagen ( 1021273 ) on Tuesday December 23, 2014 @11:34AM (#48660409)
    ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.
    • by NMBob ( 772954 )
      One of my four Macs was set to install things automatically, and I still had to respond to the above stuff manually. I don't know if it would have gotten around to it eventually or not.
    • So how long has Mac had this, "enable automatic updates" option, without using it? And why not? I imagine they have critical security updates all the time, why would they not automatically push these where enabled?
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Unlike Linux, there are almost never security updates for OS X, because OS X is secure.

      • First off, it didn't automatically install, it just downloaded a tiny patch that probably takes more traffic to request the download than the download itself. The news around this is BS.

        In order for automatic updates to be installed on their own, you have to enable automatic updates, like every other sane setup on the planet, by default.

    • by suman28 ( 558822 ) <suman28 AT hotmail DOT com> on Tuesday December 23, 2014 @02:05PM (#48661605)
      This is NOT true. I manually install updates on my machine because I do not like anything being installed without my knowledge. This morning, I woke up and opened up MBP. Next thing I know, I noticed a Tray Notification informing me that a Security Update has been installed. I only had one option, which was to close the notification. I was mildly irritated by this without a doubt.
      • I saw the notification yesterday and thought that I had some kind of malware. There's no record of it in the update history either, which would have been helpful.

        I'm still pretty irritated that the update was installed without my knowledge, since I depend on my computer to be stable for my day to day work and can't afford any downtime with a botched update (which has happened before).
    • by jittles ( 1613415 ) on Tuesday December 23, 2014 @02:58PM (#48662123)

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates. If you haven't, it takes the same form regular updates do: a little dialog pops up in the corner of the desktop alerting you about the update, asking what you want to do.

      You are incorrect. It automatically installed on three different macs that I own, and I never enable automatic update.

    • Re: (Score:2, Informative)

      by BasilBrush ( 643681 )

      ...while "automatic", it does not install automatically unless you've enabled automatic software updates.

      Not true. I have not enabled automatic updates, and this update for the first time ever, installed all by itself. I got the notification in the top corner, but it was only to say that the security update had been installed. There was no option.

    • I don't have automatic updates installed. I like to decide on the when. It installed and just notified me of the installation. Worked as intended.

  • by hawkinspeter ( 831501 ) on Tuesday December 23, 2014 @11:36AM (#48660423)
    This is a major bug in NTPd, so if you're using it on Linux, you'll want to patch it too (or switch to openNTP which isn't affected). The big problem is that it can be exploited with a single (specially crafted) UDP packet, so it's easy for malicious actors to probe lots of machines with very little overhead.
    • by Imagix ( 695350 )
      While yes, patch your servers.... but do you really have your NTP port exposed to the world? Ever hear of a firewall?
      • Re: (Score:2, Insightful)

        Really, what's one of those?

        If you close all your NTP ports you're not going to be able to sync with a time source on the internet. Once you allow responses to your NTP queries, then you can be spoofed and compromised.
        • Anyone running a network of any significant size should have their own time servers. Anyone running Active Directory should have their own time servers.

          So, it *is* reasonable to firewall that off in a network of any significant size.

          • Yes, but often the easiest way to set up a time server is to sync with a time server on the internet (e.g. ntp.pool org). As far as I can tell, a big reason for people to use NTP is that they don't have a reliable atomic clock of their own, so they sync with other people who do.
            • by Anonymous Coward

              There are time devices that are GPS based, for this very reason. No need to connect over the Internet, no need for an atomic clock.

              • I'd always thought they were expensive, specialist devices, but it looks like you can get pci express cards for laptops quite cheaply. I'd imagine you'd want to position the aerial outside of a server room though.
              • Exactly. Buy it, pop it on the network, give it a DNS name, and update your GPO or puppet.conf and you're done.

        • by sydsavage ( 453743 ) on Tuesday December 23, 2014 @12:04PM (#48660675)

          Completely wrong. You do not need to open a port to sync with an external time source any more than you need to open a port to browse the web. It is only necessary to open/forward a port if you wish to allow others to sync to you from the external network. But you shouldn't do this unless you have mitigated the potential for using your time server in an amplification attack.

          • Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.
            • by Anonymous Coward
              Translation of parent post: "OK, what I said earlier was wrong, but instead of just saying so I'm going to backpedal and try to find some shred of sense in it. Never mind that it requires an attacker to have seized control of the time server so that he could "spoof" a response. And also never mind that that wouldn't be a spoof."
              • Thanks for your translation, it's most helpful. I don't see why you need to seize control of a server to spoof a response as spoofing implies that you're faking the response so it looks like it's come from the respective server.
                • How would they do that? You created the connection to the proper server. They are not connecting to you, so there's no spoofing.
                  • As it's stateless UDP, there's not much of a connection to the proper server. All you need to do is send the appropriate source and destination ports and IP address and you're good. It would involve waiting for an outgoing request and then sending spoofed packets that look like they are a reply. The one with the right ports will be allowed through the firewall as it looks like a reply.
            • Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.

              From the description of the bugs, they are related to a server being queried and not related to the expected response. So, only when running ntpd as an internet-facing daemon do you have a problem. It's also a much more convoluted attack to spoof a response from a time server, assuming the attacker hasn't used the vulnerability to take control of the one you happen to be using. Since these vulnerabilities are not in a configuration a reputable time server is likely to use (i.e. the NIST servers) the gene

              • That's reassuring, but I wonder why Apple have rushed out this update. How many OSX users run a public NTP server?
              • Firewalls which do stateful inspection of NTP conversations are exceedingly rare. So if you follow the normal practice and have a "stateful" UDP port open on the firewall to a given external NTP server, it's not possible for the firewall to distinguish between a response packet from the external NTP server and a query packet spoofed to appear to be originating from the external NTP server. That is, a client will be potentially vulnerable to spoofed packets from any IP it uses as a server.

                • Note that most machines running OSX would be vulnerable to spoofed packets from the same IP (the apple NTP server)...

          • by Dr. Evil ( 3501 ) on Tuesday December 23, 2014 @12:51PM (#48661013)

            UDP is stateless.

            Given the list of ntp servers is generally known based on your OS type, and the ephermal port range is somewhat limited, it doesn't take a lot to guess the sourceip:sorceport->destip:destport combination which would allow you to spoof a packet which will traverse your firewall. UDP packets are cheap so you can send a lot of them over time and wait until you observe an indicator of compromise.

            e.g., 1.rhel.pool.ntp.org:123->victim:[32768-61000]

            You can't do this for web browsers because TCP is stateful.

          • I removed openNTP and installed tlsdate on my systems. I recommend looking into it.

      • ever heard of employees so incompetent with computers exposing servers to them is worse than exposing to internet?

        "we has met the enemy, and they is us" - Pogo

  • by koan ( 80826 )

    What else can they "push"...

    • Apple can't push anything without user opting-in to auto updates. I didn't so received notification of update I had to manually install

      • by koan ( 80826 )

        That involves trusting Apple, I'm not doing that after all the things we have seen over the years.

        • by reikae ( 80981 )

          But in that case you're probably not running OS X anyway, so the automatic updates are a moot point.

          • by koan ( 80826 )

            That's a nonsense point, the question is "Can Apple push whatever they want?" Not "Do I use OS X"
            and the answer is "We don't know, and they can not be trusted"
            This same question can be asked of Google, Microsoft and Linux (Redhat, Ubuntu) as well.

            If you don't think they are complicit with the US (and other nations) security agencies that's your right to believe that.
            IMO The evidence today shows they are, and the only thing they worry about is dependability.

            "they" being Apple/Google/Microsoft complex

            • by reikae ( 80981 )

              Why is it nonsense? I don't think updates require significantly more trust in a vendor than using their operating system in the first place does. If they wanted to push in any way malicious updates, they could have built in a way to bypass the normal update mechanism altogether or hide it in a Trojan horse.

              • by koan ( 80826 )

                they could have built in a way to bypass the normal update mechanism altogether or hide it in a Trojan horse.

                What makes you think they haven't?

                Why do you trust them?

                • by reikae ( 80981 )

                  I suppose I misunderstood your first post I replied to. I thought you meant you wouldn't want to install updates because you don't trust Apple and I was curious why, in that case, would you trust OS X in the first place.

                  I don't use a Mac myself, so let's swap Microsoft in there instead. I think it's not entirely unlikely that they would be able to install updates without prompting me in any way, if it was in their interest. Usefulness of the system outweighs the likelihood of them screwing me over, hence I

            • by koan ( 80826 )

              Dependability should be deniability.

              Interesting there is no correct spelling offered for "deniability" even though it's underlined.

      • Re: (Score:1, Flamebait)

        by BasilBrush ( 643681 )

        Apple can't push anything without user opting-in to auto updates.

        As multiple people are reporting, they can, and are as of this update. Your assumption is wrong.

        • wrong, those are just shit-heads who forgot they answered "yes" when installing. The typical kind of lowlife that consume 95% of an IT department's time

          • by jbolden ( 176878 )

            There are two settings:

            Allow updates automatically
            Install system data files and security updates

            The 2nd is different from the 1st. The 2nd is what this went across as while most updates use the first mechanism.

            • Re: (Score:1, Troll)

              by BasilBrush ( 643681 )

              Yeah. Looks like the second appeared in Mountain Lion, and the default was ticked, even though "Allow updates automatically" wasn't.

              So most people who have had "Allow updates automatically" unchecked for years won't have ever seen the newer option.

              I'm not complaining. But some people will have room to do so.

    • by jbolden ( 176878 )

      Anything they want. Apple is trusted by its customers and uses this mechanism rarely as the lead mentioned. 2 years and this is the first time.

      • by koan ( 80826 )

        Apple is trusted by its customers

        Why? Why would you ever trust a company like Apple, or for that matter Google or Microsoft, why is trust even on the table?

        Because the truth is you simply can not trust these corporations, they have shown that multiple times.

        • by jbolden ( 176878 )

          Why? Why would you ever trust a company like Apple

          History and an alignment of interests. You have to trust somewhere, life is simply too complex to do everything yourself. So you put faith where it is warranted and then verify when easy.

          Because the truth is you simply can not trust these corporations, they have shown that multiple times.

          I don't see that with Apple. I don't trust them not to overcharge me for hardware. I do trust them to mostly have my best interests at heart in using their stuff bec

          • by koan ( 80826 )

            For trust to enter into your relationship with Apple shows how poorly you approach the relationship, that's why there are business contracts, that's why there are warranties, because "trust" should never be an issue that needs discussing, for the simple reason they can not be trusted without their having a sense of "loss of profit".
            Your "dissatisfaction" wouldn't enter into it if they thought they could continue to make money.

            You trust people you know face to face, you do not trust a corporation with a hist

  • How many times have we seen people who set their updates to Automatic in a Windows environment get in trouble when an update mangles their system? I know people who say, "I always get every update as soon as they come out" then bitch when an update did something to their system.

    Can this auto-update be turned off or changed to manual?

    • by carlhaagen ( 1021273 ) on Tuesday December 23, 2014 @11:39AM (#48660457)
      Yes, the automatic updating is a controllable setting, and to contrast one detail against Window: In my 9 years of using OS X, it has never done an automatic REBOOT during OS update, no matter if I've had automatic updates enabled or not.
    • They would fo gotten in trouble either way. Unless you are suggesting that the average user never install any security updates?
    • How many times have we seen people who set their updates to Automatic in a Windows environment get in trouble when an update mangles their system? I know people who say, "I always get every update as soon as they come out" then bitch when an update did something to their system.

      Can this auto-update be turned off or changed to manual?

      Yes, but the system is opt-in, not opt-out [apple.com]. I always wait for a few days before updating, just to see if there are any problems reported. This helped me to miss out on some doozies. Thankfully, I saw the report on the latest Microsoft update [microsoft.com] before running it on my work machine.

    • Though it can be disabled, the folks at Apple seem to have been VERY conservative about which updates they mark as "automatic" - only this one update in two years. All other updates have been released as needing user approval first.

      So by having it on, you are NOT subjecting yourself to the same level of crap as Windows users who automatically install all sorts of random updates every single month. You're only getting the most critical updates, one small update every couple of years.

      I came in to work this m

      • by kybred ( 795293 )

        Had I done that, and had "allow automatic updates" turned off, my machine would have been been vulnerable for two weeks until I came back. I'm glad this one was automatically installed, while al of the other lower-priority updates have always awaited my approval.

        I would imagine that the timing of this is one reason why it was pushed this way. As you point out, a lot of machines would be unattended until after New Year's and would be patched until then.

    • In my time in IT, that's what I've seen. There was an update to the 3com 905 drivers back in the day that BSOD's systems, since then there have been more rigorous driver testing. After that there was the recent Windows 7 update that had a problem on some systems. We didn't see any issues on any of our some 400 Windows 7 systems, but I did verify it was real. MS rolled it back with another automated patch.

      Oh and I suppose XP SP3 though that wasn't automatic, and the only systems it "broke" were ones with Mal

  • by account_deleted ( 4530225 ) on Tuesday December 23, 2014 @11:37AM (#48660443)
    Comment removed based on user account deletion
    • by Anonymous Coward

      Same here.
      Popup without ANY indication what was installed or why.
      No mention of anything in AppStore Update history either.
      They do that already for regular security updates.
      Why not for the auto-pushed one ?
      At least I would have expected to see a "Security update automatically installed on December 23. Click here for more info." message.

      • by Jayfar ( 630313 )

        Same here.
        Popup without ANY indication what was installed or why.
        No mention of anything in AppStore Update history either.
        They do that already for regular security updates.
        Why not for the auto-pushed one ?
        At least I would have expected to see a "Security update automatically installed on December 23. Click here for more info." message.

        I agree. You can find the install info, but not in the App Store where you'd expect to see it.
        About this Mac -> More Info (opens System Info) - under Software, click on Installations, then click on the Install Date header to sort.

    • by rwyoder ( 759998 )

      Is that what that is?! I just saw a pop-up telling me an OS X update applied when I returned to my desk. Curious, I checked the updates and didn't seen anything new installed today. I figured it was some malware clickbait popup that came and went from inactivity on my end.

      Same thing happened to me.
      I have the App Store setting configured to *download*, but *not* install automatically.
      It installed anyway.
      I verified it by checking the version of the ntpd binary.
      And the App Store update tab does *not* show it was installed.

      So I went to another Mac, booted it, and immediately brought up App Store updates.
      It showed the update, and I selected it for installation.
      On that Mac it now *does* show the update is installed.

      This is broken behavior.

      • by rwyoder ( 759998 )

        I just noticed something: While I have "Install OXS X updates" set to off, there is another checkbox for "Install system data files and security updates" which was checked. That must be why it installed automatically. But the fact the App Store updates does not show it installed it still lame.

  • Also note (Score:5, Informative)

    by OzPeter ( 195038 ) on Tuesday December 23, 2014 @11:37AM (#48660445)

    They only update back to Mountain Lion.

  • Also (Score:3, Informative)

    by koan ( 80826 ) on Tuesday December 23, 2014 @11:39AM (#48660459)

    You can turn this off in system preferences > app store

  • by ctime ( 755868 ) on Tuesday December 23, 2014 @11:41AM (#48660469)
    http: //support.ntp.org/bin/view/Main/SecurityNotice Buffer overflow in ctl_putdata() References: Sec 2668 / CVE - 2014 - 9295 / VU #852879 Versions: All NTP4 releases before 4.2.8 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. Mitigation - any of: Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. Put restrict ... noquery in your ntp.conf file, for non-trusted senders. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. w
  • The ntpd source should have been re-architected and rewritten years ago.

    .
    The trouble is the the ntp.org project seems to be more concerned about adding every last neat new feature, and less concerned about the quality of the software they push upon the world.

    It's the openssl fiasco all over again.

    • by stox ( 131684 )

      Which is why PHK just released ntimed.

    • yeah openbsd project noticed that a decade ago: http://www.openntpd.org/ [openntpd.org]

    • The NTP people are generally more concerned about accurate & precise network time than about security. If security is your goal (and you're willing to compromise on highly accurate time) you're almost certainly better off with a SNTP solution intended to be simple and secure.

      • Let me fix that typo for you...

        .
        The NTP people are generally more concerned about accurate & precise network time than about code quality or security.

        • You can add a petty subjective clause if you want to, but the point remains--choose the tool that's right for the job you're trying to do.

          And crap code or not, it's probably keeping more accurate time than the NTP server that you wrote. ;-)

          • You can add a petty subjective clause if you want to...

            I don't consider code quality to be a petty thing.

            .
            I have not written a NTP server.

  • a large number of people cant install 10.10.1 as it stops at "about 4 minutes remaining" and just sits there for days. Apple refuses to acknowlege the problem or offer a solution.

    • by Anonymous Coward

      The same thing happened for some people installing 10.10.0. Your network is broke. Fix your router, your AV/firewall software, your proxy server that is caching the incomplete download or go to an Apple Store or a local coffee shop and download from their network; it takes about 20 minutes.

      If nothing else, download the complete standalone installer and update via that:

      http://support.apple.com/kb/DL1779?viewlocale=en_US&locale=en_US

      There are lots and lots of solutions available for people that bother to

    • by antdude ( 79039 )

      It was a major security fix. 10.10.1 is not a security issue.

  • Is my MacBook really running an ntp daemon? Huh, yes it is:

    $ ps ax | grep ntp
    32950 ?? Ss 0:00.26 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift

    How about that. When I first read this, I kinda figured it only applied to OS X server, and that on a normal Mac there would just be a periodic script that updates the clock via ntpdate. But it makes sense to have a daemon running, clock has to be accurate on wake to access network shares and the like.

  • I haven't updated to 10.10 yet, because they demand my credit card information for the "free" update; I refuse to put it into their system, even temporarily.

  • I suppose this thread is as as close as I'll get... Anyone else have high CPU displaying Slashdot on Safari?

    I usually keep /. open all day in a tab, but lately I've occasionally been getting /. tabs burning through all of my CPU on some tabs, according to ActivityMonitor. I assume it has something to do with the new ads, since it's intermittent, but it's been difficult to flag exactly which ad content has been causing this. Just updated to Safari 8.0.2 this morning, and it's still occurring.

    Usually use Sa

  • Vulnerabilities are low, I read that the update is about a component of the OS which relates to network time protocol (NTP), which is used for synchronizing clocks on computer systems...So updates need not matter..

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...