Apple Issues Network Time Protocol Security Fix for OS X Users

[LV426]

Are you aware that Software Support isn't the same as Hardware Support?

Of course I am. Why do you ask? The original assertion was that Apple abandons software support after three years, which is patently false. Apple provide upgrades to the latest OS version for little or zero cost. Upgrades from versions that are far older than three years.

 

[Dezlboy]

Hi....just curious. My software update went smoothly. But, just to see what would happen I downloaded the update package (from software update server link posted earlier).

That (second) install of software also seemed to go fine, with an "installed successfully". Did I mess up by installing the update twice? Would it really install twice?

I am asking because I might use the package to install update on Mom's computer, just in case her "automatic, but not showing as listed" install didn't install.

Thanks

 

[LV426]

Why would I do that? Snow Leopard works, and runs all my software properly. Later OSs add nothing of value to me, and, judging by comments on this board, causes problems that i don't currently have.

Fine, it's your choice. Don't upgrade your OS ever again. It's entirely your choice. I guess there are some people still using DOS who don't want to be troubled by bothersome new features such as access to the Internet or PNG graphics. Good luck to them if they're happy with what they've got.

 

[DaveN]

I believe that it has to be some sort of degenerate psychosis created by the anonymity of the internet. People have evolved over the last 20 years or so as the internet evolved to take pleasure in the misfortune of others. Its almost like the thrill of hacking a computer and knowing that you have ruined lives without being caught is the thing and the money is just the icing on the cake.

Sad but true. Look at the political discourse on the Internet these days. It is all about dragging the other person down instead of bringing ou the whole.

 

[dempson]

So are Snow Leopard and Lion

1) Not affected
2) No longer supported

?

Affected, but no longer supported.

Checking the versions:

Snow Leopard has ntpd 4.2.4-p4, Lion has ntpd 4.2.6, both of which are affected by the issue.

I haven't investigated if there is a way to protect against the bug being exploited (e.g. Little Snitch completely blocking network access by ntpd might be sufficient), but if you need to stick with those OS X versions, one option is to install developer tools and compile a newer ntpd yourself from the source code.

 

[iolinux333]

If you can upgrade to Mavericks or Yosemite and choose not to, that's your own problem, regardless of much better you think Snow Leopard might be. If your Mac is unable to upgrade to either of those, then you do indeed have an old machine that you should either replace, use one of the available methods to install Mavericks or Yosemite, or just deal with the vulnerabilities.

Apple is a for-profit corporation, so it shouldn't be a surprise that they won't spend resources on six and seven year old machines. If you want software support decoupled from hardware support, switch to Windows.

It's little things like this that have been showing people like me, who many, many people depend on for their tech recommendations, and who bought into the Apple thing because they were supposed to be so much better than evil Microsoft, that Apple is now only just incredibly better at lying, also known known as Marketing. I keep what I have now, it all works fine, but Apple gets no more money from me. And by word of mouth, their reputation is going to hell.

----------

Fine, it's your choice. Don't upgrade your OS ever again. It's entirely your choice. I guess there are some people still using DOS who don't want to be troubled by bothersome new features such as access to the Internet or PNG graphics. Good luck to them if they're happy with what they've got.

Ah yes, ridicule, great argument technique. Interesting it is the technique both most employed, and most effectively employed by governments and corporations in their various mindshare campaigns when faced with troublesome facts or people.

 

[dempson]

Help?! My mom said she also got the "security update automatically installed."
But, when I share her screen there are no updates available, AND, the security update is not listed as updates installed in last 30 days.

How can I tell if it got installed? And do automatic updates not show up as installed? Thanks!

The installation might be listed in System Information's system report under the Installations category. This lists App Store and manual installations. Automatic updates might be done in a way that App Store doesn't recognise so it doesn't list it.

The other way to check is to use Terminal to find the build of ntpd which is installed.

From the security release note:


To verify the ntpd version, type the following command in Terminal:

what /usr/sbin/ntpd

This update includes the following versions:

Mountain Lion: ntp-77.1.1
Mavericks: ntp-88.1.1
Yosemite: ntp-92.5.1


The 'what' command doesn't work on Lion and Snow Leopard. On those systems you can use:

ntpd --version

to show the version number of ntpd itself. This is 4.2.6 on Lion (and all later OS X versions), 4.2.4-p4 on Snow Leopard. ntpd versions earlier than 4.2.8 have the problem.

For Mountain Lion and later, Apple appears to have done a patch to their own build of ntpd 4.2.6, rather than using a newer version of ntpd. This means "ntpd --version" on Mountain Lion and later will not tell you whether the patch has been installed, because it will report a version number of 4.2.6 in either case.

----------

Did I mess up by installing the update twice? Would it really install twice?

Installing it twice doesn't hurt anything. It will just install the same files which were already there.

 

[iolinux333]

Pisses me off! I never even got the chance to see the update or approve it. I have everything set to require permission to download or install.

Which also means that Apple, or anyone Apple gives access to your machine, can reach right inside and do whatever they want. Cute.

Wow. Mind Blown. Hmm.

 

[ulyssesric]

The update appears to address a problem that was highlighted by the U.S. Government on Friday, December 19 and originally discovered by the Google Security Team.

Holy crap it's buffer overflow attack!! That's vintage. Reminds me of the first Morris worm in 80s.
Hard to believe we have lived with this bug for so many years, and nobody bothers to check the codes until now.

 

[MarcusCarpenter]

Help?! My mom said she also got the "security update automatically installed."
But, when I share her screen there are no updates available, AND, the security update is not listed as updates installed in last 30 days.

How can I tell if it got installed? And do automatic updates not show up as installed? Thanks!

Users can verify their ntpd version by opening Terminal and typing what /usr/sbin/ntpd. With the update installed, users should see the following versions:

Mountain Lion: ntp-77.1.1
Mavericks: ntp-88.1.1
Yosemite: ntp-92.5.1

[edit]didnt see post above, sorry[/edit]

 

[dfs]

Wow

This is the first time I can remember Apple issuing a self-intalling security update. Well okay, if Cupertino thinks it's so all-fire urgent. But I hope they don't get in the habit of pushing updates and upgrades in this way. In many cases, individual users should have the right of refusal.

 

[johnnyrebel]

I saw this too and was surprised by the auto-install, but zorinlynx explained here:
https://forums.macrumors.com/posts/20516495/
that you can switch off this auto-installing in System Preferences (under the App Store icon).
Initially (for a second or two) I was irked to see this installation but arguably it’s a little churlish to become irritated that you’re being safeguarded by the company whose products you use...

 

[R3k]

I despise people who don't apply security updates.

ProTip: Fixing malware-riddled computers is rather lucrative work, and doesn't require Adobe CS 6.

So you lucratively despise people for a living?

 

[Dezlboy]

T...The other way to check is to use Terminal to find the build of ntpd which is installed...

Dempson and MarcusCarpenter: Thank you so much for your assistance! Very much appreciated.

May I ask another question? I used the install pkg at the link provided at 5:17 by TYWEBB13. Can you confirm this is a legitimate site, thus an authentic file/package?

I checked the fingerprint of the package I downloaded, and it did not match the fingerprint in this Apple article at http://support.apple.com/en-us/HT202369 .

But, the fingerprint of the package I downloaded did match the fingerprint of the package for the "Digital Camera RAW Compatibility 6.02" package that came out Dec 15th. So, I think that the package I used was legit. Make sense?

 

[lhammer610]

Yes.

On Snow Leopard you have two options:


2. Install Xcode if you haven't already, and use brew, macports or compile the fixed ntp direct from source code to update it.

If only I had a clue what you are suggesting.....

I am sticking with Snow Leopard because of legacy PowerPC programs that I either cannot replace or choose not to spend money to upgrade to do the same things they do now.

I wish I knew what why level of risk is.

 

[dolphin842]

Any confirmation that disabling "Set date and time automatically" will avoid exposure to the vulnerability on Lion and earlier? It seems that disabling the setting quits the ntpd process.

But, the fingerprint of the package I downloaded did match the fingerprint of the package for the "Digital Camera RAW Compatibility 6.02" package that came out Dec 15th. So, I think that the package I used was legit. Make sense?

The best way to confirm authenticity is to make sure the installer window has a lock icon in the top right that, when clicked on, shows a valid Apple certificate. Most of Apple's downloads are via unencrypted HTTP connections, so the code-signing certificate in the installer is the most reliable way to confirm authenticity.

 

[OLDCODGER]

Fine, it's your choice. Don't upgrade your OS ever again. It's entirely your choice. I guess there are some people still using DOS who don't want to be troubled by bothersome new features such as access to the Internet or PNG graphics. Good luck to them if they're happy with what they've got.

What's NPG graphics?

 

[s15119]

It's little things like this that have been showing people like me, who many, many people depend on for their tech recommendations, and who bought into the Apple thing because they were supposed to be so much better than evil Microsoft, that Apple is now only just incredibly better at lying, also known known as Marketing. I keep what I have now, it all works fine, but Apple gets no more money from me. And by word of mouth, their reputation is going to hell..

Yup, they will have to burn all that money for heat.

 

[Tubamajuba]

It's little things like this that have been showing people like me, who many, many people depend on for their tech recommendations, and who bought into the Apple thing because they were supposed to be so much better than evil Microsoft, that Apple is now only just incredibly better at lying, also known known as Marketing. I keep what I have now, it all works fine, but Apple gets no more money from me. And by word of mouth, their reputation is going to hell.

First of all, I commend you for putting your money where your mouth is. More than anything said on an internet forum, voting with your wallet is the best way to tell companies how you feel.

Regarding the marketing thing, when has Apple actually lied as opposed to simply not living up to the expectation that you have placed on them given your interpretation of their marketing campaigns? Most Apple ads as of late don't even have many words, they just show people enjoying their products.

For example, if you interpret "It just works" to mean that every Apple product ever made will always work perfectly, then of course Apple lied. But no sane person would interpret that statement in such away. For that matter, nobody should ever make decisions based on marketing alone. I have never purchased an Apple product without seeing it in person and using it first. Separating marketing from reality is a basic skill that all able-minded people should possess, and no company should be held accountable for someone's lack of that skill- unless the company flat out lies. Again, I don't think that Apple has flat out lied in a very long time.

(To be clear, I am not trying to insinuate that you lack the ability to separate marketing from reality. I've seen your posts around here many times and know that you are intelligent. But I certainly know that a large segment of the public lacks the ability to do so, and it's quite alarming.)

Furthermore, Microsoft was indeed evil in comparison to Apple- ten to fifteen years ago. Today's Microsoft is a much more pleasant and nimble corporation that works with the market rather than against it. I sure hope people aren't stuck in the late 90's mentality that drove a wedge in between Mac and Windows users.

TL;DR- Take all marketing with a grain of salt, buy the product that works for you- Apple or otherwise.

 

[ctone]

Two of my Macs running 10.8.5 could not find this update using Software Update / App Store. They are set to not install any updates automatically. Another Mac running 10.8.5 notified me of the update and I installed it.

I tried to find the updates on Apple's site and couldn't. The Apple support site is a complete mess and nearly impossible to find anything, particularly downloads. It used to be great when there was a clear "downloads" link and a list of all downloads starting with the newest. Now it is hidden and everything is just icons. I eventually found one, but it is only the Yosemite update.

I saw the links earlier in this thread, but would obviously prefer to get it directly on Apple's site, or even better, through software update.

 

[scaredpoet]

So you lucratively despise people for a living?

I educate them, courteously, for a fee. If they refuse to be educated, then I despise them. That part's free.

 

[coolfactor]

Done.

Thanks for the heads up, MR

Yosemite simply announced that the update had been installed. I didn't even have to lift a finger, literally.

----------

It's little things like this that have been showing people like me, who many, many people depend on for their tech recommendations, and who bought into the Apple thing because they were supposed to be so much better than evil Microsoft, that Apple is now only just incredibly better at lying, also known known as Marketing. I keep what I have now, it all works fine, but Apple gets no more money from me. And by word of mouth, their reputation is going to hell.

People that claim that Apple is failing where they once excelled fail to realize that technology is getting ever increasingly complex. It is 100x more complex these days then it was 10 years ago. So many more factors to balance across. Applications are far more sophisticated. Devices are so much more capable. I think Apple is doing a stand-up job of adhering to their top-of-the-class principles and aiming to deliver a seamless, enjoyable experience. Sure, it's unfortunate when they don't execute with 100% perfection, like we all expect, but you need to admit that their products are still far outclassing the competition from end-to-end (note: not every single detail, but end-to-end overall).

 

[tywebb13]

Two of my Macs running 10.8.5 could not find this update using Software Update / App Store. They are set to not install any updates automatically. Another Mac running 10.8.5 notified me of the update and I installed it.

I tried to find the updates on Apple's site and couldn't. The Apple support site is a complete mess and nearly impossible to find anything, particularly downloads. It used to be great when there was a clear "downloads" link and a list of all downloads starting with the newest. Now it is hidden and everything is just icons. I eventually found one, but it is only the Yosemite update.

I saw the links earlier in this thread, but would obviously prefer to get it directly on Apple's site, or even better, through software update.

You do realise that the file you are after - and which was installed on one of your computers - came from http://swcdn.apple.com/content/down...71kg0zyyj7wza9kr140/NTPUpdateMountainLion.pkg ?

That's what the mac app store is supposed to get for mountain lion, but if that fails you can just use the direct link instead.

UPDATE:

Apple have now also posted it onto their support website at http://support.apple.com/kb/DL1781

 

[scaredpoet]

If only I had a clue what you are suggesting.....

I am sticking with Snow Leopard because of legacy PowerPC programs that I either cannot replace or choose not to spend money to upgrade to do the same things they do now.

I wish I knew what why level of risk is.

Then let me be blunt: the level of risk is high, and will grow higher with every new security threat. You are are already vulnerable to shellshock. With the NTP bug, that makes two high profile security vulnerabilities that you're not patching. It will only grow.

Sitting around, putting your fingers in your ears and saying "I don't know from these newfangled bugs!" and hoping nothing happens to your system isn't going to make the problem go away. If you insist on keeping Snow Leopard on your computer, then you need to learn how to use Brew or Macports to figure out how to compile and patch new versions of the low-level packages that run on your computer. That's the price you pay for wanting to run old software on the public Internet.

If that's not something you want to do, then you have other options:

1. Buy and learn VMware Fusion and install Snow Leopard in an isolated container, and run your old software in there while upgrading your main OS.

2. Upgrade and say goodbye to that old software, or

3. Buy an old, beat up Mac and disconnect it from the internet and run your old software that way. Or buy a new Mac with the current OS and use that for your internet usage.

Or you can continue to be willfully ignorant about security threats, in which case, good luck bro. You're gonna need it.

 

[dempson]

Dempson and MarcusCarpenter: Thank you so much for your assistance! Very much appreciated.

May I ask another question? I used the install pkg at the link provided at 5:17 by TYWEBB13. Can you confirm this is a legitimate site, thus an authentic file/package?

The links supplied by tywebb13 are the direct download links from Apple's software content distribution network. The URL starts with "http://swcdn.apple.com/", indicating it is a domain name owned by Apple. swcdn.apple.com is the site (actually a distributed network of sites) that Software Update uses to fetch updates, once the update is detected and identified as being needed for the computer.

I checked the fingerprint of the package I downloaded, and it did not match the fingerprint in this Apple article at http://support.apple.com/en-us/HT202369 .

But, the fingerprint of the package I downloaded did match the fingerprint of the package for the "Digital Camera RAW Compatibility 6.02" package that came out Dec 15th. So, I think that the package I used was legit. Make sense?

I think that Apple support article has some details wrong. I see the same SHA1 fingerprint on that certificate for every installer package I've downloaded from Apple, including some as far back as mid 2012, but it doesn't match either of the ones mentioned in that article (it starts with 1E 34 E3). The key point is the initial display without revealing details, which has a green tick saying the certificate is valid, and the fact that the certificate was issued by "Apple Software Update Certificate Authority", which is based on "Apple Root CA".