Apple Issues Network Time Protocol Security Fix for OS X Users

[IGregory]

I came here to see if the update was legit. The update icon and text did not look like an Apple update. I was concerned Apple's update site had hacked.

Update: Just completed the download and now the update has the OS X icon where before the update the icon was the generic padlock.

 

[HyperZboy]

You can install Yosemite on 7-year-old iMacs, hot shot.

Yeah, and 75% of them won't support any of the new features and you'll be left with tons of bugs. As a developer account, I filed 4 this week alone still not fixed that a person using Mavericks or below would not have.

So your point again? HAHA!

----------

Microsoft supports their software for at least a decade.

With their yearly OS release schedule, Apple abandons software support after three years.

Think again. Even Mac Pros sold within the last TWO YEARS don't even support some of the Yosemite features! That's just not acceptable.

 

[OLDCODGER]

Best of luck with that. I've used Ubuntu, it's a great OS, runs my web servers quite well. Just understand Ubuntu's standard support cycles: 6 months for mainstream updates, and 18 months for standard versions (yes, including security updates). The LTS cycles are 18 months mainstream and five years for security, of which 8 months of the most recent LTS has already gone by (leaving you 4 years, 4 months to go on security, and just 10 months to go on mainstream). The LTS security updates are about the same as the historical support cycles for OS X versions, and the mainstream support cycles are way, way less.

And all of those past, unsupported installations all have the same NTP bug that's got you riled up on the Mac today. The situation is no different there. Arguably even a bit "worse," assuming you like running outdated software. The answer to that is the same as on the Mac: Update your OS.

EDIT: My bad... starting with the last version, Ubuntu reduced the non-LTS lifecycle to 9 months, from 18. Including security updates.

Thank you for the bug info. I appreciate it.

As for updating Ubuntu, that isn't a problem, due to my only needing it for web surfing - with the latest version of Firefox.

You see, software is the real problem with Apple OS updates - they may become obsolete, purely because Apple changed a file structure or something. Heck, I had enough of a problem in transferring my AppleWorks files over to Bean, so I see no reason for yet another change - which may well involve having to buy new software.

And the thought of losing access to my precious Power PC apps doesn't bear thinking about. Well, that and Sheepshaver, of course.

 

[Windlasher]

I have been involved with several network security profiles. Getting "in the head" of the people that write these pieces of malware. Typically, they are very strong talents that come from socially or economically suppressed backgrounds. If they were in an more open job market, most would code something much more productive.

I don't get that either. Maybe I'm just too old. I still believe in the "Build a better mousetrap" era.

----------

Are you actually out of your mind?
Penetration-testing, application/network-security etc. is a multi-billion dollar industry.
You know, because companies want to find critical bugs before blackhats do.
Kids these days...

Know your facts.

Kids? Im willing to put $50 on the line to the charity of your choice that I am older than you. (You of course have to match it if I win.)

Penetration testing is a great business. Viruses are NOT so why try to put words in my mouth. You know what I was talking about.

White Hats may have discovered it. There is a patch to prevent those who would exploit it from doing so.

This is why we have videos of UPS drivers stealing FED-EX packages and little suburban soccer moms driving from house to house stealing packages off porches. You might as well have said, "Locksmithing is a multi-billion dollar business." DUH!

----------

While I agree about "hackers," I'm just pointing out that actually a lot of these hackers do have jobs. You know their are companies/people who get paid just to try to hack into systems and figure out security flaws, right? So some of these "hackers" you're talking about actually do have jobs. Their job is just to do what they like to do.

TO WHOM IT MAY CONCERN.

I SINCERELY APOLOGIZE FOR USING THE PHRASE HACKERS.

What I meant to say was "People who find pleasure in exploiting the technical ignorance of others for financial gain who would use an exploit such as this to invade personal property and take advantage of those who might not have all day to read every tech block in the world and apply appropriate security measures."

IS THAT BETTER?

 

[allanfries]

This update auto downloaded and installed on my MBp, leaving a notification that all has been done. Gotta love it!

 

[Windlasher]

Yeah, and 75% of them won't support any of the new features and you'll be left with tons of bugs. As a developer account, I filed 4 this week alone still not fixed that a person using Mavericks or below would not have.

So your point again? HAHA!

----------



Think again. Even Mac Pros sold within the last TWO YEARS don't even support some of the Yosemite features! That's just not acceptable.

YEP: Im running Yosemite on a 2008 Mac Pro. It runs awesome, but doesn't support handoff. Oh, well!

 

[LV426]

Yeah, and 75% of them won't support any of the new features and you'll be left with tons of bugs. As a developer account, I filed 4 this week alone still not fixed that a person using Mavericks or below would not have.

So your point again? HAHA!

----------



Think again. Even Mac Pros sold within the last TWO YEARS don't even support some of the Yosemite features! That's just not acceptable.

There are tons of bugs in any OS you choose under the sun. Any of them. But you can be sure that OS vendors will always be putting most effort into addressing the latest version.

Guess what? New devices get new capabilities. My iPhone 5s can't do Apple Pay. Is that also not acceptable in your cosy world?

Since you enjoy a bit of laughter, I'll join along and have a giggle at your everlasting love for outdated code.

 

[Robert.Walter]

Is Snow Leopard impacted?

By this maybe. By everything else over the last year(s) likely.

 

[dempson]

I installed OS X NTP Security Update 1.0 from the app store, Updates section. All that seems to have happened is time stamp updates to

/usr/sbin/ntpd
and
/private/etc/ntp-restrict.conf

Neither file has changed byte wise, although diff does report ntp differs, but no diff in ntp-restrict.conf

Comparing before and after 10.8.5 systems with reference to the list of files from the installer package, I see the following files have content changes:

/usr/bin/ntp-keygen
/usr/bin/ntpq
/usr/bin/sntp
/usr/sbin/ntpd
/usr/sbin/ntpdate
/usr/sbin/ntpdc

All of them are exactly the same length in bytes as before, but there are scattered changes inside each file, including changed bytes, inserted/deleted/moved blocks, and the identifier strings referenced by 'what' have ".1" appended to them.

They have clearly been rebuilt but without knowing more about the object format I can't say how the lengths happen to be exactly the same.

I expect that Apple has applied a patch to the branched version of ntpd they were already using, rather than updating ntpd to a later trunk version. All should become clear once opensource.apple.com is updated to include the latest source files.

 

[Porco]

Personally I find it inexcusable that apparently serious security bugs are not being patched in Snow Leopard/Lion. If people are suggesting you can compile it yourself with developer tools… doesn't that just prove Apple is putting some of its less advanced users at risk purely to try and sell them newer computers? I think it's fairly heinous behaviour if so.

As I've said numerous times before, no-one should expect eternal updates in terms of new features etc - that's what new versions of the OS are for, and what should attract users to upgrade. Of course it's unreasonable to expect Apple to develop new features for old OS versions that a few versions old.

However, when bad security vulnerabilities / flaws are discovered that apparently wouldn't take very much effort for Apple to patch, I think it's unconscionable to not provide security patches for machines that are otherwise still perfectly usable today other than having software Apple can't be bothered to support in the very slightest, narrow way. Apart from anything else, we know compromised machines are bad for everyone on the internet.

 

[MH01]

Actually, with Microsoft, you're going to get a lot LESS time than you used to have, starting with the end of Windows XP support that happened last year. Mainstream support for Windows 7, for instance, ends on January 13. And with the move from Windows 8.1 to Windows 10, the rapid release cycle is being adopted by Microsoft as well. The paradigms between he two aren't nearly as far apart as you might think.




Yeah, about that....

Your not getting a lot less at all, your mixing Xp end of support with windows 7 mainstream support to imply Microsoft has changed its cycles to be shorter. Windows 7 will be supported till 2020.

Windows 8 support ends in 2023. Nothing has changed, the paradigms between the two are far apart.

 

[Robert.Walter]

I have a 2007 MacBook Pro in *great* (not "old, beat up") condition. It runs just fine, does everything I want, and there is no reason whatsoever I should replace it . . . except that it cannot be upgraded past Lion, because Apple has artificially limited their support for this older hardware.

I don't plan on replacing it for a few more years, so I guess I'm just SOL WRT security issues until then :/

Best example of "biting off one's nose to spite their face" that I have heard in a long time!

 

[Michaelgtrusa]

This update auto downloaded and installed on my MBp, leaving a notification that all has been done. Gotta love it!

Did the same for me. Installed by it self.

 

[EdDuPlessis]

Heh...Gizmodo reported this was the first ever automatic update on OS X. In fact Apple updates malware definitions in the background all the time.

 

[Anitramane]

How do I get this update package without using the app store? I can't find it on the apple support page.

 

[EdDuPlessis]

YEP: Im running Yosemite on a 2008 Mac Pro. It runs awesome, but doesn't support handoff. Oh, well!

Just install a new Airport Bluetooth card from MacVidCards. At least you can upgrade bits, most Macs get stuck with old standards.

 

[throttlemeister]

If Apple would take security seriously, they wouldn't be running something like ntp as root. There is no reason whatsoever that a daemon like ntp needs to run as root and OS X is probably the only system in the world that still does.

 

[GraniteTheWolf]

Here's another option for you: Turn off automatic time synching on Snow Leopard.

To be clear- turning off "set date and time automatically" in the Date & Time preferences closes off this security flaw for snow leopard? I have a 2006 c2duo iMac as a 3rd monitor I use for light tasks or use as TV/entertainment when my mac pro is rendering or busy.
Sometimes I also poke around on eBay with it but I have never logged into paypal or any other really important services with it.

Only side effect of this is to update the time manually every once in a while when it drifts out of time. No biggie there. This old cheap imac serves what I want perfectly.
It wouldn't kill me to have to sell it for a 20" newer one that can at least run mountain lion, I do plan to upgrade to one eventually anyway. I just don't want to right now because this old girl still has some life left for what I need it for.

Update went fine on my 2012 mac pro & 2010 macbook pro.

 

[kwokaaron]

Is it possible to 'force install' the Mountain Lion patch on a Lion system using pacifist? Or will that crash it or something?

 

[NSeven]

Don't see what everyone's getting all worked up about..

This fix is only really for users who run a stratum zero authority server. (Internet Time Server)

But its good that they have released for all users so fast.

 

[tywebb13]

How do I get this update package without using the app store? I can't find it on the apple support page.

They are there now:

Yosemite:

http://support.apple.com/kb/DL1782

Mavericks:

http://support.apple.com/kb/DL1783

Mountain Lion:

http://support.apple.com/kb/DL1781

Alternatively, use the direct links instead, which I posted earlier:

Here are the links:

Yosemite:

http://swcdn.apple.com/content/down...rhk71sugqqfuzgojq6lwg0s/NTPUpdateYosemite.pkg

Mavericks:

http://swcdn.apple.com/content/down...m82vcazio5r7p9wienvf8c/NTPUpdateMavericks.pkg

Mountain Lion:

http://swcdn.apple.com/content/down...71kg0zyyj7wza9kr140/NTPUpdateMountainLion.pkg

 

[lowendlinux]

You can install Yosemite on 7-year-old iMacs, hot shot.

And you can install 8.1 on a 7 year old computer too, but that's not the point.

 

[Badagri]

To be clear- turning off "set date and time automatically" in the Date & Time preferences closes off this security flaw for snow leopard? I have a 2006 c2duo iMac as a 3rd monitor I use for light tasks or use as TV/entertainment when my mac pro is rendering or busy.
Sometimes I also poke around on eBay with it but I have never logged into paypal or any other really important services with it.

Only side effect of this is to update the time manually every once in a while when it drifts out of time. No biggie there. This old cheap imac serves what I want perfectly.
It wouldn't kill me to have to sell it for a 20" newer one that can at least run mountain lion, I do plan to upgrade to one eventually anyway. I just don't want to right now because this old girl still has some life left for what I need it for.

Update went fine on my 2012 mac pro & 2010 macbook pro.

It's one of the reasons I've turned it off on Windows and Mac for so long. To see how slow or far ahead the time drifts.

 

[rdlink]

New versions of OS X have a lot of bugs and are usually slower than previous versions.

Not sure if you noticed, but I run those same operating systems, also. Where are your metrics for that broad, unfounded statement?

 

[fivenotrump]

Don't see what everyone's getting all worked up about..

This fix is only really for users who run a stratum zero authority server. (Internet Time Server)

But its good that they have released for all users so fast.

Not so: any public-facing NTP server - can be any stratum