MacRumors

macrumors bot
Original poster



Apple today released a new security update that's designed to address a "critical security issue" with the Network Time Protocol service on OS X. Apple recommends that all Yosemite, Mavericks, and Mountain Lion users install the update "as soon as possible."

The update appears to address a problem that was highlighted by the U.S. Government on Friday, December 19 and originally discovered by the Google Security Team. The vulnerability has the potential to allow an attacker to execute arbitrary code using the privileges of the ntpd process.

Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.

These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.

Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.

Apple has faced several vulnerabilities over the course of 2014, most recently releasing an OS X bash update in September to fix the "Shellshock" security flaw. Today's security update can be downloaded from the Mac App Store.

Update: As noted by Reuters, this update marks the first time Apple has deployed an automatic security update, which can be installed without user authorization.

Article Link: Apple Issues Network Time Protocol Security Fix for OS X Users
 
You have to love the ingenuity / desperation of hackers. Instead of getting a job or writing code that would actually be useful and that people would pay for, they sit around figuring out the most obtuse ways to exploit a computer.

When a stupid game like Flappy Birds can make 20K per day, I'm hard pressed to believe that hacking computers and sending out SPAM is more profitable.
 
You have to love the ingenuity / desperation of hackers. Instead of getting a job or writing code that would actually be useful and that people would pay for, they sit around figuring out the most obtuse ways to exploit a computer.

When a stupid game like Flappy Birds can make 20K per day, I'm hard pressed to believe that hacking computers and sending out SPAM is more profitable.

Plenty of people out there that try with those scam eBay/PayPal/Apple emails and so on. It really is depressing just to know that there are some who dedicate almost all of their time to trying to reap from the misfortune of others online. :(
 
Good to see a security fix so quick. Installed, easy and quick.
 
You have to love the ingenuity / desperation of hackers. Instead of getting a job or writing code that would actually be useful and that people would pay for, they sit around figuring out the most obtuse ways to exploit a computer.

When a stupid game like Flappy Birds can make 20K per day, I'm hard pressed to believe that hacking computers and sending out SPAM is more profitable.

Sometimes they are not out there for the money. Some just want control of the computer to do stuff or to gain as much personal info as they can for various reasons. Lots of money in that also in some markets. But yeah, they do find clever ways around a system though.
 
Plenty of people out there that try with those scam eBay/PayPal/Apple emails and so on. It really is depressing just to know that there are some who dedicate almost all of their time to trying to reap from the misfortune of others online. :(

I'm having a hard time believing that it is actually motivated by money as much as it used to be since there are so many (easier) ways to make money online.

I believe that it has to be some sort of degenerate psychosis created by the anonymity of the internet. People have evolved over the last 20 years or so as the internet evolved to take pleasure in the misfortune of others. It's almost like the thrill of hacking a computer and knowing that you have ruined lives without being caught is the thing and the money is just the icing on the cake.
 
Sometimes they are not out there for the money. Some just want control of the computer to do stuff or to gain as much personal info as they can for various reasons. Lots of money in that also in some markets. But yeah, they do find clever ways around a system though.

Plus the fact it's a big game.
 
Yes.

On Snow Leopard you have two options:

1. Upgrade OS X
2. Install Xcode if you haven't already, and use brew, macports or compile the fixed ntp direct from source code to update it.

I simply turned off auto-update, and made a note to briefly turn it back on once a month.
 
I'm having a hard time believing that it is actually motivated by money as much as it used to be since there are so many (easier) ways to make money online.

I believe that it has to be some sort of degenerate psychosis created by the anonymity of the internet. People have evolved over the last 20 years or so as the internet evolved to take pleasure in the misfortune of others. It's almost like the thrill of hacking a computer and knowing that you have ruined lives without being caught is the thing and the money is just the icing on the cake.

Evolution takes a lot longer than a mere twenty years. :D

If that's all it takes, then I can't wait till I grow some gills so that I can finally breathe underwater.

At any rate, the type of people you describe did not "evolve" or change due to the Internet. They have always been the type of person they are, and if the Internet wasn't around, they would find some other way to satisfy whatever need they have.
 
Is Snow Leopard impacted?

Yes it is, but apparently Apple no longer cares about the security of their Snow Leopard and Lion customers. You either upgrade your perfectly good software (if you can) or you're on your own.

Well, you could just buy a new Mac, which is what Apple wants you to do anyway.
 
1.4? I can install it using my floppy drive.

Not your 1.2 floppy... :)

----------

Yes it is, but apparently Apple no longer cares about the security of their Snow Leopard and Lion customers. You either upgrade your perfectly good software (if you can) or you're on your own.

Well, you could just buy a new Mac, which is what Apple wants you to do anyway.

Snow Leopard is approaching being 6 years old...

Here's another option for you: Turn off automatic time synching on Snow Leopard.
 