I believe that it has to be some sort of degenerate psychosis created by the anonymity of the internet. People have evolved over the last 20 years or so as the internet evolved to take pleasure in the misfortune of others.

This has nothing to do with the internet. This is and always has been a part of being human.

It's almost like the thrill of hacking a computer and knowing that you have ruined lives without being caught is the thing and the money is just the icing on the cake.

Exactly. It's a power crime, not a property crime. Much like rape isn't a sexually-motivated crime as much as a power-driven crime and arson isn't a property-motivated crime (outside of fraud) as much as a sex crime where the actor "gets off" on the power.
 
Actually, I do lump Snow Leopard – since you care to name this particular version – in the same legacy camp as DOS.

That's because you haven't thought this out.

DOS apps still run in Windows.
However, there are many apps that run on Snow Leopard that do not run on Yosemite. Microsoft didn't abandon its customers.

With all those billions of dollars, Apple refuses to support its customers.
Imagine having a 3.0 GHz, 8-core Mac Pro machine that Apple has rendered obsolete.

Tim Cook sure talks a lot about being "green" but his practices put more Macs in the landfill (and more dollars in his pocket). He is a hypocritical piece of crap.
 
That's because you haven't thought this out.

DOS apps still run in Windows.
However, there are many apps that run on Snow Leopard that do not run on Yosemite. Microsoft didn't abandon its customers.

With all those billions of dollars, Apple refuses to support its customers.
Imagine having a 3.0 GHz, 8-core Mac Pro machine that Apple has rendered obsolete.

Tim Cook sure talks a lot about being "green" but his practices put more Macs in the landfill (and more dollars in his pocket). He is a hypocritical piece of crap.

Incorrect. Microsoft has abandoned support for XP. I still use it occasionally because I do run a specific legacy application from time to time. But since XP is now highly vulnerable to network attacks, I do so with its network adapter disabled (as well as being in a VM). It's a legacy OS running legacy apps. I do not blame MS for discontinuing support, as it's had its day.

One big difference between MS and Apple, however, is that the latter has made a commitment that OS upgrades will be free. MS are in no position to do that, as the OS is their bread & butter.

Please don't use offensive language here. You're not doing yourself any favours.
 
There has been no mention, so I assume iOS 8 is not affected?

Any way to tell if my older iOS devices are running ntpd?
 
It did this to me as well on my wife's new 2013 iMac. I also have everything set so it needs permission to install updates. I only saw it very briefly as a notification as the update being available and then immediately a notification thereafter that it was installed. The notifications disappeared very swiftly.

On her 2011 MacBook Air and my 2012 iMac it showed up as a normal update in the app store. I haven't checked my 2013 Mac Pro yet, but it is turned off so it can wait til morning. All other machines were in sleep mode. The new iMac has power nap enabled. Maybe that's why it installed automatically.

Yet it is very annoying indeed, especially that there's no record of the install to be found. The NTP security update doesn't even show up in the software updates section in the app store apps under "updates installed the last 30 days". And there's no notification history either which is even more annoying. To be honest I find that very strange and suspicious.

Is this normal behaviour?

Might depend on the hardware and OS combination. I had to enter the MAS to install it. It still shows up as installed. On a 2008 Mac Pro with Mavericks.
 
There has been no mention, so I assume iOS 8 is not affected?

Any way to tell if my older iOS devices are running ntpd?
iOS does not come with the ntpd daemon.

Jailbroken iDevices can install NTPdate 2.0, but that just polls a server, it does not run as a persistent daemon that constantly checks & updates the time from a designated remote server like ntpd does on Mac OS X. You have to run it manually.
 
I'm running Lion on my mac mini - is there a patch available?

I checked in software updates and it says that everything is up to date.
 
Personally I find it inexcusable that apparently serious security bugs are not being patched in Snow Leopard/Lion.

Especially since Lion isn't "ancient" yet and is the last supported OS for several Macs.

I hate it that OS X updates are now free because Apple can use the excuse "it's free so why not update your system!?" Well, I'm on Mavericks so I still have 2/3 years of support before I'm left in the dust. It's even more annoying because Lion -> Mt Lion -> Mavericks were all refinements on the current form of OS X and Yosemite is the new form. I'm not complaining about aesthetics, but usability was hindered in Yosemite. I shouldn't be forced to update to less usable (for me) OS just because Apple won't support "old" OSes.

----------

Even some Windows computers sold TODAY do not support all of Windows 7 features. So, what you expect from Apple is completely odd.

The PCs aren't made by the same company that makes the OS. Apple's prideful claim is exactly what makes this situation different.
 
Thanks. This is a very different perspective from some who posted that the vulnerability is quite high.

The vulnerability is quite high, but it is exploited when you serve time, not when you merely sync from another server. The issue with ntpd is that the same program acts as both a server and a client, so having it running at all means you are a potential time server (other clients can connect to your "server" and sync with your time, or do bad things).

OS X's default config file has had this locked down for quite a few versions now (Snow Leopard is the oldest I have on hand to check). This lockdown (the "noquery" config statement), mitigates 5 of the 6 new vulnerabilities without any patching needed. And the sixth involves configuration changes to the default OS X config that most folks are not even likely to understand, much less invoke.

Beyond that, if you are behind a NAT router, your ntp server port is not open to the Internet to be exploited, unless you specifically port-forwarded to it. Though it could still be exploited on a local LAN.
 
Especially since Lion isn't "ancient" yet and is the last supported OS for several Macs.
In this case it's particularly heinous because the fix is just a binary or two and a config file. It wouldn't have killed Apple to build new versions for Leopard/Snow Leopard given how serious they seem to think the vulnerability is (which seems strange as, as HenryAZ notes, 5 of the 6 new CVE's are blocked by the "noquery" default option in one of the NTP config files).
 
This lockdown (the "noquery" config statement), mitigates 5 of the 6 new vulnerabilities without any patching needed. And the sixth involves configuration changes to the default OS X config that most folks are not even likely to understand, much less invoke.
What is the 6th? (I'll understand it.)

BTW, last night I downloaded the Mavericks version of the Apple Open Source project for ntpd ("ntp-88") and it builds out of the box with Xcode 3.2.6 on Snow Leopard (albeit with lots of warnings). (The current ntp-92 version for Yosemite will not build, due to a missing OS include file.)

Unfortunately the differences between ntpd 4.2.6 and 4.2.8 are sufficiently vast that I can't cherry-pick the changes that would close the 6 CVE's and apply them to the ntp-88 source code tree to build a new binary that could be distributed. :(

Hopefully Apple will update the ntp-88 source tree to match their newly-fixed binary soon.

Meanwhile if you want to see the gory details of what vulnerabilities were fixed, look here.
 
It wouldn't have killed Apple to build new versions for Leopard/Snow Leopard given how serious they seem to think the vulnerability is (which seems strange as, as HenryAZ notes, 5 of the 6 new CVE's are blocked by the "noquery" default option in one of the NTP config files).

And the sixth is mitigated as long as you don't have any config statements beginning with "crypto".

But, blocking, or mitigating, a vulnerability should not be considered a fix, only a temporizing move. It's always better to fix all of them, as Apple did. Some people actually use their Mac as a time server, to serve Internet time to other machines (though there are better choices of OS to do this with).
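
Added example, not part of any post in this thread: a shell check for the two configuration-level mitigations the posts above describe (`noquery` on the default `restrict` lines, and no statement beginning with `crypto`). The function name, the sample file names and the sample config lines are constructed for illustration; pass it the ntpd config files of the machine being checked.

```shell
#!/bin/sh
# audit_ntp_conf FILE...   (hypothetical helper name)
# Returns 0 when every "restrict default" line carries noquery and no
# statement begins with "crypto"; prints one FAIL line per finding otherwise.
audit_ntp_conf() {
    awk '
        { sub(/#.*/, "") }            # strip comments; awk re-splits the fields
        NF == 0 { next }              # skip blank lines
        $1 == "restrict" {
            i = 2
            if ($i == "-4" || $i == "-6") i++   # optional address-family flag
            if ($i == "default") {
                seen = 1; ok = 0
                for (j = i + 1; j <= NF; j++) if ($j == "noquery") ok = 1
                if (!ok) {
                    printf "FAIL %s:%d default restrict lacks noquery\n", FILENAME, FNR
                    bad = 1
                }
            }
        }
        $1 == "crypto" {
            printf "FAIL %s:%d crypto statement present\n", FILENAME, FNR
            bad = 1
        }
        END {
            # With no default restrict line, ntpd answers queries from anyone.
            if (!seen) { print "FAIL no restrict default line found"; bad = 1 }
            if (!bad) print "OK noquery on all default restricts, no crypto statement"
            exit (bad ? 1 : 0)
        }
    ' "$@"
}

# Constructed sample inputs (not copied from a real machine).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/locked.conf" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server time.example.com   # placeholder server name
EOF
cat > "$demo_dir/open.conf" <<'EOF'
restrict default kod nomodify notrap nopeer
crypto pw example
server time.example.com
EOF
audit_ntp_conf "$demo_dir/locked.conf"
audit_ntp_conf "$demo_dir/open.conf" || echo "open.conf needs attention"
```

If the main config pulls in a second file with `includefile`, list that file as an extra argument, since the function does not follow includes.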
 
"As noted by Reuters, this update marks the first time Apple has deployed an automatic security update, which can be installed without user authorization."

Did Apple deploy it by exploiting the bug in ntpd? :p

----------

That's because you haven't thought this out.

DOS apps still run in Windows.
However, there are many apps that run on Snow Leopard that do not run on Yosemite. Microsoft didn't abandon its customers.

With all those billions of dollars, Apple refuses to support its customers.
Imagine having a 3.0 GHz, 8-core Mac Pro machine that Apple has rendered obsolete.

Tim Cook sure talks a lot about being "green" but his practices put more Macs in the landfill (and more dollars in his pocket). He is a hypocritical piece of crap.

Wait, my Mac Pro isn't obsolete! It can still run Yosemite if I want to (which I don't). Anyway, the point still stands. Apple's claim of being "green" is utter nonsense. They sell hardware, and they want to make sure they sell a lot of it.

----------

Fine, it's your choice. Don't upgrade your OS ever again. It's entirely your choice. I guess there are some people still using DOS who don't want to be troubled by bothersome new features such as access to the Internet or PNG graphics. Good luck to them if they're happy with what they've got.

Nothing on the scale of the Internet developed within the past four years. Four OS X updates did. Aside from iMessage and iCloud support, I couldn't care less about anything they added, with the exception of small fixes that would have otherwise just been minor revisions if there weren't updates. Really, I've never known anyone who does care besides strangers on MacRumors. At this point, I just stay with the oldest thing that can run the newest Xcode.

I'd probably update every 6 years if I wasn't forced by anything like security flaws or Xcode, probably getting a new computer each time. Apple does add new features, just not enough with each OS release to make it worthwhile to update more frequently.
 
There has been no mention, so I assume iOS 8 is not affected?

Any way to tell if my older iOS devices are running ntpd?

I'm wondering about all my Android devices as well.

I am so sick of this BS, and continual updates of everything all the time. I'm ready to go back to ink quill and parchment. That stuff lasts centuries and never goes out of date.
 
The vulnerability is quite high, but it is exploited when you serve time, not when you merely sync from another server. The issue with ntpd is that the same program acts as both a server and a client, so having it running at all means you are a potential time server (other clients can connect to your "server" and sync with your time, or do bad things)...

Beyond that, if you are behind a NAT router, your ntp server port is not open to the Internet to be exploited, unless you specifically port-forwarded to it. Though it could still be exploited on a local LAN.

Do you know if disabling the NTP function on a home router would be enough to stop any potential vulnerabilities?

I am personally using a D-Link DIR-655, but I'm sure that many/most home routers use the service/server to set the time.
 
I believe that it has to be some sort of degenerate psychosis created by the anonymity of the internet. People have evolved over the last 20 years or so as the internet evolved to take pleasure in the misfortune of others. It's almost like the thrill of hacking a computer and knowing that you have ruined lives without being caught is the thing and the money is just the icing on the cake.

People haven't evolved and people haven't changed - they've always been like this. The internet just gives them an easier way to express their destructive and antisocial impulses.
 
Please don't use offensive language here. You're not doing yourself any favours.

1. Most normal adults would not consider the word "crap" in the context of the internet to be offensive.

2. This forum filters "obscene" words like **** etc and the fact that they have explicitly not filtered the word "crap" is tacit approval for its use in this forum.

3. Who made you the morality police?

:confused:

----------

Incorrect. Microsoft has abandoned support for XP. I still use it occasionally because I do run a specific legacy application from time to time.

What's your point? You can run various DOS applications on Windows versions after XP.
 
1. Most normal adults would not consider the word "crap" in the context of the internet to be offensive.

2. This forum filters "obscene" words like **** etc and the fact that they have explicitly not filtered the word "crap" is tacit approval for its use in this forum.

3. Who made you the morality police?

:confused:

----------



What's your point? You can run various DOS applications on Windows versions after XP.

Describing someone as being a 'piece of crap' is to say that they are a pile of faeces. It's witless offence. That's not the same as saying that something is crap (adjective), which has an entirely different context. Just so you know.

My point? I stated that DOS is legacy. I deal with legacy systems daily. DOS, and the applications it runs, is legacy.
 
I am so sick of this BS, and continual updates of everything all the time. I'm ready to go back to ink quill and parchment. That stuff lasts centuries and never goes out of date.
A common saying in the ancient Roman civil service was "don't write it down if you don't want it to leak out", or old Latin words to that effect. Security problems are as old as humanity.
 
A common saying in the ancient Roman civil service was "don't write it down if you don't want it to leak out", or old Latin words to that effect. Security problems are as old as humanity.

I am so done with filthy crap faeces humanity. I wash my hands of it.
 
People haven't evolved and people haven't changed - they've always been like this. The internet just gives them an easier way to express their destructive and antisocial impulses.

I thought I covered that when I said "degenerate psychosis created by the anonymity of the internet" but yeah.. ok.

----------

I'm wondering about all my Android devices as well.

I am so sick of this BS, and continual updates of everything all the time. I'm ready to go back to ink quill and parchment. That stuff lasts centuries and never goes out of date.

Let us know how your music sounds written down. :D
 
Do you know if disabling the NTP function on a home router would be enough to stop any potential vulnerabilities?

I am personally using a D-Link DIR-655, but I'm sure that many/most home routers use the service/server to set the time.

Stopping ntp on your router's OS would certainly protect the router's OS, but has nothing to do with what sits behind your router, such as your Mac or other client machines.

And that brings up a real problem with updating ntp on embedded devices like routers, where you only have a limited ability to configure the service, and are unlikely to receive any updates.

You can use your router's firewall ability to block inbound ntp queries to the router's wan interface. Write a rule that specifically blocks port UDP/123 inbound to your router's wan port. Some router OS's will do this if you only permit "established" connections.
 
Of the three Macs I have, all running Yosemite (2013 Mini at work; 2012 Mini at home, 2013 Air at home), not one of them installed the patch without intervention. Not a huge deal, but strange.
 
The vulnerability is quite high, but it is exploited when you serve time, not when you merely sync from another server.

Are you sure?
http://www.kb.cert.org/vuls/id/852879

The NTP Project ntpd version 4.2.7 and previous versions allow attackers to overflow several buffers in a way that may allow malicious code to be executed. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities affect ntpd acting as a server or client.
 