Apple Issues Network Time Protocol Security Fix for OS X Users

[Keirasplace]

FreeBSD runs ntpd as root.

Freebsd and OSX are related, so that explains things. In fact, others, such as Linux, do run as a kind of root (capabilities), but only give access to certain root level resources (in this case : system time).

Strangely enough, that's still enough to wreck havoc since a lot of other hacks depend on messing up system time. So, being to compromise system time could lead to intrusions on other vulnerabilities.

 

[HenryAZ]

Are you sure?
http://www.kb.cert.org/vuls/id/852879

Not 100%. I'm not sure the maintainers are 100% positive just yet what all holes there are.

The vulnerability involving the crypto keyword, seems to affect you in either role. This involves an association where client and server are exchanging time information using cryptographic authentication.

The other five, I don't see how they could affect you as a client when restrict....noquery will protect you. Part of the confusion is that when ntpd is running, it is always running as both a server and a client.

You may be only syncing time by requesting time from a server, but your own machine is open and listening as a potential time server, so someone else could query your server. Even with noquery in your config, someone could still use your server to request a time sync from, they just cannot use other tools (like ntpq) to query your server for further information. It is the other query tools that can exploit the vulnerabilities, to my understanding.

These other query tools were what were being used a year ago when the ddos amplification attacks using ntp reflection started up. Patches and advisories were issued then, again suggesting using restrict....noquery as a line of defense.

 

[lhammer610]

The vulnerability is quite high, but it is exploited when you serve time, not when you merely sync from another server. The issue with ntpd is that the same program acts as both a server and a client, so having it running at all means you are a potential time server (other clients can connect to your "server" and sync with your time, or do bad things).

OS X's default config file has had this locked down for quite a few versions now (Snow Leopard is the oldest I have on hand to check). This lockdown (the "noquery" config statement), mitigates 5 of the 6 new vulnerabilities without any patching needed. And the sixth involves configuration changes to the default OS X config that most folks are not even likely to understand, much less invoke.

Beyond that, if you are behind a NAT router, your ntp server port is not open to the Internet to be exploited, unless you specifically port-forwarded to it. Though it could still be exploited on a local LAN.

OK, if I can interpret for those of us who are not tech oriented, that use a Mac in a typical home: Your home Mac is protected behind a firewall in your router and/or modem. Unless your firewall is turned off, or you muck around in the settings, this is a non-issue for you.

Is this correct?

 

[HenryAZ]

OK, if I can interpret for those of us who are not tech oriented, that use a Mac in a typical home: Your home Mac is protected behind a firewall in your router and/or modem. Unless your firewall is turned off, or you muck around in the settings, this is a non-issue for you.

Is this correct?

Yes. Even for Snow Leopard, which got no patch, if you are behind a NAT router and don't mess with the ntp config files, beyond specifying a server to sync from, you are OK.

 

[Michael Goff]

1. Most normal adults would not consider the word "crap" in the context of the internet to be offensive.

2. This forum filters "obscene" words like **** etc and the fact that they have explicitly not filtered the word "crap" is tacit approval for it's use in this forum.

3. Who made you the morality police?

😕

----------



What's your point? You can run various DOS applications on Windows versions after XP.

Only with a DOS emulator.

 

[SlCKB0Y]

Not 100%. I'm not sure the maintainers are 100% positive just yet what all holes there are.

The NTP Project was notified about the vulnerabilities nearly 2 weeks before the OS vendors.

 

[HenryAZ]

The NTP Project was notified about the vulnerabilities nearly 2 weeks before the OS vendors.

Given that these vulnerabilities have been there for more than 10 years, I stand by my assessment that the maintainers do not yet know where all the holes are. And this can be stated for just about any software package out there. How many recently discovered holes are years old (OpenSSL, for example, or many Windows vulnerabilities).

Not only that, things that were never considered a "hole" become one when hackers discover a new way to exploit something. Take ddos amplification attacks. These depend only on a simple, tiny UDP query returning a much larger packet in response. That was at least easy to patch in ntp last year, but it remains a big problem for dns.

 

[matt9013]

Are firewalls automatically turned on in routers? Just got a new router from CenturyLink about a year ago and never turned the firewall on. I just plugged it in and set the wireless up.

I'm so stupid but I got my iMac around September and just turned the firewall on. Never knew it had an on switch before 😱. My iMac is fine and I'm not worried as it runs smooth with nothing suspicious but luckily it's on now.

 

[tivoboy]

mountain lion crash

So, I never remember getting this on one of my ML rMBP machines and didn't notice anything in appstore for updates… but, i DID experience a WICKED crash, really never had one on this machine before but just total freeze up (after plugging in a thunderbolt ethernet adaptor - could have been a coincidence though) and got the GREY SCREEN OF DEATH..

could this has been either this trying to install, or a HACK? any way to test this out for either - confirm if this is already installed or if there was a breach - I WAS on an insecure wifi at a hotel at the time..man I hate that.

 

[mallwitt]

Mainstream support for Windows 7, for instance, ends on January 13.

Ending Mainstream support is not the same as ending support, which for Windows & is January 14, 2020. After 1/15/2015, Non-security update support, new designs and features, and "no-charge support" programs (free support with the purchase of the OS) ends, but security updates and paid support will continue to 1/14/2020.

Say what you will about MS, they are unrivaled at supporting old hardware and software. I have managed to install Windows 7 on an ancient PC (pentium III, it didn't run well, but it did run), and Windows 95 on a bleeding edge computer (don't ask). Due to code considerations, my workplace still runs a number of W2K3 servers and 2 or 3 XP machines that we pay MS for support (yes, we are getting off them asap). Apple doesn't come close, I understand why, but this is not something you can bash MS for.


http://windows.microsoft.com/en-us/windows/lifecycle

http://support2.microsoft.com/gp/lifepolicy

 

[mallwitt]

Only with a DOS emulator.

Which is kind of the point. PowerPC apps used Rosetta as their emulator and Apple killed it. At least on MS platforms the emulator still exists. And yeah, you can run 10.6 in VMWare or something, but then you are in essence running a virtual machine to run a virtual machine, Thanks Apple.

 

[Michael Goff]

Which is kind of the point. PowerPC apps used Rosetta as their emulator and Apple killed it. At least on MS platforms the emulator still exists. And yeah, you can run 10.6 in VMWare or something, but then you are in essence running a virtual machine to run a virtual machine, Thanks Apple.

Why hasn't anyone made a new PPC emulator? Could it have been determined to be not worth the effort?

 

[HyperZboy]

Even some windows computers sold TODAY do not support all of Windows 7 features. So, what you expect from Apple is completely odd.

I am a bit miffed my 1970 Ford Cortina doesn't have ABS and Satnav. So short sighted of Ford back then.

There's no reason for a late model $5000 Mac Pro, just before the current release to not support these features. It's not a tech issue.

You're comparing Apple to Oranges. I'm not talking about buying a junk PC and complaining it doesn't work well! HAHA!

We're talking about a tricked out Mac Pro! BIG DIFFERENCE!

If you buy a junk PC, you deserve all the stress you get. 😀

 

[shiekh]

NTP bug and PPC

It is possible to compile NTP 4.2.8 for the PPC 10.5

http://www.macissues.com/2014/12/24/how-to-manually-patch-ntp-for-os-x-10-6-and-10-7/

I have made an installer for the resulting binaries, but since I am a neophyte it is at your own risk.

 

[m4v3r1ck]

Apple Issues Network Time Protocol Security Fix for OS X Users

EDIT: updated to 10.10.1 and installed the NTP security fix already.

Forgive me my (noob) questions! Why is the update/patch not working for OS X 10.10, yet ONLY 10.10.1? Does the NTP differ that much in both versions, was it updated for 10.10.1? Why does this critical security update not aply for "OS X 10.10 or later"?

Note that it's not a matter that I don't want to upgrade to 10.10.1, but I always wait and read the threads, trying to get to know a new OS X release myself first.

Cheers