Apple releases OS X NTP Security Update; Mac users advised to install ASAP

Apple Inc. ^ | December 22, 2014

[Swordmaker]

Apple today released OS X NTP Security Update for Yosemite, Mavericks, and Mountain Lion.

Install this update as soon as possible.

This update addresses a critical security issue with the software that provides the Network Time Protocol service on OS X, and is recommended for all users.

Apple digitally signs its software updates to ensure the authenticity of update packages. Software Update automatically verifies a package’s signature prior to installing the update. If you manually download an update package, you can verify the signature yourself to confirm that the package is authentic and complete. See < HREF="http://support.apple.com/en-us/HT202369">this article for details on how to verify the authenticity of this download.

For more information on the security content of this update see Support.apple.com

OS X NTP Security Update is available via Software Update.

OS X NTP Security Update is also available via manual download. More info and download links:

• OS X NTP Security Update: OS X Yosemite

• OS X NTP Security Update: OS X Mavericks

• OS X NTP Security Update: OS X Mountain Lion

[Swordmaker]

Important Network Time Protocol Security Update for OS X Lion, Mavericks, and Yosemite now available. Use Software update — PING!

Apple OS X Network Time Protocol Security Update Ping!

If you want on or off the Mac Ping List, Freepmail me.

[PA Engineer]

Thanks. Updated. Interested in knowing the extended issues involved with this. I’m sure the Fud Packers (FP) will tell us. BTTT.

[Mark17]

Thanks for posting this. I had it updated within a few minutes of seeing this.

[Gene Eric]

NTP was recently a pain in the ars for me... a BS mount issue NTP caused shutout PAM related logins...

chkconfig ntp off

There's the quick fix...

[Pontiac]

Still using Tiger

[dayglored]

You might want to point out that the vulnerability is in NTP itself, not in only the Mac’s use of it. Looks like it’s in the NTP sources, which affect a lot of OSes, if I’m reading this correctly:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

[PIF]

Still using Snow Leopard ...

[PIF]

Mountain Lion Security update link not right.

Correct one here:

http://support.apple.com/kb/DL1781?viewlocale=en_US&locale=en_US

[zeugma]

I looked, and noticed NTP was amongst my Fedora updates pending. Don’t know if it’s a fix of the same thing, but I went ahead and installed it.

[kevkrom]

My MBP auto-updated, so I’m good.

[DigitalVideoDude]

It freaked me out to see an update applied that I did not have to approve. I didn’t like it. It seemed suspicious. So, I did some research and found that Apple pushed this security update using a system that does not require user interaction. Ugh. Sounds like another potential exploit vector.

[bubbacluck]

I was surprised by the auto-update as well. Thanks for the information.

[conservatism_IS_compassion]

Update done; thanks for the ping!

[conservatism_IS_compassion]

Update done; thanks for the ping!

[johniegrad]

Thanks for the head’s up. It was fast.

[dayglored]

Yeah this applies to all systems and OSes with NTP, Linux, BSD, etc.

[Swordmaker]

It freaked me out to see an update applied that I did not have to approve. I didn’t like it. It seemed suspicious. So, I did some research and found that Apple pushed this security update using a system that does not require user interaction. Ugh. Sounds like another potential exploit vector.

Why are you surprised. At some point you set your App Store update preferences to automatically install updates, specifically system data files and security updates (those are the things that keep your Mac safe):

[Swordmaker]

Yeah this applies to all systems and OSes with NTP, Linux, BSD, etc.

Thanks for the info on the universality of this NTP flaw extending to all *nix type operating systems.

[MediaMole]

These days, it seems everyone is sharing the same code base and the same vulnerabilities.