First time ever in the History, Apple Inc. has pushed out an automatic security update for Macintosh OS X computers to address a critical security issue that, according to the company, was too risky to wait for users to patch after seeking their prior approval.
Despite having the ability for years to silently and automatically update its users computers, Apple typically asks its users' permission to approve them manually or automatically before installing any security update of this kind. But, the company has exercised its ability for the very first time to patch a critical security flaw in a component of its OS X operating system called the Network Time Protocol (NTP).
This newly discovered security vulnerability, assigned CVE-2014-9295, became public late last week and affects all operating systems, including OS X and other Linux and Unix distributions, running versions of NTP4 prior to 4.2.8. NTP is used for synchronizing clocks between computer systems and across the global internet.
TURNING YOUR MAC INTO DDOS ZOMBIES
Once exploited, the NTP vulnerability can allow an attacker to remotely execute an arbitrary code on a system using the privileges of the ntpd process. The security hole in NTP would give hackers ability to turn users' Macs into DDoS zombies. However, no security firms have reported any cases of hackers exploiting this vulnerability.
NTP is a global way of synchronising time over a network, and because of its link to networks it has previously been exploited by hackers a number of times. At the beginning of the year, NTP was used to launch 300Gbps DDoS attack against Internet blacklist maintainer Spamhaus. Also in February 2014, the record breaking 400Gbps DDoS attack was launched against content-delivery and anti-DDoS protection firm CloudFlare by leveraging weaknesses in NTP.
The Carnegie Mellon University Software Engineering Institute identified the critical flaw which was made public on Friday by the Department of Homeland Security. The vulnerability affects dozens of technology companies' products including Apple's.
"As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices," ICS-CERT wrote in an advisory published Tuesday. "Products using NTP service prior to NTP–4.2.8 are affected. No specific vendor is specified because this is an open source protocol."
UPDATE YOUR SYSTEMS NOW
The company recommends that all users apply this patch "as soon as possible." The update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1 and is available for download via the "updates" section of the Mac App Store. The update doesn't require a restart.