Apple Pushes Out Automatic Security Update for First Time

Apple has taken the unprecedented step of releasing an automatic update for its users to patch several major new flaws affecting the Network Time Protocol (NTP) in its Mac OS X operating system.

The Cupertino giant pushed out the security patch on Monday, after the vulnerabilities were revealed last Friday, according to Reuters.

Although it distributed functionality allowing for automatic updates two years ago, the computing giant had apparently never used it before this week.

"The update is seamless," spokesman Bill Evans told the newswire. "It doesn’t even require a restart."

The NTP flaws were first revealed in an advisory on Friday by the US government-backed ICS-CERT, after research by the Google Security Team.

They relate to the Network Time Protocol, which is used by internet-connected computers to set their clocks accurately.

Products using NTP versions prior to v.4.2.8 are affected by the flaws, which could allow an “attacker to execute arbitrary code with the privileges of the ntpd process.”

The advisory continued:

“Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

Ken Westin, senior security analyst at Tripwire, argued that even automated updates can cause problems to some systems.

“Apple’s proactive steps to automatically remediate this particular vulnerability shows the need to quickly patch remotely exploitable vulnerabilities. However, the use of Apple’s automatic deployment tool is not without risks, as even the simplest update can cause problems for some systems. In this case the update may have been so minor the risk of affecting other applications and processes was minimal,” he argued.

“If you have a Mac system where an automatic update might introduce a problem, or are the paranoid type, the functionality can be disabled by going to the Apple Menu > App Store  and unchecking 'Install system data files and security updates'." 

What’s Hot on Infosecurity Magazine?