Apple releases critical security update for OS X NTP services vulnerability

Posted:
in macOS edited December 2014
Apple on Monday pushed out an update addressing a "critical security issue" for OS X concerning a vulnerability discovered in the Network Time Protocol service, affecting Mac users running OS X Yosemite, Mavericks and Mountain Lion.

OS X Yosemite


According to Apple's Support website, the update targets a number of issues with OS X Network Time Protocol daemon (ntpd) software that allows remote attackers to trigger buffer overflows, which can be leveraged to execute arbitrary code on a target Mac. The Google Security Team made the discovery earlier this month.

Users can verify their ntpd version by opening Terminal and typing what /usr/sbin/ntpd. With the update installed, users should see the following versions:

Mountain Lion: ntp-77.1.1
Mavericks: ntp-88.1.1
Yosemite: ntp-92.5.1

Users can find the update via Software Update or already downloaded if the "Install system data files and security updates" option is checked in the App Store menu of System Preferences.
«1

Comments

  • Reply 1 of 23
    "...buffer overflows, which can be leveraged to execute arbitrary code on a target Mac..."

    [COLOR=blue]This is such an elementary way to break into a system, how could anyone, especially Apple, let it happen in this day and age??[/COLOR]

    I don't mean this as an indictment of Apple, I'm seriously asking the question.
  • Reply 2 of 23
    crowleycrowley Posts: 10,453member

    I wonder if this means alarms clocks will work this year?

     

    /s

  • Reply 3 of 23
    jfc1138jfc1138 Posts: 3,090member
    Quote:

    Originally Posted by Macky the Macky View Post



    "...buffer overflows, which can be leveraged to execute arbitrary code on a target Mac..."



    This is such an elementary way to break into a system, how could anyone, especially Apple, let it happen in this day and age??



    I don't mean this as an indictment of Apple, I'm seriously asking the question.



    So how would you exploit this? Some elementary sample code would be appreciated.

     

    Seriously asking the question

  • Reply 4 of 23
    droidftwdroidftw Posts: 1,009member
    Everyone, all together now, "Thanks Google for making Apple's products more secure."
  • Reply 5 of 23

    How interesting. Daniel Eran Dilger's usually the first one to vociferously trumpet such vulnerabilities, especially when they pertain to Android, so I'm surprised he missed this one...

  • Reply 6 of 23
    crowleycrowley Posts: 10,453member
    Quote:

    Originally Posted by Lord Amhran View Post

     

    How interesting. Daniel Eran Dilger's usually the first one to vociferously trumpet such vulnerabilities, especially as they pertain to Android, so I'm surprised he missed this one...


     

     

    I think that either needs a /s or a bunny-rabbit-ears "surprised" emphasis.  

     

    I'm not at all surprised.

  • Reply 7 of 23
    Quote:
    Originally Posted by jfc1138 View Post

     



    So how would you exploit this? Some elementary sample code would be appreciated.

     

    Seriously asking the question




    Basically you could spoof a time server and send a time update that was longer than the expected response or an argument outside of its expected range and then pass it another argument in the remainder of your string to make it do something else. 

     

    if you want to dig into kind of how it would work you can check out 

    http://www.exploit-db.com/exploits/20727/

  • Reply 8 of 23
    irnchrizirnchriz Posts: 1,616member
    This also affects other Unix and Linux operating systems not just Macs.
  • Reply 9 of 23
    moxommoxom Posts: 326member
    I was happy to see a notification on my Desktop stating the update had already been downloaded and Installed on my machine... :)
  • Reply 10 of 23
    droidftwdroidftw Posts: 1,009member
    How interesting. Daniel Eran Dilger's usually the first one to vociferously trumpet such vulnerabilities, especially when they pertain to Android, so I'm surprised he missed this one...
    DED may still be working on an article about it. He usually takes the time to explain why he thinks that vulnerabilities that affect Apple products are non-issues.
  • Reply 11 of 23
    asciiascii Posts: 5,936member
    Quote:

    Originally Posted by irnchriz View Post



    This also affects other Unix and Linux operating systems not just Macs.



    Yes, the Ubuntu 14.04 LTS update also popped up today.

  • Reply 12 of 23
    asciiascii Posts: 5,936member
    Quote:

    Originally Posted by DroidFTW View Post



    Everyone, all together now, "Thanks Google for making Apple's products more secure."



    Google actually finds a lot of security fixes for OS X if you read the security update release notes. And not just the generic unixy ones but OS X specific ones too, which is great.

  • Reply 13 of 23
    I just received a pop up stating security updates have been installed. No indication in app store or notifications? I am running 10.9.5
  • Reply 14 of 23
    haggarhaggar Posts: 1,568member



    If App Store preferences in Yosemite is set to "Install system data files and security updates", will this "security update" be automatically installed?

     

  • Reply 15 of 23
    droidftw wrote: »
    DED may still be working on an article about it. He usually takes the time to explain why he thinks that vulnerabilities that affect Apple products are non-issues.

    DED likes to delve into the history of topics so with a time service he'll likely be starting with the Babylonians.
  • Reply 16 of 23
    droidftwdroidftw Posts: 1,009member
    Quote:

    Originally Posted by SolipsismY View Post



    DED likes to delve into the history of topics so with a time service he'll likely be starting with the Babylonians.

     

    Only if he's already written an article about Babylonians so he can cite himself.  ;)

  • Reply 17 of 23
    droidftw wrote: »
    <div class="quote-container" data-huddler-embed="/t/184021/apple-releases-critical-security-update-for-os-x-ntp-services-vulnerability#post_2654192" data-huddler-embed-placeholder="false">Quote:<div class="quote-block">Originally Posted by <strong>SolipsismY</strong> <a href="/t/184021/apple-releases-critical-security-update-for-os-x-ntp-services-vulnerability#post_2654192"><img alt="View Post" src="/img/forum/go_quote.gif" /></a><br /><br />DED likes to delve into the history of topics so with a time service he'll likely be starting with the Babylonians.</div></div><p> </p><p>Only if he's already written an article about Babylonians so he can cite himself.  <img alt=";)" src="http://forums-files.appleinsider.com/images/smilies/1wink.gif" /></p>
    Only if he can also claim that Android is at fault
  • Reply 18 of 23
    crowleycrowley Posts: 10,453member
    Hammarubi's Code would have been better if it was written in Swift.
  • Reply 19 of 23
    MarvinMarvin Posts: 15,310moderator
    crowley wrote: »
    Hammarubi's Code would have been better if it was written in Swift.

    I wonder if Apple maintains their own branches of the underlying UNIX software or if they keep them synced with the open source community. Translating all these system tools over to Swift should prevent buffer overflow vulnerabilities but it would make it harder to keep software synced to the versions deployed to other UNIX systems. If Swift was open-sourced itself, perhaps Apple could encourage UNIX developers to migrate at least some tools to Swift so that they get cleaner, shorter, safer code for all platforms.
  • Reply 20 of 23
    jexusjexus Posts: 373member
    Quote:

    Originally Posted by Marvin View Post





    I wonder if Apple maintains their own branches of the underlying UNIX software or if they keep them synced with the open source community.

    A little of Both.

     

    Apple's OpenGL drivers are their own.

    When Apple used GCC, they mostly kept in synch just adding a few modules here and there(Until the whole GPLv3 Debacle).

    Apple's Samba inclusion for OSX Server I'm fairly positive was just a vanilla package(again until GPLv3 ruined everything)

     

    I imagine the code that Apple lifts from FreeBSD is also at least slightly modified for the OSX environment.

     

    I don't know how apple decides such, but they definitely go both ways.

Sign In or Register to comment.