Apple pushes its first ever silent, automatic security update to Mac OS X to fix NTP bug
Apple has pushed out its first ever automatic, silent security update to Mac OS X users, fixing a vulnerability in NTP that would’ve allowed hackers to turn Macs into DDoS zombies. In some ways, this finally brings Apple up to parity with Microsoft: Windows has technically had the ability to do automatic updates for a long time, though it’s very rare to see them performed while a system is in use — usually Windows waits for you to shut down to reboot before installing patches. Rather impressively, the OS X security patch should install transparently, with no need to restart.
Last week, some Googlers discovered some vulnerabilities in the Network Time Protocol (NTP), including a buffer overflow vulnerability that allows an attacker to execute malicious code on a remote system. Most Unix-like operating systems (Linux, BSD, OS X, etc.) use NTP to synchronize their clocks — an exact number of vulnerable systems isn’t known, but we’re almost certainly talking about millions of computers, including Macs running OS X 10.8, 10.9, and 10.10.
In any case, Apple thought this was a good opportunity to try out OS X’s automatic silent-patching mechanism. The feature has been present in OS X for at least a couple of years, but Apple says this is the first time it has ever been used. Whether this is indicative of Apple’s fairly slow-and-lazy approach to security, or just a dearth of vulnerabilities, I don’t know. Even though OS X is gaining in popularity, it still pales in comparison to Windows’ market penetration — so while Microsoft is constantly fighting to keep Windows secure, it’s relatively rare to see hackers or researchers target OS X, and thus we generally see very few security patches from Apple.
Read: Windows 10 vs. OS X Yosemite: The desktop still matters
According to Apple PR, the security update (which is rolling out right now), “is seamless. It doesn’t even require a restart.” Apparently, when it’s your turn to receive the update, it will download and install automatically — the first you’ll know about it is a confirmation box after the patch installs, telling you it was a success. If you don’t want to wait for the automatic update, it can be manually downloaded from the Updates tab of the Mac App Store.
OS X Yosemite vs. Windows 10
As far as I’m aware, Windows has had the ability to automatically and silently install updates for a long time (probably since Windows 2000 or Vista), but it’s very rare for Microsoft to actually use it. Microsoft/Windows prefers to download the updates automatically, and then install them at the next opportune moment — usually when you’re shutting down or restarting. Installing a security update while a system in use can be quite risky: If you’re in the middle of an important task, and suddenly the system update daemon starts stealing CPU cycles and grinding the hard drive, it can be rather annoying. Presumably Apple thought the NTP vulnerability was serious enough that it warranted silent installation.
Hopefully Apple didn’t automatically push the update to any OS X systems being used as servers or in an enterprise setting, though, or there might be some rather upset sysadmins tomorrow morning.
Now read: Is the core of Apple’s OS X rotting from within?
- Thanks for reading Apple pushes its first ever silent, automatic security update to Mac OS X to fix NTP bug