Skip to main content

Apple issues automatic fix for critical OS X vulnerability

Apple has made a critical security update available for OS X, and this is the company’s first automated update applied to Mac computers.

Reuters reports that the major flaw is in the Network Time Protocol (NTP) service in OS X, which provides the wherewithal for syncing up clocks on the Mac (note that the flaw also affects other Linux/Unix systems).

Not a great deal has been said about the bug by Apple, but it could allow a malicious party to gain remote control over a machine. Apparently this hasn’t actually happened, though, and Cupertino isn’t aware of any attacker having successfully leveraged this exploit.

You don’t have to worry about updating OS X, as in this case the patch is applied via Apple’s automatic security update system – the first time it has been used. Bill Evans, a spokesman for Apple, noted: "The update is seamless. It doesn’t even require a restart."

We say you shouldn’t worry, but security firm Tripwire has concerns about the auto update process.

Ken Westin, senior security analyst at Tripwire, told ITProPortal: “Apple’s proactive steps to automatically remediate this particular vulnerability shows the need to quickly patch remotely exploitable vulnerabilities. However, the use of Apple’s automatic deployment tool is not without risks, as even the simplest update can cause problems for some systems. In this case the update may have been so minor the risk of affecting other applications and processes was minimal.”

He further notes: “If you have a Mac system where an automatic update might introduce a problem, or are the paranoid type, the functionality can be disabled by going to the Apple Menu > App Store and unchecking ‘Install system data files and security updates.’”