Apple last night for the first time pushed an automated patch to Mac OS X users, taking care of critical Network Time Protocol (NTP) vulnerabilities.
The fix was delivered automatically and did not require Mac users to restart their machines.
The latest security issue in NTP, which is used by computers to synchronize clocks, was disclosed late last week. Researchers at Google who discovered the vulnerability also warned of public exploits, which no doubt prompted Apple’s response. Dozens of vendors, however, may be impacted.
NTP versions prior to 4.2.8 are affected by a number of buffer overflow vulnerabilities that would enable a hacker to remotely control the underlying computer. Other, already patched vulnerabilities in NTP have been at the center of a number of distributed denial-of-service (DDoS) attacks.
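A quick way for an administrator to check a host against the version threshold given above. This is an added example, not part of the original article or of the NTP project; it assumes the input is the text printed by `ntpd --version` or the `version="..."` field from `ntpq -c rv`, and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify an ntpd version string as older than 4.2.8
# (the affected range named in the article) or not.
# Input: the output of `ntpd --version`, or the version= field from
# `ntpq -c rv`, e.g. (constructed samples)
#   "ntpd 4.2.6p5@1.2349-o Tue Jun 17 12:34:56 UTC 2014"
#   "ntpd 4.2.8p1@1.3265-o Fri Feb  6 10:00:00 UTC 2015"
# Exit status: 0 = older than 4.2.8 (affected), 1 = 4.2.8 or newer,
#              2 = no x.y.z version found in the input.
# Usage: ntp_version_affected "$(ntpd --version 2>&1)"; echo $?

ntp_version_affected() {
    # Take the first dotted triple of digits; the "p<n>" patch level and the
    # "@<build>" suffix are not needed to decide the 4.2.8 boundary.
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$ver" ] || return 2

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    micro=${rest#*.}

    # Compare component by component as integers, so 4.2.10 sorts after 4.2.8.
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -gt 4 ]; then return 1; fi
    if [ "$minor" -lt 2 ]; then return 0; fi
    if [ "$minor" -gt 2 ]; then return 1; fi
    if [ "$micro" -lt 8 ]; then return 0; fi
    return 1
}
```

To feed it the running daemon's view of itself rather than the binary on disk, extract the field first: `ntpq -c rv | sed -n 's/.*version="\([^"]*\)".*/\1/p'`.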
The flaws disclosed recently in NTP are more worrisome and can be exploited with a single packet, an advisory from NTP.org said. The vulnerabilities not only affect endpoints and servers, but also industrial control systems; ICS-CERT issued a security advisory on Friday as well.
“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” ICS-CERT said in its advisory. “These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.”
An Apple spokesman told Reuters that Apple has had the ability to automatically push security updates for two years, but had not used it until Monday. The spokesman said he was not aware of any attacks against Mac OS X computers.
The ICS-CERT advisory lists a number of specific vulnerabilities discovered by Google, including the generation of random keys with insufficient entropy, the use of a cryptographically weak pseudo-random number generator, stack-based buffer overflows, and a missing return statement in a section of error-handling code, so that processing did not stop where it should have.