Just before Christmas, Apple pushed out a mandatory patch for its OS X operating system.
The patch was only a file of less than 1MB and installed without so much as a reboot. Those used to watching Microsoft Windows say “installing update 1 of 36….” on a seemingly constant basis may feel justified in asking, “what’s the big deal?” Well, it was a big deal because Apple had never felt the urgency to do it before.
Normal OS X Updates
Normal OS X updates are installed via Apple’s Software Update function, which in recent versions of OS X has been integrated with the Mac App Store.
Users are prompted to install updates when they are available, but can postpone them until they are ready. Although Apple often release security updates, they don’t do so with same frequency as Microsoft, which Apple fans are sure to believe is due to the inherent extra security in OS X…
The difference with the mandatory patch pushed out before Christmas is that it installed with no user intervention. Apple clearly felt that the vulnerability it had uncovered was sufficiently serious to force an update onto all affected OS X systems.
So what WAS the bug?
The NTP Vulnerability
Getting exact details of the flaw Apple found is difficult, and intentionally so. After all, if they were to explain the details of the vulnerability, cybercriminals would immediately seek to exploit it on unpatched systems.
What we know is that the vulnerability was in the operating system’s Network Time Protocol (NTP) implementation, and that it gave hackers the potential to exploit “buffer overflows” that could allow them to run “arbitrary code.”
NTP is usually used to synchronise computer time across networks – be they local networks, or the public Internet.
According to Apple’s security bulletin here, affected systems are those running OS X Mountain Lion, Yosemite and Mavericks. It’s for these systems that the patch has been produced and rolled out.
However, as Ars Technica has pointed out, Apple no longer provide security updates for older operating systems, such as OS X Lion and Snow Leopard – so it’s possible that these systems are affected too.
Time to Worry?
This isn’t the time to bring up the debate as to whether Macs are more secure than Windows PCs, or whether or not they require antivirus!
The fact that Apple responded quickly to this problem is a good thing, but, on the other hand, it does go to emphasise just how serious the vulnerability was if the company decided to take a step it never had before.
For now, it seems that no serious harm has been done beyond reputational pride.
However, the powers-that-be at Apple would no doubt like significant time to elapse before something like this happens again!