Thursday, December 25, 2014

Apple’s First Automatic Security Update

Apple has gone ahead with its first automatic security update for OS X to handle newly identified bugs which researchers have warned would enable hackers to control devices remotely. According to Apple spokesman, Bill Evans, the company has developed the software fix to deal with critical security issues which could affect Unix-based system including OS X and the issue was with the NTP – network time protocol, which is used to synchronize computer system clocks.

The bug was revealed to the public in security bulletins late last week, by the Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute. Dozens of technology companies which includes Apple and whose products could be vulnerable were identified by Carnegie Mellon.

Apple had earlier, released security patches through its regular software update system which usually needs the user’s approval and introduced the technology to deliver the automatic security updates couple of years back though it had not been used till date.

Reuters was informed by a company spokesperson that it had made a decision in using the technology in order to protect the customers at the earliest, due to the severity of the vulnerabilities and the `update is seamless’ and `does not even require a restart’.

Attackers Executing Arbitrary Code Utilising NTPD Process

The update surfaced to address an issue which was focused by the U.S. Government on December 19 and earlier discovered by the Google Security Team where the vulnerability has the capabilities of enabling an attacker to execute arbitrary code utilising the privileges of the NTPD process.

Apple had earlier faced vulnerabilities during the 2014 the most recent being on releasing an OS X bash update in September to fix the `Shellshock’ security flaw. Current day’s security update could be downloaded from the Mac App Store.

Neel Mehta and Stephen Roettger, Google Security Team researchers had coordinated various vulnerabilities with CERT/CC with regards to the NTP – Network Time Protocol and as NTP is used widely in operational Industrial Control Systems deployments, NCCIC/ICS-CERT has been providing the details for US Critical Infrastructure asset owners as well as operators bringing about an awareness as well as to identify mitigations for the affected devices. Updated release on additional information, when available would be provided by ICS-CERT.

Mac Users to Install Security Patch

Products utilising NTP service earlier to NTP-4.2.8 could be affected and no specific vendor is specified since this is an open source protocol.

 Mac users should pay heed to the advice from Apple and install the security patch and users running OS X Yosemite – 10.10, OS X Mavericks – 10.9 and OS X Mountain Lion – 10.8 would find the available updates in the Software Update mechanism of OS X, which is accessible from the Apple menu as well as by opting for `Software Update’, which is only 1.4MB and also installs in a quick manner.

 If one has automatic updates enabled for system software and security updates, the NTP would probably be installed already, though checking manually could be done. According to Apple spokesmen, Bill Evans, comments that Apple though, does not know of any cases, where vulnerable Mac computers were targeted by hackers looking to exploit the bugs.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.