Apple has issued a patch to address a Network Time Protocol (NTP) flaw in its OS X operating system.
According to an advisory issued by ICS-CERT on Friday, the flaw was first discovered by two Google Security Team researchers, Neel Mehta and Stephen Roettger, who recently identified four buffer overflow vulnerabilities as well as three other weaknesses in the protocol’s cryptographic implementation and error handling.
CVE-2014-9295, which accounts for the more serious flaws discovered, is dangerous in that it allows attackers to exploit remote code execution (RCE) vulnerabilities by sending specially crafted packets to a vulnerable version of the Network Time Protocol daemon (ntpd).
Attackers could potentially leverage this flaw with other privilege escalation vulnerabilities to gain root access to a system.
For this reason, Apple has made this patch its first-ever automatic security update for Macs.
“Apple’s proactive steps to automatically remediate this particular vulnerability demonstrates the need to quickly patch remotely exploitable vulnerabilities,” says Ken Westin, Sr. Technical Marketing Manager and Security Analyst at Tripwire. “However, the use of Apple’s automatic deployment tool is not without risks, as even the simplest update can cause problems for some systems. In this case, the update may have been so minor that the risk of affecting other applications and processes was minimal.”
Westin therefore recommends that all users for whom an automatic update might introduce a problem immediately disable the functionality by going to the Apple Menu > App Store and unchecking “Install system data files and security updates.”
Macs are not the only systems affected by this vulnerability, however. Other Linux/Unix distributions are also vulnerable, including those that run industrial control systems. With regards to patching ICS systems, admins should back up any current configurations and test the patch before deploying it.
All other system administrators should implement the patch as soon as it becomes available.