AppleInsider Staff
Apple on Monday pushed out an update addressing a "critical security issue" for OS X concerning a vulnerability discovered in the Network Time Protocol service, affecting Mac users running OS X Yosemite, Mavericks and Mountain Lion.
According to Apple's Support website, the update targets a number of issues with OS X Network Time Protocol daemon (ntpd) software that allows remote attackers to trigger buffer overflows, which can be leveraged to execute arbitrary code on a target Mac. The Google Security Team made the discovery earlier this month.
Users can verify their ntpd version by opening Terminal and typing what /usr/sbin/ntpd. With the update installed, users should see the following versions:
Mountain Lion: ntp-77.1.1
Mavericks: ntp-88.1.1
Yosemite: ntp-92.5.1
Users can find the update via Software Update or already downloaded if the "Install system data files and security updates" option is checked in the App Store menu of System Preferences.
Charles Martin
Oliver Haslam
William Gallagher
Christine McKee
Sponsored Content
Malcolm Owen
Andrew Orr
23 Comments
"...buffer overflows, which can be leveraged to execute arbitrary code on a target Mac..." [COLOR=blue]This is such an elementary way to break into a system, how could anyone, especially Apple, let it happen in this day and age??[/COLOR] I don't mean this as an indictment of Apple, I'm seriously asking the question.
I wonder if this means alarms clocks will work this year?
/s
"...buffer overflows, which can be leveraged to execute arbitrary code on a target Mac..."
This is such an elementary way to break into a system, how could anyone, especially Apple, let it happen in this day and age??
I don't mean this as an indictment of Apple, I'm seriously asking the question.
So how would you exploit this? Some elementary sample code would be appreciated.
Seriously asking the question
Everyone, all together now, "Thanks Google for making Apple's products more secure."
How interesting. Daniel Eran Dilger's usually the first one to vociferously trumpet such vulnerabilities, especially when they pertain to Android, so I'm surprised he missed this one...