Apple releases critical NTP Security Update for OS X Yosemite, Mavericks, & Mountain Lion

ImAMacGuy
Valued Contributor II

Apple releases critical NTP Security Update for OS X Yosemite, Mavericks, & Mountain Lion

Security UpdateApple today released an OS X NTP Security Update for Mac users running 10.10 Yosemite, 10.9 Mavericks, and 10.8 Mountain Lion. The update is recommended for all users and fixes a “critical security issue with the software that provides the Network Time Protocol service for OS X,” according to Apple. Check the Updates tab of the Mac App Store to grab the security update. More details regarding the security update for OS X should be able through this support document soon.

http://9to5mac.com/2014/12/22/ntp-security-update-os-x-yosemite-mavericks-mountain-lion/

27 REPLIES 27

andyinindy
Contributor II

Just in time for the holidays! Thanks, Apple!

CasperSally
Valued Contributor II

YMMV, but for anyone else who has clients 10.9.4 who can't easily update them to 10.9.5 - you can update a test machine to 10.9.5 and download the update in terminal running

sudo softwareupdate -d "OSX NTP Security Update-1.0"

Then the install downloads to /Library/Updates, and this .pkg installs for me on 10.9.4 machines without repackaging. To confirm it installs, in terminal run ```
what /usr/sbin/ntpd
```

After running, it should return ntp-88.1.1 for Mavericks.

cvangorp
New Contributor III

So now Apple has "pushed" this update to machines. http://www.reuters.com/article/2014/12/23/us-apple-cybersecurity-idUSKBN0K108W20141223
How does this work if we host our own SUS appliance and JAMF policies to force users to update? How does this affect IT Administrators? So far I haven't found any posts on how Apple is doing this push, so not sure if it will work in our environment.

endor-moon
Contributor II

What annoys me is the blithe assumption on Apple's part that we are all running Yosemite just because it is free. Perhaps it hasn't occurred to them that we can't update for various reasons, like the many bugs and incompatibilities it brings to our lives...

prodservices
New Contributor III

FWIW, I deployed the patch to a test machine (10.9.5) that had already been "pushed" by Apple, and saw no issues.

CasperSally
Valued Contributor II

It doesn't get pushed if you don't have "Install system data files and security updates" checked in app store prefs according to cnet.

http://www.cnet.com/uk/news/apple-updates-macs-without-asking-but-its-to-foil-hackers/

FYI I created an extension attribute that I'm sure could be more elegantly done, but seems to work for anyone interested

#!/bin/sh
NTPVersion=`what /usr/sbin/ntpd| awk 'END{print}' | tr -d "  PROGRAM:ntpd JECT-"`
echo "<result>$NTPVersion</result>"

rtrouton
Release Candidate Programs Tester

Based on the information I'm seeing, this update is being pushed using the same mechanism that Apple uses to automatically push XProtect updates.

external image link

I have a post on how you can force XProtect updates, which also talks about the delivery mechanism via Software Update:

http://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yose...

adamcodega
Valued Contributor

For the sake of trading Bash script methods, @CasperSally][/url][/url:

#!/bin/sh
NTPVersion=`what /usr/sbin/ntpd | tail -1 | cut -f2 -d"-"`
echo "<result>$NTPVersion</result>"

I was getting weird white space printing results at first.

CasperSally
Valued Contributor II

@adamcodega - much more elegant :)

adamcodega
Valued Contributor

Combined with this smart group, I believe:

external image link

mm2270
Legendary Contributor III

Or just

#!/bin/sh

echo "<result>$(what /usr/sbin/ntpd | awk -F- '{getline; print $NF}')</result>"

FWIW, my Mac is running 10.9.5, and I have the setting enabled in App Store preferences to install system data files and security updates, but my ntpd version is still at 88 so far. I'll need to keep an eye on it. I assume 10.9.5 should get the auto update, and not just Yosemite.

ImAMacGuy
Valued Contributor II

there's no single package for deployment across all os's is there?
I tried the one linked in the apple kb article, but it appeared to be only 10.10.x, and it errors out when I try on 10.9.x

Edit: nevermind, found it :)
http://support.apple.com/downloads/

adamcodega
Valued Contributor

Yep, there's a package for Mountain Lion, Mavericks, and Yosemite.

No word on whether Mountain Lion or Mavericks are installing themselves the way Yosemite did though.

CasperSally
Valued Contributor II

hmm bummer I missed those downloads on Apple's site when I looked earlier.

emily
Valued Contributor III
Valued Contributor III

@mm2270 if the Yosemite machines here are any indication, you'll see a little notification that says something like "a new security update has been installed" in the top corner where push notifications show up.

mm2270
Legendary Contributor III

@emilykausalik,
Yes, oddly enough, another test Mavericks Mac I have here got the update nearly immediately after I got it connected to the internet. And I saw the Notification Center message. It came down to my primary Mac as well, but I didn't see a Notification about it. I only know because I re-ran the command to pull the ntpd version and its now at 88.1.1. Strange, but at least its working.

adamcodega
Valued Contributor

@rtrouton confirmed on Mountain Lion that it appears in Software Update as "going to be installed soon"

andyinindy
Contributor II

adamcodega
Valued Contributor

For clarity, you can find all Apple security update information here:
http://support.apple.com/en-us/HT1222

Download updates manually if need be here:
http://support.apple.com/downloads/

andyinindy
Contributor II

@adamcodega, d'oh, didn't realize that Apple posted these as standalone downloads via their support site. My face is red.

adamcodega
Valued Contributor

No worries right? Great to bookmark because I always lose track of what is where.

mapurcel
Contributor III

@andyinindy I'm not having any luck installing the packages onto older patch levels, I'm seeing this:

Installation failed. The installer reported: installer: Cannot install on volume / because it is disabled.
installer: This update requires OS X version 10.9.5 or later.

adamcodega
Valued Contributor

Where you installing it onto 10.9.4?

mapurcel
Contributor III

Yes, I was installing it on both 10.9.3 and 10.9.4 with the packages downloaded from Apple.

scottb
Honored Contributor

FYI, if you have older OS X iterations to update, this page has the code, but no fancy Apple packages.

http://www.ntp.org/downloads.html

jhbush
Valued Contributor II

I ran ```
softwareupdate –background-critical
``` and that seemed to work on 10.9 and 10.10 boxes. The update is marked as critical in the installer .plist so it seems to make sense based on Rich's blog post.

rtrouton
Release Candidate Programs Tester

The folks in the ##osx-server IRC room put their heads together this afternoon to help figure this out. I've got a post on the findings available from the link below:

http://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/