Apple Automatically Patches Macs to Fix Severe NTP Security Flaw
Most OS X security updates are issued alongside other fixes via the Software Update mechanism, and these require some kind of user interaction to install—you’ve either got to approve them manually or tell your Mac to install them automatically. Apple does have the ability to quietly and automatically patch systems if it needs to, however, and it has exercised that ability for the first time to patch a critical flaw in the Network Time Protocol (NTP) used to keep the system clock in sync.
This security hole became public knowledge late last week and affects all operating systems running versions of NTP4 prior to 4.2.8. When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system. If you allow your system to “install system data files and security updates” automatically (checked by default), you’ve probably already gotten the update and seen the notification for it. If not, Mountain Lion, Mavericks, and Yosemite users should use Software Update to download and install the update as soon as possible. The flaw may exist in Lion, Snow Leopard, and older OS X versions, but they’re old enough that Apple isn’t providing security updates for them anymore.
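
For administrators who also run NTP on systems other than Macs, the "NTP4 prior to 4.2.8" criterion can be turned into a quick inventory check. The sketch below is an added example, not code from Apple or the NTP project; the host names and banner strings are constructed sample data, and the function names are hypothetical. A vendor may ship the fix in a build that still reports an older upstream version, so confirm any "affected" result against that vendor's advisory.

```python
import re

# Threshold taken from the article: NTP4 releases prior to 4.2.8 are affected.
FIXED = (4, 2, 8)

# Upstream "major.minor.patch" triple with an optional "pN" point-release
# suffix (for example "4.2.6p5"), found anywhere in a version banner.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(banner):
    """Return (major, minor, patch, point) or None if no version is found."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch, point = match.groups()
    return (int(major), int(minor), int(patch), int(point or 0))


def classify(banner):
    """Classify one banner as 'affected', 'not-affected' or 'unknown'."""
    version = parse_ntp_version(banner)
    # The article only makes a claim about NTP4, so anything else is unknown.
    if version is None or version[0] != 4:
        return "unknown"
    # The point level is ignored: every 4.2.7pN build is still prior to 4.2.8.
    return "affected" if version[:3] < FIXED else "not-affected"


def audit(inventory):
    """Return the sorted host names whose banner is classified as affected."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory: host name -> version banner as collected.
SAMPLE_INVENTORY = {
    "web01": "ntpd 4.2.6p5@1.2349-o Tue May 10 2011 (1)",
    "db01": "ntpd 4.2.8p10@1.3728-o",
    "lab03": "ntpd 4.2.7p26@1.2483",
    "old01": "xntpd 3-5.93e",
    "edge02": "4.2.8",
}

if __name__ == "__main__":
    for host in sorted(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]))
    print("needs update:", audit(SAMPLE_INVENTORY))
```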