Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

OS X NTP Security Update (Yosemite, Mavericks, and Mountain Lion)

Apple has released OS X NTP Security Update for 10.10 Yosemite, 10.9 Mavericks, and 10.8 Mountain Lion to address a critical security issue with the software that provides the Network Time Protocol (NTP) service, which is used to keep a computer’s internal clock synchronized with an external server. The updates are available via Software Update or via Apple’s Support Downloads Web site, but for the first time ever, Apple pushed this security update to at least some Macs automatically. For those still using 10.6 Snow Leopard, there’s an independent installer. (All updates are free. For 10.10.1 Yosemite, 1.9 MB; for 10.9.5 Mavericks, 2.0 MB; for 10.8.5 Mountain Lion, 2.1 MB)

 

Backblaze is unlimited, unthrottled backup for Macs at $5/month.
Web access to files means your data is always available. Restore
by Mail allows you to recover files via a hard drive or USB.
Start your 15-day trial today! <https://www.backblaze.com/tb>
 

Comments about OS X NTP Security Update (Yosemite, Mavericks, and Mountain Lion)
(Comments are closed.)

bartonbob  2014-12-23 00:45
Does the NTP issue impact Snow Leopard? As a hedge, does turning off automatic date and time updates avoid the exploit?
Nicholas Barnard  2014-12-23 03:01
I'm not an expert on this, but you should be able to disconnect NTP and firewall off port 123.

https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

http://arstechnica.com/security/2014/12/attack-code-exploiting-critical-bugs-in-net-time-sync-puts-servers-at-risk/

I'd also guess that your standard NAT router would prevent a random drive by attack.

This all being said, I wouldn't be surprised if a replacement binary for the NTP daemon comes out for Snow Leopard and down, since this is an open source component.
Bring it on! (Please!!) I'd be very interested in applying a fix to my three Macs running 10.6.8 and one running 10.7. I don't have any plans to change the OS version, as it's a stable configuration that works well with some pricey applications.

It bugs me that Apple continues to throw its longtime, loyal users under the bus by excluding us from critical updates. I'll be watching for further info on this issue. Thanks, guys.
Nicholas Barnard  2014-12-24 19:05
Its not firmly within my grasp to compile the NTPd and send it on. Although you might be able suss the binary out of a stand alone upgrade if Apple offers one.

Apple has long been in the business of selling hardware not software. That being said they provide OS updates incredibly cheaply and they've managed to keep the newer OSes reasonably fast. (My 5.5 year old Macbook is still reasonably snappy on Mavericks. I have ticked reduce transparency on it though to keep it speedy. It also got an SSD a few years ago and a bit more memory.)

Its one of those eternal struggles, how much engineering resources do you devote to older operating systems, versus developing new features on new operating systems? I for one wouldn't like Apple to get stuck with the albatross that is Windows XP hanging around Microsoft's neck.
Compiling NTP from source goes as 1, 2, 3.
Get the x-code toolkit for the affected Mac OS here:
https://developer.apple.com   -> Downloads -> Additional Tools (registration with your Apple ID is required) and install it on your affected Mac with command line tools selected.
Download NTP V 4.2.8 here:
http://www.ntp.org/downloads.html

and uncompress it e.g. in your home directory.
In Terminal cd to the uncompressed NTP source folder.
Type in the next three commands hitting the enter key after each: ./configure -> make -> make install.
This should do so far.

Don
Roger D. Parish  An apple icon for a TidBITS Contributor 2014-12-30 09:19
I tried your instructions and failed on configure:

checking for install dir and man conventions... failed.

Configure: error: Problem with genLocInfo!

Yosemite 10.10.1, Xcode 6.1.1, and appropriate command line tools: commandlinetoolsosx10.10forxcode6.1.1.dmg
Nicholas Barnard  2014-12-30 12:52
If you're on Yosemite just install the NTP patch directly from Apple... Those instructions are mostly for older versions of OS X.
Adam Engst  An apple icon for a TidBITS Staffer 2015-01-04 11:17
Here's a link to an installer that will give you a patched version of NTP for Snow Leopard. Note that I haven't tested this, so be sure to have a backup before you install.

https://github.com/MacMiniVault/NTPUpdateSnowLeopard/releasess
xandra  2015-01-08 15:24
No mention of a patch for Lion!? feeling left out in the dark here.
Adam Engst  An apple icon for a TidBITS Staffer 2015-01-08 18:22
It's pretty unusual for people to have stopped at Lion, since Mountain Lion was largely just a better operating system. This article might provide the instructions you need.

http://www.macissues.com/2014/12/24/how-to-manually-patch-ntp-for-os-x-10-6-and-10-7/
xandra  2015-01-08 15:26
Whoops, forgot the important part. Would disabling "Set time zone automatically… " protect you from this.
Adam Engst  An apple icon for a TidBITS Staffer 2015-01-08 18:23
I don't know. You could try disabling that option and then looking in Activity Monitor for ntpd.