Apple pushes out its first-ever automated security update
Apple automatically updated Macs this week to patch a security hole in OS X. It's the first time Apple has ever automatically applied a security update, though it's had the ability to do so for two years.
Your Mac might have been updated this week without you even knowing it.
Apple wanted to patch a security hole as quickly as possible before hackers took advantage of it. The security update was the first Apple has ever sent out without first requiring users’ permission to install.
Apple spokesman Bill Evans told Reuters the update was “seamless” and that users didn’t even need to restart their computers.
The security hole affects Linux and Unix systems, including Mac OS X. A bug in the network time protocol (NTP) that keeps computer clocks in sync could have allowed hackers to gain control of a computer. The bug was uncovered last Friday by researchers at Carnegie Mellon University and the US Department of Homeland Security. The security bulletin announcing the bug said it could “allow attackers to overflow several buffers in a way that may allow malicious code to be executed.”
Apple says it’s not aware of any cases where the security hole was actually used by hackers to gain access to anyone’s computer. Presumably, the automatic update helped to quickly patch the vulnerability: relying on users to manually install a security patch would take longer, giving attackers more time to exploit the bug.
It’s worth mentioning that OS X has had a method for automatically applying security updates since 2012; it’s just that Apple had never used that method until now. Seamless updates allow the company to quickly patch security vulnerabilities, although there’s a small risk that any update could cause problems for certain users, if it conflicts with other applications they’re using.
Mac users who don’t want to receive automatic updates can go to their System Preferences and, under the App Store section, uncheck the option labeled “Install system data files and security updates.” (You probably shouldn’t do this unless you know Apple’s security updates might make things buggy on your machine, or unless you’re really concerned about having manual control over security updates.)
This vulnerability was particularly severe, Mr. Evans told Reuters, which is why Apple chose not to patch it through its regular software update system. That system was used back in February to fix “Gotofail,” a bug on Macs and iOS devices that could have allowed an attacker to monitor user activity on a wireless network. The bug stemmed from an extra line in Apple’s source code, and hackers could have used it to nab e-mails or even banking information. Apple issued a patch for the bug, and enough people downloaded the update that Mr. Evans says no one’s communications were intercepted.