Critical NTP Issue Motivates Apple To Push Update For First Time
Apple has released a security update for the Network Time Protocol (NTP) service that keeps your Mac's clock synced to Coordinated Universal Time, the standard that regulates world clocks.
The open source NTP software was discovered to have security issues that could allow the time synchronization system to be used as a gateway to run malicious code on computer systems using the service.
The security hole was discovered by a Google team of security personnel who were reviewing the open source NTP system.
Google then advised the U.S. CERT (Cyber Emergency Response Team) of the security issue:
"Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.
These vulnerabilities could be exploited remotely.
Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol."
Apple responded to the CERT announcement with an update to the NTP system used in OS X by releasing this morning's security update.
The security issue is considered critical, and you should update right away. Updates are available from the Mac App Store.
Interestingly, some users are reporting that their Macs were updated automatically, with a notification message appearing in the morning hours on Tuesday (12/23/2014). Apple has had the ability to push security patches for quite a while, but has never used the capability, instead relying on users to check and voluntarily update their Macs via the Software Update service or the Mac App Store's Updates service.
That Apple has chosen to use its automatic update service for the first time may well indicate how severely it regards this NTP flaw.
However, you should not wait for Apple to push the update to you. Since this is the first time the service is being used, there's no guarantee that you will receive the update right away, and indeed, my Mac hasn't been updated yet. After I publish this post, I'll be visiting the Mac App Store, selecting the Updates tab, and installing the security update from there.
You can also download and install the NTP update directly from the Apple web site:
OS X NTP Security Update: OS X Yosemite
OS X NTP Security Update: OS X Mavericks
OS X NTP Security Update: OS X Mountain Lion
Published: 12/23/2014