Apple deploys first-ever automatic patch to fix NTP flaw

Apple on Monday used an automatic security update mechanism for the first time to deploy a fix for a critical vulnerability in NTP, or Network Time Protocol, that was uncovered by a Google engineer.

The update for OS X Mountain Lion, Mavericks and Yosemite will be automatically downloaded to and installed on Macs whose owners have not changed a default setting in the operating system's preferences, Apple confirmed today.

"In light of a security threat to Unix-based systems including OS X, we've used an automatic security feature to update OS X systems and protect our users as quickly as possible," Apple spokesman Bill Evans said in an emailed statement. In that statement, Evans called the NTP bug a "critical" flaw. "The update is seamless -- it doesn't even require a restart," Evans added.

The vulnerability could allow attackers to execute malicious code on an at-risk Unix system -- OS X is based on a Unix variant -- according to the advisory issued alongside the Monday patch. Apple credited Google security engineer Stephen Roettger with originally reporting the bug to the Network Time Foundation, the organization that oversees the NTP open-source project.

NTP, which is almost 30 years old, is a standard for time synchronization of networked computers, including client and server systems, critical for such tasks as file and activity time stamping, and for security forensics investigations.

Windows uses a proprietary time synchronization service, but like other operating systems, it pings the same reference time-keeping servers, like those operated by the U.S. Naval Observatory or the National Institute of Standards and Technology (NIST), for ultra-accurate times.

More interesting -- if not more important -- than the patch itself was the way Apple rolled it out.

In 2012, with the debut of OS X Mountain Lion, Apple added an automatic update mechanism to its Software Updates service. The new tool was to install security updates without any prior user notification or authorization.

At the time, Computerworld characterized the change as Apple playing catch-up with Microsoft, which has long defaulted to automatically downloading and installing Windows updates for consumers.

Before Mountain Lion, 2009's OS X Leopard and 2011's Snow Leopard would download updates, then simply notify users when they were available. It was still necessary for users to manually authorize the updates' installation.

But until Monday, Apple had never used automatic updating even though the service had been available for more than two years.

Apple declined to explain why it chose to use the mechanism for this update: It has patched hundreds of similarly-critical vulnerabilities in the last two years. Apple's statement that it wanted to "protect our users as quickly as possible" hints it believed speed was of the essence; while Apple said it had seen no signs of active attacks against OS X, public exploits of the NTP vulnerability have appeared.

The downside of automatic updating may have also contributed to Apple's previous hesitation. Many users are leery of the practice because of potential problems that may surface only later. Some Windows customers, for example, have expressed frustration at a months-long string of botched updates from Microsoft, and have disabled auto updates so that they can apply them only after it's clear they won't break something or even cripple computers.

Only Macs running OS X Mountain Lion, Mavericks and Yosemite can be silently updated by Apple, and then only if the "Install system data files and security updates" box is checked in the App Store section of System Preferences. That setting is the default.

The lack of a similar patch for OS X Lion, which was used by about 7% of all Mac owners last month, is further proof that Apple has stopped supporting the 2010 operating system.

Mac owners who do not want updates automatically downloaded and installed can clear the box in the App Store preferences.