For the first time ever, Apple has pushed out an automatic OS X update to repair a security flaw the company says was too serious too wait for users to patch themselves.
The silent security update to Mac OS X users, fixes a vulnerability in NTP that would’ve allowed hackers to turn Macs into little DDoS zombie minions. In a way, this finally brings Apple up to parity with Microsoft: Windows has technically had the ability to do automatic updates for a long time, though it’s very rare to see them performed while a system is in use. Rather impressively, the OS X security patch should install transparently, with no need to restart.
A couple of weeks ago, some Techies discovered some vulnerabilities in the Network Time Protocol (NTP), including a buffer overflow vulnerability that allows an attacker to execute malicious code on a remote system. Most Unix-like operating systems like Linux, BSD, OS X, and more use NTP to synchronize their clocks — an exact number of vulnerable systems isn’t known, but we’re almost certainly talking about millions of computers, including Macs running OS X 10.8, 10.9, and 10.10.
In any case, Apple thought this was a good opportunity to try out OS X’s automatic silent-patching mechanism. The feature has been present in OS X for at least a couple of years, but Apple says this is the first time it has ever been used. Whether this is indicative of Apple’s fairly slow-and-lazy approach to security, or just a dearth of vulnerabilities, I don’t know. Even though OS X is gaining in popularity, it still pales in comparison to Windows’ market penetration — so while Microsoft is constantly fighting to keep Windows secure, it’s relatively rare to see hackers or researchers target OS X, and thus we generally see very few security patches from Apple.
According to Apple PR, the security update “is seamless. It doesn’t even require a restart.” Apparently, when it’s your turn to receive the update, it will download and install automatically — the first you’ll know about it is a confirmation box after the patch installs, telling you it was a success. If you don’t want to wait for the automatic update, it can be manually downloaded from the Updates tab of the Mac App Store.
OS X Yosemite vs. Windows 10
Windows has had the ability to automatically and silently install updates for a long time, but it’s very rare for Microsoft to actually use it. Microsoft/Windows prefers to download the updates automatically, and then install them at the next opportune moment — usually when you’re shutting down or restarting. Installing a security update while a system in use can be quite risky: If you’re in the middle of an important task, and suddenly the system update daemon starts stealing CPU cycles and grinding the hard drive, it can be rather annoying. Presumably Apple thought the NTP vulnerability was serious enough that it warranted silent installation.
Hopefully Apple didn’t automatically push the update to any OS X systems being used as servers or in an enterprise setting, though, or there might be some rather upset sysadmins.