Friday, December 26, 2014

On security: news without validation - The case of ntpd for Mac OS X

It is a shame that even Hacker News, like many others, reported inaccurate information about the several recent NTP vulnerabilities affecting the ntpd daemon on *NIX systems.

Apple computers are not patched automatically unless the user opts in, and that feature was only added with Yosemite, so it is most likely not even available on many of the Macs in use out there.

Sysadmins should be encouraged to reach out to their user base so the Macs get patched. Unlike Ubuntu and other Linux distros, where ntpdate is most likely being used to synchronize time, Macs use the ntpd daemon. Yes, this is not just a server issue when it comes to Mac OS X.

BTW, back to the ntpd vulnerabilities: follow Apple's instructions for correct remediation. As explained there, 'what /usr/sbin/ntpd' should be run to check the proprietary OS X ntpd version.

What is interesting here is that 'ntpd --version' still returns 4.2.6 after the patch, a version which, according to the official ntpd distribution communication, does not contain the patch. Version 4.2.8 does.
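
A check built on that observation, as an added example that is not from Apple or from the original post: it ignores the upstream version string and compares the Apple build tag reported by `what`. The `PROJECT:ntp-<build>` output format is an assumption, the sample output and its build number are constructed, and the minimum build must be taken from Apple's advisory for your OS X release.

```shell
#!/bin/sh
# Added example. Assumption: `what /usr/sbin/ntpd` prints a line containing
# "PROJECT:ntp-<build>"; the minimum patched build comes from Apple's advisory.

# Constructed sample of `what` output (the build number 1.2.3 is made up).
SAMPLE='/usr/sbin/ntpd
	PROGRAM:ntpd  PROJECT:ntp-1.2.3'

# Read `what` output on stdin and print Apple's build number, e.g. "1.2.3".
ntp_build() {
    sed -n 's/.*PROJECT:ntp-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, comparing each field as a number
# so that 1.10.0 sorts above 1.2.3 (a plain string compare gets this wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read `what` output on stdin; $1 is the minimum patched build.
# Prints patched, unpatched, or unknown (no build tag found).
ntpd_status() {
    build=$(ntp_build)
    if [ -z "$build" ]; then echo unknown; return 0; fi
    if version_ge "$build" "$1"; then echo patched; else echo unpatched; fi
}

# Live check on a Mac: sh check_ntpd.sh <minimum-build-from-Apple-advisory>
if [ -n "${1:-}" ] && [ -x /usr/sbin/ntpd ]; then
    what /usr/sbin/ntpd | ntpd_status "$1"
fi
```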

