Credit: Krivosheev Vitaly/Shutterstock
Yesterday (Dec. 22), Apple pushed its first mandatory update for OS X: a patch for a serious bug in the Internet-standard Network Time Protocol. Attackers could exploit the flaw to remotely run code on someone else's computer or server, effectively seizing control.
Until now, Mac owners have always had to agree to each update before it was installed. Yesterday was the first instance in which Apple used its ability to send out mandatory software updates. This particular patch doesn't require a computer restart.
Network Time Protocol (NTP), first defined in 1985, is a protocol for syncing time on networked machines all across the world. It's used in most computers and servers, not only in Apple's OS X systems.
The flaw in question, officially designated CVE-2014-9295, has to do with a buffer-overflow issue. An attacker could send a specially crafted malicious packet to a computer with a vulnerable version of NTP, and that packet would be able to run its malicious code with the same privileges as a legitimate NTP packet.
Exploits for this newly discovered NTP flaw do exist, but Apple says it has not detected any instances of people exploiting the flaws on an OS X system.
Nevertheless, after the flaw was disclosed by Google researchers last week, Apple decided to push out the security update for OS X Mountain Lion, Mavericks and Yosemite in such a way that users wouldn't have to manually approve it for it to download. Apple gave itself the ability to push out mandatory updates two years ago.
If you really don't like the idea of Apple pushing automatic updates to your computer, you can disable the feature by going to the Apple Menu, then System Preferences, then the App Store. Uncheck "Install system data files and security updates."
- How to Protect Yourself from Data Breaches
- 12 Security Mistakes You're Probably Making
- Best Antivirus Software
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, onFacebook and on Google+.
Should Apple be pushing out mandatory software updates? Let us know what you think in the comments.