It’s not a huge patch, but it could make a difference.
Per Mac|Life, Apple released a small Network Time Protocol security patch on Friday. The patch, a 1.4 megabyte download, addresses what the company terms as a new “critical security issue”.
Fascinatingly enough, the vulnerability itself was discovered by the Google Security Team back on December 19, and the U.S. Government alerted users of it only a couple of days later. The dangers of the vulnerability are a little complex and the government’s ICS-CERT site is a little vague about what it is and what it does:
“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP),” ICS-CER’s site says. “As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices.”
The big danger here is that “Exploits that target these vulnerabilities are publicly available,” and malicious-minded folks can exploit those vulnerabilities remotely. You can download the patch right now by selecting Software Update from the Apple menu or by going directly to the updates section of the Mac App Store; it should be listed as the latest Security Update.
The update requires OS X 10.8 or later to install and run.
If you’ve tried the update and have any feedback to offer, let us know in the comments.