The U.S. government released a “critical security issue” advisory regarding the Network Time Protocol (NTP) service on 12/23/14, a threat originally discovered by the Google Security Team on 12/19/14. This vulnerability affects many Unix-based operating systems that utilize the open source NTP service, including Mac OS X. https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A
The day after the government’s advisory came out, Apple released OS X NTP Security Updates for OS X 10.8, 10.9, and 10.10. http://support.apple.com/en-us/HT1222
I have pushed these NTP Security Updates via Kaseya to all OS X 10.8-10.9 Mac workstations under ACC at Chicago clients.
Macs running OS X 10.8 or later that have the “Install data files and security updates” option checked in the App Store system preference pane will automatically get the OS X NTP Security Update installed without any user prompt or confirmation. This update is also available by doing a Software Update on Macs running OS X 10.8 or later that don’t have that option checked.
Apple will not be releasing OS X NTP Security Updates for OS X 10.7 and older. Unfortunately, patching these older operating systems isn’t straightforward, and requires using Xcode to compile your own installer, or downloading a use-at-your-own-risk homebrew installer that someone else compiled for their system.
I have developed and deployed a custom Kaseya script that mitigates the NTP vulnerability on Macs (both Intel and PowerPC) running OS X 10.4-10.7 in the Chicago All Covered market, by editing the ntp-restrict.conf file. This change “effectively protects” unpatched systems according to the Google Security Team. http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html
To manually mitigate the NTP vulnerability using this method, open /etc/ntp-restrict.conf in TextWrangler, unlock, add “ noquery” to the end of both the restrict lines under the localhost section, then save. See the Google Security Team’s report linked above for more information.
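
The same edit can be scripted. The following is an added example, not the Kaseya script mentioned above: the function name and the sample file contents are constructed for illustration, and it assumes the restrict lines carry no trailing comments. It appends noquery only to the loopback restrict lines, leaves a .bak copy, and changes nothing if the flag is already present.

```shell
#!/bin/sh
# Added example (not the author's Kaseya script): append "noquery" to the
# loopback restrict lines of an ntp-restrict.conf-style file.

add_noquery_localhost() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp="$(mktemp "${TMPDIR:-/tmp}/ntp-restrict.XXXXXX")" || return 1
    awk '
        /^[ \t]*restrict[ \t]/ {
            is_local = 0; has_nq = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "127.0.0.1" || $i == "::1") is_local = 1
                if ($i == "noquery") has_nq = 1
            }
            # Only loopback lines that lack the flag are changed
            if (is_local && !has_nq) { sub(/[ \t]+$/, ""); $0 = $0 " noquery" }
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"; return 0          # already mitigated, nothing to do
    fi
    # Keep a backup, then overwrite in place so owner and mode are preserved
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ $# -gt 0 ]; then
    add_noquery_localhost "$1"          # e.g. /etc/ntp-restrict.conf, as root
else
    # No argument: run on a constructed sample so the effect is visible
    demo="$(mktemp "${TMPDIR:-/tmp}/ntp-demo.XXXXXX")"
    printf '%s\n' \
        'restrict default kod nomodify notrap nopeer noquery' \
        '# localhost is unrestricted' \
        'restrict 127.0.0.1' \
        'restrict -6 ::1' > "$demo"
    add_noquery_localhost "$demo" && cat "$demo"
    rm -f "$demo" "$demo.bak"
fi
```

ntpd reads its configuration at startup, so the edited file takes effect once the daemon is restarted or the Mac is rebooted.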