The U.S. government released a “critical security issue” advisory regarding the Network Time Protocol (NTP) service on 12/23/14, a treat originally discovered by the Google Security Team on 12/19/14. This vulnerability affects many Unix based operating systems that utilize the open source NTP service, including Mac OS X.

The day after the government’s advisory came out, Apple released OS X NTP Security Updates for OS X 10.8, 10.9, and 10.10.
I have pushed these NTP Security Updates via Kaseya to all OS X 10.8-10.9 Macs workstations under ACC at Chicago clients.

Macs running OS X 10.8 or later, that have the option for “Install data files and security updates” checked in the App Store system preference pane, will automatically get the OS X NTP Security Update installed without any user prompt or confirmation. This update is also available by doing a Software Update on Macs running OS X 10.8 or later that don’t have that option checked.

Apple will not be releasing OS X NTP Security Updates for OS X 10.7 and older. Unfortunately patching these older operating systems isn’t straight forward, and requires using Xcode to compile your own installer, or downloading a use-at-your-own-risk homebrew installer that someone else compiled for their system.

I have developed and deployed a custom Kaseya script that mitigates the NTP vulnerability on Macs (both Intel and PowerPC) running OS X 10.4-10.7 in the Chicago All Covered market, by editing the ntp-restrict.conf file. This change “effectively protects” unpatched systems according to the Google Security Team.

To manually mitigate the NTP vulnerability using this method, open /etc/ntp-restrict.conf in TextWrangler, unlock, add ” noquery” to the end of both the restrict lines under the localhost section, then save. See the above Google Security Team’s report for more information.