Acting on information provided by the Google Security Team, Apple has released a security update for the OS X ntpd (Network Time Protocol daemon).
The update addresses "several issues" that allowed attackers to trigger buffer overflows in order to execute arbitrary code.
OS X NTP Security Update applies to Yosemite, Mavericks and Mountain Lion, and can be installed via the Mac App Store.
According to CERT, the vulnerabilities are found in "ntpd version 4.2.7 and previous versions", so it would seem wise to assume all versions of OS X are affected.
At this stage it is not known what measures should be taken by users of Lion and earlier versions. Deactivating the "Set date and time automatically" option in the Date & Time preference appears to stop ntpd, but there may be situations where not having an accurately set clock causes problems.
It is possible that someone will release a build of ntp.org's ntpd 4.2.8 that can be easily installed - but how will you know whether you can trust their work?