WZZZ

Q: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-sev ere-ntp-security-flaw/

 

When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system.

What this means is that, if you allow date and time to be set automatically by outside servers, you risk having your computer taken over.

 

This is a critical issue, it's being exploited as we speak, and Apple has not provided the update to Snow Leopard users, only to 10.8/Mountain Lion and above. I strongly doubt Apple will ever get around to issuing an update for Snow Leopard, or they would have already. Chances of that happening are close to zero

Posted on Dec 23, 2014 4:37 PM

Close

Q: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

  • All replies
  • Helpful answers

first Previous Page 9 of 12 last Next
  • by WZZZ,

    WZZZ WZZZ Jan 3, 2015 4:49 PM in response to xyzzy-xyzzy
    Level 6 (13,112 points)
    Mac OS X
    Jan 3, 2015 4:49 PM in response to xyzzy-xyzzy

    On the one hand you show me a log that has the mlockall error but no sntp -v error and then you say you are not getting the mlockall error.

    The log showing the mlockall error is from the virgin 4.2.4-p4, i.e., the clone that never had flatsixracer's on it (well, actually I'm still saving that virgin clone--I cloned that one to another Snow partition that had been updated in order to bring it back to a virgin 4.2.4-p4, which is where I did this test to see what the MI build looked like on a partition that never had the flatsix rev4 or any kind of ntp update).

     

    The log indicates to me that at that time you had the updated ntpd-wrapper (which fixes the sntp -v error)

    Remember, I have never seen the sntp -v error. Old mystery there.

    but did not have the updated ntp-restrict.conf which gets rid of the KOD and mlockall log messages.

    Yep, the MI build on the virgin clone doesn't get rid of those. But they do not show on the one that first had the rev4, then the MI.

     

    I cannot see you having a log which reports the KOD messages and not having the mlockall error.

    The MI build log I posted just above does show those. I think I may have misunderstood what you were getting at. Confusion caused by references to different logs from different builds?

     

    If you want to go back to the beginning you would need to make sure you have the original OSX ntp.conf, ntp-restrict.conf, and ntpd-wrapper.  Then you can use the normal explicit build as described by MI.  You should then see the -v message, KOD messages, and mlockall message in the log.

    That's exactly what I did, and which the logs posted above show, minus the -v message (to which for some unexplained reason I appear to be immune) on that virgin clone--that clone never touched by any form of ntp update.

     

    So if the "updated ntp-restrict.conf and ntpd-wrapper that MI doesn't address" are retained in the system, as you suggest, from flatsixracer's rev4 that explains why those messages are still not generated, even after I overwrite the rev4 update using the MI build.

     

    So next, maybe impossible to answer question, am I perhaps getting the best of both worlds by first installing the flatsix rev 4, which removes those messages, and then using the MI build, which uses binaries compiled by Xcode optimized for my CPU?  (Or by simply editing those files myself).

     

    ...There is a function name finish() in the ntpd.c source file.  

     

    And finally, to the second part of your reply. Since, according to what you wrote--if I haven't completely misunderstood that, which is entirely possible--your theory is that the coding error might originate from the current 4.2.8 version (that is, if "ntpd.c source file" is part of the 4.2.8). If so, should we all redo this entire thing when the one now in beta is in final release, as that might eliminate this error?

     

    Sorry if all this has just added to the confusion, but I hope not.

  • by xyzzy-xyzzy,Helpful

    xyzzy-xyzzy xyzzy-xyzzy Jan 3, 2015 6:39 PM in response to WZZZ
    Level 1 (10 points)
    Jan 3, 2015 6:39 PM in response to WZZZ

    WZZZ wrote:

     

    So if the "updated ntp-restrict.conf and ntpd-wrapper that MI doesn't address" are retained in the system, as you suggest, from flatsixracer's rev4 that explains why those messages are still not generated, even after I overwrite the rev4 update using the MI build.

     

    So next, maybe impossible to answer question, am I perhaps getting the best of both worlds by first installing the flatsix rev 4, which removes those messages, and then using the MI build, which uses binaries compiled by Xcode optimized for my CPU?  (Or by simply editing those files myself).

     

     

    Yes.  I said the only difference between building your own and using flatsixracer installer is essentially those additional two files.  Use his installer or install those two files yourself.  The latter seems easier to me.  Why use the installer just for those two files and then clobber all the rest with your own build?  And frankly if you are using a 64-bit intel machine I don't know are gaining anything by building it yourself over using the installer.  At the moment the only reason you might want to build it yourself is to build with the latest 4.2.8 betas.

     

    And finally, to the second part of your reply. Since, according to what you wrote--if I haven't completely misunderstood that, which is entirely possible--your theory is that the coding error might originate from the current 4.2.8 version (that is, if "ntpd.c source file" is part of the 4.2.8). If so, should we all redo this entire thing when the one now in beta is in final release, as that might eliminate this error?

     

    Sorry if all this has just added to the confusion, but I hope not.

     

    Personally I'd be inclined to always use the latest release, beta or not.  I don't know whether the bug will "go away" or not.  It's apparently very rare.

  • by MichelPM,

    MichelPM MichelPM Jan 3, 2015 8:29 PM in response to flatsixracer
    Level 6 (13,912 points)
    iPad
    Jan 3, 2015 8:29 PM in response to flatsixracer

    I wanted to let know that your files on Google worked for me, as well.

    Thank you sooo much for provided this for Snow Leopard users.

    Greatly appreciated!!!

     

  • by WZZZ,

    WZZZ WZZZ Jan 4, 2015 5:34 AM in response to xyzzy-xyzzy
    Level 6 (13,112 points)
    Mac OS X
    Jan 4, 2015 5:34 AM in response to xyzzy-xyzzy

    OK, I think I've finally understood where we are with all this. Many thanks for the excellent help you have provided.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 4, 2015 11:06 AM in response to WZZZ
    Level 1 (5 points)
    Jan 4, 2015 11:06 AM in response to WZZZ

    The Apple push of the NTP fix seems not to require a reboot; so I was wondering if

    http://www.macissues.com/2014/12/24/how-to-manually-patch-ntp-for-os-x-10-6-and- 10-7/

    really required a reboot

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 4, 2015 12:31 PM in response to Anwar Shiekh
    Level 1 (10 points)
    Jan 4, 2015 12:31 PM in response to Anwar Shiekh

    Anwar Shiekh wrote:

     

    The Apple push of the NTP fix seems not to require a reboot; so I was wondering if

    http://www.macissues.com/2014/12/24/how-to-manually-patch-ntp-for-os-x-10-6-and- 10-7/

    really required a reboot

     

    I think (now, only changed my thinking on this recently) it is probably sufficient to toggle ntpd off and on via Date&Time prefs (alternatively you can kill and restart the launch daemon via launchctl* from the terminal command line).  But is it really that inconvenient to reboot just to be 100% sure?

     

    * Here's the launchctl commands to turn ntpd off and back on:

    sudo launchctl unload /System/Library/LaunchDaemons/org.ntp.ntpd.plist

    sudo launchctl load /System/Library/LaunchDaemons/org.ntp.ntpd.plist

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 4, 2015 12:38 PM in response to xyzzy-xyzzy
    Level 1 (5 points)
    Jan 4, 2015 12:38 PM in response to xyzzy-xyzzy

    You are right, a reboot is not so inconvenient; but thanks for all the input.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 10, 2015 9:32 PM in response to Anwar Shiekh
    Level 1 (10 points)
    Jan 10, 2015 9:32 PM in response to Anwar Shiekh

    This is somewhat tangential to all that has been discussed in this thread, and it's been a few days since coming back here so I want to ask the following...

     

    It was requested in this thread to have the updated ntp build running on a (ppc?) G5 (if I recall).  What I want to verify is which version of Snow Leopard is being used?  Is it 10.6.7 or 10.6.8 (don't care if it's ppc or not)?  If it's 10.6.5 was the updated ntp stuff installed and running there ok? 

     

    I'm only asking this because out of curiosity I fired up my old 10.6.4 (Blue&White G3) machine just to see how ntp is installed there and discovered all the "machinery" to start and stop ntp is different than it is in 10.6.7.  This means that these 10.6 Snow Leopard builds we had been discussion couldn't and shouldn't be installed in 10.6.4 (probably no one cares by now anyhow).  Since I never had a 10.6.5 I was just wondering if the present ntp layout is compatible with that system.  Is there a /usr/libexec/ntpd-wrapper? Is there a /System/Library/LaunchDaemons/org.ntp.ntpd.plist?  If not then these current ntp builds are only valid for 10.6.7, 10.6.8, and if I believe MacIssues 10.7.? (which I also have never installed).

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 11, 2015 1:07 AM in response to xyzzy-xyzzy
    Level 1 (10 points)
    Jan 11, 2015 1:07 AM in response to xyzzy-xyzzy

    Never mind.  Turns out I did have a 10.6.5 laying around and the ntp setup is what's expected.  So private builds of current ntp are compatible with 10.6.5 to 10.6.8, and I suppose 10.7 (as I said above if I believe MacIssues on 10.7)

  • by 22Phiphi,

    22Phiphi 22Phiphi Jan 11, 2015 1:28 AM in response to xyzzy-xyzzy
    Level 1 (0 points)
    Jan 11, 2015 1:28 AM in response to xyzzy-xyzzy

    Hi.

     

    As I mentioned before and was left there, at the time I tried the patch, my ntpd would not ever start any more. though I have the latest SnowLeo, that is 10.6.8.

    I never noticed your modifications since then addressed whatever was likely to be relevant in my case.

    Since then I used MacIssues way, and I didn't checked any logs, but whatever I expect to work, works fine.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 11, 2015 7:44 AM in response to xyzzy-xyzzy
    Level 1 (5 points)
    Jan 11, 2015 7:44 AM in response to xyzzy-xyzzy

    In the end I compiled the NTP code for the PPC on a 10.5.8 machine and made universal binaries using the Intel parts of flatsixracer and put it all in an installer package

    http://www.cubeowner.com/forums/index.php?showtopic=14866

    everything seems to be working on a PPC Mac, but I haven't tried it on an Intel Mac

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 11, 2015 5:11 PM in response to Anwar Shiekh
    Level 1 (10 points)
    Jan 11, 2015 5:11 PM in response to Anwar Shiekh

    Sorry for my earlier confusion.  My old B&W G3 is running Tiger (specifically 10.4.11).  I was thinking of that when I posted above.  Instead I typed 10.6.4 and compounded my confusion by saying I found a 10.6.5, not a 10.5 which I really don't have.  My intent was to ask about 10.5 (not 10.6.5) so thanks for giving me the info I wanted to know. Thus the ntp installation, including ntp_wrapper and ntp_restrict.conf can be considered valid for Leopard (10.5), Snow Leopard (10.6), and Lion (10.7).  Nothing earlier and we can ignore anything later..  And Intel vs. ppc isn't pertinent to what I wanted to know.

     

    Again, thanks.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 11, 2015 5:20 PM in response to xyzzy-xyzzy
    Level 1 (5 points)
    Jan 11, 2015 5:20 PM in response to xyzzy-xyzzy

    For all I know the 10.5 PPC binaries might work for 10.4; I felt that Intel vs PPC was pertinent because 10.5 is universal, so it might be nice to keep it that way.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 11, 2015 6:55 PM in response to Anwar Shiekh
    Level 1 (10 points)
    Jan 11, 2015 6:55 PM in response to Anwar Shiekh

    As I mentioned earlier the way ntp works differently in 10.4,  For example ntp-wrapper and the launch daemon do not exist there (well at least I didn't find them).  And it's not clear where the equivalent to ntp-restrict.conf is either.  That why I wanted to know if these exist in 10.5.  But since you installed some of this stuff in your 10.5 you wouldn't be able to tell unless you have an unupdated (no new ntp installed)  to compare against.  Given you said ntpd seems to be working there I have to assume the various components we see today on current OS X''s started with 10.5.

     

    But the way it stands now I do not expect it to fully work in 10.4 because I don't see those components.  Yes, you could replace ntpd code file there.  That might work assuming 10.4's options to ntpd are the same now as what was there then.  We already know sntp doesn't accept the "old" sntp -v option used by 10.6.  But we (I) don't know if sntp is even used in 10.4 since it apparently is not as easy to see how all the pieces fit together there.  For example it is not obvious (to me) how ntpd even gets initiated in 10.4?  It's not straight-forward like we have now (i.e., launch daemon invokes ntpd-wrapper which in turn invokes ntpd telling it to use ntp-restrict.conf).

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 11, 2015 7:31 PM in response to xyzzy-xyzzy
    Level 1 (5 points)
    Jan 11, 2015 7:31 PM in response to xyzzy-xyzzy

    If you ever find out what 10.5 doesn't need of

     

         /usr/bin/ntp-keygen

         /usr/bin/ntpq

         /usr/bin/sntp

         /usr/sbin/ntpd

         /usr/sbin/ntpdate

         /usr/sbin/ntpdc

         /usr/sbin/ntptrace

         /usr/libexec/ntpd-wrapper

         /System/Library/LaunchDaemons/org.ntp.ntpd.plist

     

    I can modify the installer accordingly

first Previous Page 9 of 12 last Next