Snow Leopard users: Turn off automatic date and time in System Preferences immediately

Question

Level 6

13,220 points

Snow Leopard users: Turn off automatic date and time in System Preferences immediately

http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-sev ere-ntp-security-flaw/

When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system.

What this means is that, if you allow date and time to be set automatically by outside servers, you risk having your computer taken over.

This is a critical issue, it's being exploited as we speak, and Apple has not provided the update to Snow Leopard users, only to 10.8/Mountain Lion and above. I strongly doubt Apple will ever get around to issuing an update for Snow Leopard, or they would have already. Chances of that happening are close to zero

Posted on Dec 23, 2014 4:34 PM

Reply

Answer 1

Dec 23, 2014 4:53 PM in response to WZZZ

Apple security updates - Apple Support

Older OS's maybe shouldn't be using the Internet.

Reply

Answer 2

Loner T

Level 9

59,471 points

Dec 23, 2014 5:12 PM in response to QuickTimeKirk

QuickTimeKirk wrote:

Apple security updates - Apple Support

Older OS's maybe shouldn't be using the Internet.

There is a workaround as mentioned - http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_ctl_putda ta

Mitigation - any of:

Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
Put
restrict ... noquery
in your
ntp.conf
file, for non-trusted senders.

The other option is to build ntp on older systems that Apple may not patch.

Reply

Answer 3

WZZZ Author

Level 6

13,220 points

Dec 24, 2014 4:49 AM in response to Loner T

The upgrade to 4.2.8 is not quite so simple. You don't just download and install. It's not ready for that: the 4.2.8 needs to be compiled before it can be installed. One way is to use MacPorts + Xcode. As I understand it--and I I haven't done it for my Snow volume (I'm mainly on 10.8)--it's a fairly complicated business. Not for the faint of heart.

Reply

Answer 4

Loner T

Level 9

59,471 points

Dec 24, 2014 6:40 AM in response to WZZZ

MacPorts has NTP 4.2.8 - https://trac.macports.org/browser/trunk/dports/sysutils/ntp/Portfile

Reply

Answer 5

Dec 24, 2014 6:42 AM in response to QuickTimeKirk

I have recently installed Yosemite on an external Hard Drive. I can startup up my iMac (running Snow Leopard) by doing a Restart and holding down the Option key while restarting and then selecting the Yosemite disc.

Once I've done that, can I connect to the internet using the Yosemite disc without worrying about Security issues on my iMac?

Reply

Answer 6

Loner T

Level 9

59,471 points

Dec 24, 2014 7:43 AM in response to caroldurga

Yosemite should have silently installed the patch recently. Please check the current version using

what /usr/sbin/ntpd

/usr/sbin/ntpd

PROGRAM:ntpd PROJECT:ntp-92.5.1

About OS X NTP Security Update - Apple Support

Reply

Answer 7

Dec 24, 2014 9:09 AM in response to Loner T

Could you clarify your answer for me? I'm a newbie here. Do you mean that Yosemite silently installed the patch for Snow Leopard?

I have Yosemite installed on an external Hard drive connected to my iMac running Snow Leopard. Does that mean I can run Snow Leopard on my iMac now without worrying about Security Updates? Should I turn Automatic Date and Time in Snow Leopard's system prefs back on?

I have no idea what NTP means or refers to.

Reply

Answer 8

Dec 24, 2014 9:13 AM in response to Loner T

I followed the link in the above discussion

About OS X NTP Security Update - Apple Support

and found this

OS X NTP Security Update

ntpdAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1Impact: A remote attacker may be able to execute arbitrary codeDescription: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:
- Mountain Lion: ntp-77.1.1
- Mavericks: ntp-88.1.1
- Yosemite: ntp-92.5.1
Does this imply that Snow Leopard does not have that Security update?

Reply

Answer 9

Dec 24, 2014 9:21 AM in response to caroldurga

Yep.

And Lion, too.

Reply

Answer 10

WZZZ Author

Level 6

13,220 points

Dec 24, 2014 9:27 AM in response to caroldurga

There is no update for Snow. If you were booted to Yos, and if you stayed there long enough, the update would have installed. To check if it installed, visit Software Update while booted to Yos. If it's still showing as available, just run it directly from there. But it the update there will do nothing to patch the vulnerability in Snow.

Reply

Answer 11

WZZZ Author

Level 6

13,220 points

Dec 24, 2014 10:05 AM in response to Loner T

Loner T wrote:

MacPorts has NTP 4.2.8 - https://trac.macports.org/browser/trunk/dports/sysutils/ntp/Portfile

What do you do to install it? Seeing this:

http://www.hmug.org/portstory.php?5693

Reply

Answer 12

Dec 24, 2014 12:12 PM in response to WZZZ

To me 10.6.8 is still the best OS X Apple ever released and I patched my system just like the shellshock back in September. It's really easy if you have some basic shell skills and XCODE installed,

Here is what I did, it may save you some time:

open the terminal app

1) Download the source code, apply the patch (I got the source code links from the ntp site)

cd ~

mkdir ntpd-fix

cd ntpd-fix

curl http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8.tar.gz | tar zxf -

2) Patch and compile the ntp source code

cd ntp-4.2.8/ntpd

curl http://bugs.ntp.org/attachment.cgi?id=1165 | patch -p1

cd ..

./configure && make

3) Open the system preferences - Date & Time - uncheck Set date and time automatically (to stop the process)

4) Rename the old object and then replace/copy them with the new objects

cd /usr/bin

sudo mv sntp sntp.old

sudo mv ntpq ntpq.old

sudo mv ntp-keygen ntp-keygen.old

cd /usr/sbin

sudo mv ntpdc ntpdc.old

sudo mv ntpdate ntpdate.old

sudo mv ntpd ntpd.old

cd ~/ntpd-fix/ntp-4.2.8

sudo cp sntp/sntp /usr/bin

sudo cp util/ntp-keygen /usr/bin

sudo cp ntpq/ntpq /usr/bin

sudo cp ntpdc/ntpdc /usr/sbin

sudo cp ntpdate/ntpdate /usr/sbin

sudo cp ntpd/ntpd /usr/sbin

sudo chown root:wheel /usr/bin/sntp

sudo chown root:wheel /usr/bin/ntp-keygen

sudo chown root:wheel /usr/bin/ntpq

sudo chown root:wheel /usr/sbin/ntpdc

sudo chown root:wheel /usr/sbin/ntpdate

sudo chown root:wheel /usr/sbin/ntpd

5) Open the system preferences - Date & Time - uncheck Set date and time automatically (to start the process)

6) Done.

-- update time manually

sudo ntpdate -u time.apple.com

-- check ntpd version (should now be: ntpd 4.2.8@1.3265-o)

sudo ntpd --version

Reply

Answer 13

WZZZ Author

Level 6

13,220 points

Dec 24, 2014 2:54 PM in response to flatsixracer

Just ran all that successfully. Very cool and many thanks for that. Maybe someone can write a script for all of it, which would be a bit time saving, but very happy to have it as is.

Reply