I have a Macbook Pro running Yosemite 10.10.1. Have tried to follow steps to patch npt 4.2.8, but it gets a little too complex when it comes to installing the Xcode into Terminal. Has anyone been able to complete this process? Appreciate any help. Thanks.
MacBook Pro, OS X Yosemite (10.10.1)
Opps. Typo I tried to "follow steps to patch ntp 4.2.8..."
I take it you don't want the Apple installer? The Xcode instructions are not that hard. You just need to take time and read them carefully. If they are still to hard for you, then just forget this until someone releases an installer you can use. I'm sure that if there is a real concern Apple will release an update just as they did a few days ago.
Hi Kappy- Good lead. I will look into seeing if the Apple Installer can help me do upgrade. I would like an experienced Apple pro to help with fixing this issue. Really hope Apple ntp 4.2.8 Security Update comes tomorrow. But, I still wonder if any consultants have figured out how to help us who need upgrades to npt 4.2.8? .
Wait. Are you talking about the issue that Apple fixed with the auto patch last week?
Actually, they released a patch Xcode 6.1 patch that I have downloaded. That is where I am at now I have Xcode patch and have downloaded ntp 4.2.8, but am not comfortable running it all in my Terminal. However it isn't the auto update. The OS X NTP Security Update from December 22nd contains ntp 4.2.6. It had been developed to be the first forced security update, but ironically ntp security staff had released ntp 4.2.8 just days earlier on December 18th. So now we have to wait for Apple to catch up with another update to ntp 4.2.8 or install it ourselves.
This issue is so new, most Apple Developers I talk to won't touch it.
Apple doesn't follow the same versioning as open source projects, especially where security is concerned. The Apple version of ntp 4.2.6 has the security patch. There is no guarantee that ntp 4.2.8 will ever be included in OS X. But if there is a security risk, then what Apple ships will be patched.
Etresoft Thanks for your help.
Update-
So I spent most of the day yesterday getting online help to manually patch to ntp 4.2.8, and it didn't work. Then today I had a chat session with an Apple Support Supervisor and he assured me that the Security Update with ntp 4.2.6 has patches to make it secure. He does not recommend doing a manual patch to ntp 4.2.8.
I trust that Apple has the resources to keep us secure. The only problem is that my online security company has put me out of compliance with PCI because I don't have ntp 4.2.8. Not sure what to do. Every previous version of OS X have passed security scans. The problem started when I went to Yosemite OS X 10.10.1.
Will keep you informed.
mkbrown1433 wrote:
my online security company has put me out of compliance with PCI because I don't have ntp 4.2.8.
Why would anyone care what versions of software you have on your Mac? I got out of the roll-your-own-credit-card-merchant-account stuff when PCI came along. I really don't know what it requires. If you want to do that though, you need to play it smart. What kind of machine is PCI actually checking? Is this a server or something? Then give them what they want. That doesn't mean you have to use it. I guarantee that all of the massive hacks the past few years of millions of credit card companies were all perpetrated against companies with perfect PCI compliance. That is a regulatory requirement. To be regulated, you must meet that requirement. Don't let requirements dictate security. Instead, handle your security properly. Then, PCI is happy because you meet their automated tests, your customers are happy because their data is secure, and you are happy because you are using a Mac.
Apple rarely goes along with the crowd when it comes to providing security updates. I learned that many years ago with bzip2 when everybody else adopted version 1.0.2, Apple wrote their own patch.
The same applies today with the fix for SSLv3's "POODLE" vulnerability. If you check you will find that the test sites all believe that Safari is vulnerable to such an attack, but Apple has informed me personally that it's been fixed and I have not been able to find anybody who claims to be able to exploit such a flaw in a fully up-to-date OS X 10.8.5 and above.
Your online security company needs to contact Apple to be educated on how Apple Product Security does their job.
I suspect that if you were somehow able to install ntp 4.2.8, you could break a lot of things, perhaps even the fix that has been in place for almost a month now.
Thanks MadMacs0-
You have framed the problem most correctly. I am surprised this story hasn't gotten more attention in the media. I am in the process of confirming with my security company if all Apple users are having problems with PCI Compliance. If this is the case, Apple needs to offer an Apple authorized ntp 4.2.8 upgrade or work with PCI to convince them that their latest Security Update with patches to ntp 4.2.6 is secure for credit card use. Once I get confirmation on this I will start new topic "Are Any Apple Devices PCI Compliant in 2015?". Google it- there is no info out there on this topic.
Apple makes consumer devices, nothing for PCI compliance. I'm sure the attitude from PCI will be the same.
Hi Everyone-
Thanks so much for your help on this issue. Update- It turns out that my security company was scanning the wrong IP Address for me when they said that I needed ntp 4.2.8. When they ran scan on right network, it passed for PCI Compliance (even the ntp 4.2.6 with the latest Apple patch). I am not only relieved, but am glad that this isn't a widespread PC!/Security issue for other Apple Users. Thanks again.
mkbrown1433 wrote:
It turns out that my security company was scanning the wrong IP Address
My faith in the IT security industry is restored - as if it were ever in doubt. 🙂
When will Apple offer a Security Update with ntp 4.2.8? In the meantime, are there companies/Consultants that provide online help?
