Apple pushes out its first-ever automated security update

Apple automatically updated Macs this week to patch a security hole in OS X. It's the first time Apple has ever automatically applied a security update, though it's had the ability to do so for two years.

Your Mac might have been updated this week without you even knowing it.

Apple wanted to patch a security hole as quickly as possible before hackers took advantage of it. The security update was the first Apple has ever sent out without first requiring users’ permission to install.

Apple spokesman Bill Evans told Reuters the update was “seamless” and that users didn’t even need to restart their computers.

The security hole affects Linux and Unix systems, including Mac OS X. A bug in the network time protocol (NTP) that keeps computer clocks in sync could have allowed hackers to gain control of a computer. The bug was uncovered last Friday by researchers at Carnegie Mellon University and the US Department of Homeland Security. The security bulletin announcing the bug said it could “allow attackers to overflow several buffers in a way that may allow malicious code to be executed.”

Apple says it’s not aware of any cases where the security hole was actually used by hackers to gain access to anyone’s computer. Presumably, the automatic update helped to quickly patch the vulnerability: relying on users to manually install a security patch would take longer, giving attackers more time to exploit the bug.

It’s worth mentioning that OS X has had a method for automatically applying security updates since 2012 – it’s just that Apple had never used that method until now. Seamless updates allow the company to quickly patch security vulnerabilities, although there’s a small risk that any update could cause problems for certain users, if it conflicts with other applications they’re using.

Mac users who don’t want to receive automatic updates can go to their System Preferences and, under the App Store section, uncheck the option labeled “Install system data files and security updates.” (You probably shouldn’t do this unless you know Apple’s security updates might make things buggy on your machine, or unless you’re really concerned about having manual control over security updates.)

This vulnerability was particularly severe, Mr. Evans told Reuters, which is why Apple chose not to patch it through its regular software update system. That system was used back in February to fix “Gotofail,” a bug on Macs and iOS devices that could have allowed an attacker to monitor user activity on a wireless network. The bug stemmed from an extra line in Apple’s source code, and hackers could have used it to nab e-mails or even banking information. Apple issued a patch for the bug, and enough people downloaded the update that Mr. Evans says no one’s communications were intercepted.