Your Mac might have been updated this week without you even knowing it.
Apple wanted to patch a security hole as quickly as possible before hackers took advantage of it. The security update was the first Apple has ever sent out without first requiring users’ permission to install.
The security hole affects Linux and Unix systems, including Mac OS X. A bug in the network time protocol (NTP) that keeps computer clocks in sync could have allowed hackers to gain control of a computer. The bug was uncovered last Friday by researchers at Carnegie Mellon University and the US Department of Homeland Security. The security bulletin announcing the bug said it could “allow attackers to overflow several buffers in a way that may allow malicious code to be executed.”
Apple says it’s not aware of any cases where the security hole was actually used by hackers to gain access to anyone’s computer. Presumably, the automatic update helped to quickly patch the vulnerability: relying on users to manually install a security patch would take longer, giving attackers more time to exploit the bug.
It’s worth mentioning that OS X has had a method for automatically applying security updates since 2012 – it’s just that Apple had never used that method until now. Seamless updates allow the company to quickly patch security vulnerabilities, although there’s a small risk that any update could cause problems for certain users, if it conflicts with other applications they’re using.
Mac users who don’t want to receive automatic updates can go to their System Preferences and, under the App Store section, uncheck the option labeled “Install system data files and security updates.” (You probably shouldn’t do this unless you know Apple’s security updates might make things buggy on your machine, or unless you’re really concerned about having manual control over security updates.)
This vulnerability was particularly severe, Mr. Evans told Reuters, which is why Apple chose not to patch it through its regular software update system. That system was used back in February to fix “Gotofail,” a bug on Macs and iOS devices that could have allowed an attacker to monitor user activity on a wireless network. The bug stemmed from an extra line in Apple’s source code, and hackers could have used it to nab e-mails or even banking information. Apple issued a patch for the bug, and enough people downloaded the update that Mr. Evens says no one’s communications were intercepted.