Apple have just released a new security update that addresses a “critical security issue” concerning the Network Time Protocol service on OS X. It is recommended that all users of Yosemite, Mavericks, and Mountain Lion install the update immediately.
Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
Products using the NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
The security update can be downloaded from the Mac App Store.