Apple has issued a fix for a “critical security issue” in OS X following the discovery of a vulnerability in the Network Time Protocol which affects the Yosemite, Mavericks and Mountain Lion operating systems.
The bug, revealed earlier this month, could allow attackers to trigger buffer overflows in the OS X Network Time Protocol daemon (ntpd) and execute arbitrary code with the daemon’s privileges on systems not updated with the fix.
The vulnerability, tracked as CVE-2014-9295, was uncovered by Stephen Roettger of the Google Security Team earlier this month, but Apple didn’t issue a fix straight away because the firm likes to be sure that a flaw is authentic before commenting.
“For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” said Apple on its support page.
The update is available now for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1.
Users can find the update via Software Update. It will have already downloaded if the ‘Install system data files and security updates’ option is checked in the App Store menu of System Preferences.
Those who want to verify their ntpd version can do so by opening Terminal and typing “what /usr/sbin/ntpd”. If the update is already installed, users should see the following versions:
Mountain Lion: ntp-77.1.1
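The check above can be scripted so that a fleet of Macs can be audited against the expected patched build. The following shell snippet is an added example and is not from the article or from Apple: it parses the output of “what /usr/sbin/ntpd” (the sample output embedded here is constructed, and the real format may differ) and compares the ntp version string with the patched version the article lists for Mountain Lion. The article does not give the patched versions for Mavericks and Yosemite, so those are left as labelled placeholders.

```shell
# Added example, not from the original article or from Apple.
# Parses `what /usr/sbin/ntpd` output and compares the ntp version
# against the patched build the article lists for Mountain Lion.

# Extract the first "ntp-<version>" token from `what` output read on stdin.
ntpd_version_from_what() {
    sed -n 's/.*\(ntp-[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when the observed version equals the expected patched version.
check_ntpd_patched() {
    actual="$1"
    expected="$2"
    [ "$actual" = "$expected" ]
}

# Expected patched versions per OS X release. Only the Mountain Lion value
# appears in the article; the other two are placeholders to be filled in.
EXPECTED_MOUNTAIN_LION="ntp-77.1.1"
EXPECTED_MAVERICKS="ntp-PLACEHOLDER"   # not given on the page
EXPECTED_YOSEMITE="ntp-PLACEHOLDER"    # not given on the page

# Constructed sample of `what` output for an updated Mountain Lion system.
# The real output format of `what` on OS X may differ from this.
SAMPLE_WHAT_OUTPUT='/usr/sbin/ntpd:
	ntp-77.1.1
	PROGRAM:ntpd  PROJECT:ntp-77.1.1'

# Stand-alone demonstration using the constructed sample. On an actual Mac,
# replace the printf pipeline with:  what /usr/sbin/ntpd | ntpd_version_from_what
main_demo() {
    version=$(printf '%s\n' "$SAMPLE_WHAT_OUTPUT" | ntpd_version_from_what)
    if check_ntpd_patched "$version" "$EXPECTED_MOUNTAIN_LION"; then
        echo "ntpd $version matches the patched Mountain Lion build"
    else
        echo "ntpd $version does not match $EXPECTED_MOUNTAIN_LION; update needed"
    fi
}

main_demo
```

Run it with sh; the exit status of check_ntpd_patched makes it easy to drop into a larger inventory script that flags unpatched hosts.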
Apple hasn’t had the best luck with security in recent months, which is unusual as the firm is renowned for its tough defenses against the vulnerabilities that affect operating systems like Windows.
The company beefed up its iCloud security in October, adding per-application passwords for third-party apps that don’t support two-factor authentication following the high-profile celebrity iCloud hack in September.
The most recent addition is app-specific passwords to guard against exposure of a user’s iCloud details.
Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s test regime. A group of researchers presenting at Usenix were able to spread malicious chunks of code through an apparently innocuous app for activation later.
According to their paper the Georgia Tech team wanted to create code that could be rearranged after it had passed AppStore’s tests. The code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.
They created an app that operated as a Georgia Tech “news” feed but had malicious code distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. After the app passes the App Review and lands on the end user device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.
The instructions for reassembly of the app arrive through a phone-home after the app is installed.
The app will run inside the iOS sandbox, but can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
A list of 27 user names and encrypted passwords allegedly for an Apple website was posted to the Internet over this past weekend along with a warning from hacker group Anonymous that the Cupertino-based computer maker could be a target of its attacks.
The list was posted to the Pastebin website, a hosting site for text files, by an unknown user under the title “Not Yet Serious.” It wasn’t immediately clear if the user is a member of the Anonymous hacking group, but the existence of the file became widely known after Anonymous linked to it in a Twitter message.
“Not being so serious, but well,” the message read before linking to the PasteBin page. “Apple could be target, too. But don’t worry, we are busy elsewhere,” the message said.
The data appears to be a set of user names and encrypted passwords from an SQL database for an online survey at the Apple Business Intelligence website. The site is currently offline.
Apple did not immediately respond to a request for comment.
In an apparently unrelated posting, a Lebanese grey-hat hacker called idahc_hacker said he had found vulnerabilities on another Apple website. The SQL injection and iFrame code attacks can be used by hackers to gain unauthorized access to data.
Grey hat hackers do not normally hack for malicious purposes, and the Lebanese hacker did not post any data obtained from the site.
In pointing out the hacks, he said he was not part of Anonymous or LulzSec, an allied group that disbanded recently.
Japanese video game maker Sega Corp said on Sunday that information belonging to 1.3 million customers has been stolen from its database, the latest in a string of global cyber attacks against video game corporations.
Names, birth dates, e-mail addresses and encrypted passwords of Sega Pass online network members had been accessed by the attackers, Sega said in a statement, though payment data such as credit card numbers was safe. Sega Pass had been shut down.
“We are deeply sorry for causing trouble to our customers. We want to work on strengthening security,” said Yoko Nagasawa, a Sega spokeswoman, adding it is unclear when the firm would restart Sega Pass.
The attack against Sega, a division of Sega Sammy Holdings that makes game software such as Sonic the Hedgehog as well as slot machines, follows other recent significant breaches including Citigroup, which said over 360,000 accounts were hit in May, and the International Monetary Fund.
The drama surrounding the recent round of video game breaches paled compared to what PlayStation maker Sony Corp experienced following two high-profile attacks that surfaced in April.
Those breaches led to the theft of account data for more than 100 million customers, making it the largest ever hacking of data outside the financial services industry.
Sega Europe, a division of Sega that runs the Sega Pass network, immediately notified Sega and the network customers after it found out about the breach on Thursday, Nagasawa said.
Lulz Security, a band of hackers that has initiated cyber attacks against other video game firms including Nintendo, has unexpectedly offered to track down and punish the hackers who broke into Sega’s database.