Apple's automatically-installing update saved consumers this time, but it could backfire in the future
Apple has automatically pushed an update to its desktop computers meant to fix a vulnerability in the Network Time Protocol (NTP) which keeps the clocks of Internet-connected devices in sync with each other. The vulnerability, which was discovered by Google researchers and disclosed earlier this month, could have let attackers gain remote access to these devices.
This is the first time Apple has pushed a security update that consumers didn't have to choose to install. The update didn't even require a restart during the installation process -- many computers probably downloaded and installed it without their owners knowing. And that raises questions about when and how security updates should be released.
As Tripwire security analyst Ken Westin explained the problem to CNET:
'Apple's proactive steps to automatically remediate this particular vulnerability shows the need to quickly patch remotely exploitable vulnerabilities. However, the use of Apple's automatic deployment tool is not without risks, as even the simplest update can cause problems for some systems. In this case the update may have been so minor the risk of affecting other applications and processes was minimal.'
Knowing that Apple can choose to automatically install software on its computers, even if that software is meant to patch a serious vulnerability like this one, is also troubling because others might be able to abuse the same mechanism with more nefarious intent.
One of the first pieces of advice given to anyone trying to keep a device secure is to disable anything that lets software be downloaded, installed, or run without user input. That means making sure files downloaded via a Web browser don't open themselves, browser tools don't run without permission, and updates wait to be summoned.
Apple does allow this feature to be disabled through the Mac's main System Preferences menu. But it's enabled by default, and most consumers don't crawl through a device's settings looking for boxes to uncheck, so many probably don't know this feature exists.
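For readers who would rather verify the setting from a terminal than hunt through System Preferences, the following script is an added example, not code from the article or from Apple. It assumes a Mac with the standard `defaults` and `system_profiler` commands, and it reads the preference keys of the `com.apple.SoftwareUpdate` domain (`AutomaticCheckEnabled`, `AutomaticDownload`, `CriticalUpdateInstall`, `ConfigDataInstall`); those key names are the author's assumption about where the "automatic security updates" switch lives, not something stated on this page. The reader-function argument exists so the classification logic can also be run against captured output on a non-Mac machine.

```shell
#!/bin/sh
# Added example: audit whether a Mac can install security updates silently,
# and list recent install history so a pushed update can be confirmed.
# Assumes macOS; the preference keys below are an assumption about the
# com.apple.SoftwareUpdate domain, not something the article states.

PREF_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate

# Read one preference key; print its raw value, or "unset" if it is absent
# or the 'defaults' command is unavailable.
read_pref() {
  defaults read "$PREF_DOMAIN" "$1" 2>/dev/null || echo unset
}

# Normalise a raw preference value to enabled / disabled / unset.
pref_state() {
  case "$1" in
    1|true|TRUE|YES) echo enabled ;;
    0|false|FALSE|NO) echo disabled ;;
    *) echo unset ;;
  esac
}

# Print the state of every key that governs unattended installs.
# Optional argument: name of a reader function (defaults to read_pref),
# so the same logic can run over captured output instead of a live system.
audit_prefs() {
  reader="${1:-read_pref}"
  for key in AutomaticCheckEnabled AutomaticDownload CriticalUpdateInstall ConfigDataInstall; do
    printf '%s=%s\n' "$key" "$(pref_state "$("$reader" "$key")")"
  done
}

# Exit 0 when security updates may install without user action, i.e. the
# CriticalUpdateInstall key is enabled; exit 1 otherwise.
silent_install_possible() {
  reader="${1:-read_pref}"
  [ "$(pref_state "$("$reader" CriticalUpdateInstall)")" = enabled ]
}

# Show the most recent entries of the install history (macOS only), which
# is where a silently installed update shows up even though no dialog did.
recent_installs() {
  system_profiler SPInstallHistoryDataType 2>/dev/null | head -n "${1:-40}"
}

# Usage on a Mac:
#   audit_prefs
#   silent_install_possible && echo "security updates can install silently"
#   recent_installs 60
```

Run it on the machine in question; `audit_prefs` tells you whether the silent path is open, and `recent_installs` lets you confirm that a pushed update actually landed, which is the notification the article wishes Apple had sent.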
The ability to push a security update worked this time, but it raises more questions about what people can expect their computers to do without their permission or knowledge, and shows Apple must do a better job communicating with users. An email about the update or a notification on affected devices; anything would have worked.
Apple finally did something right for its consumers by fixing this problem before a Mac was attacked via the NTP exploit, but in doing so, it also showed that even well-intentioned security features are double-edged blades just waiting to cut their wielders.
[Update 08:44am: Almost an hour after this post was published, Apple sent a push notification to my computer telling me "a security update" had been installed.]