The recent NTP (network time protocol) security update from Apple was the first that Apple silently pushed to users, updating their systems without first notifying them of an available update and then requiring users specifically go to the App Store to install it; however, while intended for swiftly updating supported versions of OS X, this does not patch versions of OS X that are no longer supported by Apple.
This automatic approach was taken for the NTP update for several reasons. For one, it simply required a small file change and a re-launch of a background process, so there was no need to interrupt users in the middle of their work. In addition, the network time daemon is an essential part of an operating system’s security, since proper time synchronization between your Mac and other servers is required to establish some encrypted connections.
The update, which simply replaces the ntpd daemon (the program that runs in the background), will have replaced the file with the following versions on Apple’s supported OS X platforms, and fixes the critical flaw that allows for arbitrary code execution in the OS:
Mountain Lion: ntp-77.1.1
Mavericks: ntp-88.1.1
Yosemite: ntp-92.5.1
what /usr/sbin/ntpd
This command will show Apple’s build version of ntp, which can be compared to the above versions. While Apple only supports Mountain Lion through Yosemite for this update, since the flaw is a long-standing one in ntp, it will affect prior versions of OS X, including Lion and Snow Leopard, which a number of people still use. If you are one of these users, then you can check the version of ntp on your Mac with the following command:
ntpd --version
If the version output is less than 4.2.8, then you will need to update it, which you can do by first making sure you have a full and complete backup of your Mac. Then download the latest version of XCode for your Mac from Apple’s Developer Site (version 3.2 for Snow Leopard) followed by performing these steps (copy and paste Terminal commands from here to the Terminal window to run them):
1. Download the latest version of NTP from the NTP Web site, or click here for a direct link.
2. Go to your Downloads folder and double-click the tar.gz file to open it, so it now appears as a directory in your Downloads folder.
3. Download this patch file to allow compilation on OS X (leave it in your Downloads folder).
4. Open the Terminal in Applications > Utilities and run the following command to change to the NTP source directory:
cd ~/Downloads/ntp-4.2.8
5. Apply the patch by running the following command:
patch -p0 <~/Downloads/patch-ntpd-ntp_io.c.diff
6. Configure the installation by running the following command (be sure in this command that there are two dashes preceding the word “prefix”):
./configure --prefix=/usr
7. Compile the source with the following command (you will see a lot of text appear when run):
make
8. Install the source, by running the following command (supply your password when prompted):
sudo make install
After you have completed step 8, reboot your Mac, and then use the command above to check the version of NTP installed on your system. This should now read version “4.2.8@1.3265″ and should provide you with a version of the ntpd daemon that is fully patched.
There is an already patched for OS X version 4.2.8p1-beta1 available from http://support.ntp.org/bin/view/Main/SoftwareDownloads.
Note that if you try “ntpd –version” on Mountain Lion, Mavericks or Yosemite after using the Apple Security Update it will still say version 4.2.6. Apple has apparently decided to provide the fix using a different mechanism, which isn’t that unusual.
After downloading and unpacking ntp-4.2.8p1-beta1.tar.gz, I have the folder ntp-4.2.8p1-beta1.. How is this installed? I have a handful of Lion machines I want to patch. TIA
Normally it will unpack in the same directory as the downloaded file. If note, replace “Downloads” in the strings provided by Topher: “cd ~/Downloads/ntp-4.2.8″ and “patch -p0 <~/Downloads/patch-ntpd-ntp_io.c.diff" with the directory or path you use (in my case, it's "Desktop")
Change Step 4 to:
cd ~/Downloads/ntp-4.2.8p1-beta1.tar.gz
Skip Step 5 and go through Steps 6, 7 & 8.
I’m running Yosemite 10.10.1.
Whenever I run the command “what /user/sbin/ntpd” in the Terminal, I get the message “No such file or directory.”
The should be “usr” not “user”. So copy and paste this
what /usr/sbin/ntpd
Thanks! It worked like a charm.
I had copied the command from the article, should have noticed that “e”.
Thanks again
Oops…typo on the “usr” part of the command. I’ve updated it.
Slight typo. It should be what /usr/sbin/ntpd not what /user/sbin/ntpd.
Also, on my patched Yosemite 10.10.1 the command ntpd –version results in Ver. 4.2.6 not 4.2.8 so I’m, not sure what gives. The what command does result in ntp-92.5.1 however.
See the second comment of my first post. Apple chose to keep v4.2.6 for whatever reason and accomplish the fix in their own way, so as long as you have ntp-92.5.1 your good to go.
FYI, if you attempt to compile NTP in a folder/directory where the pathname includes a space, ./configure –prefix=/usr will fail with the error indicating a problem with genLocInfo and examining genLocInfo.err will show that the script didn’t quote the pathname properly so the pathname breaks at the first whitespace in the name (and would also likely break with various special characters) … kind of lame, actually.
Easiest fix is to simply eliminate the space(s) from the pathname. If you followed the instructions in this article “to the letter” (yes, the pun _is_ intended), then you won’t experience this issue (but some of us like to keep things around so will not do the compile in the Downloads folder).
Hope this helps someone.
FYI, I used these instructions on OS X 10.5.8 and they seem to have worked just fine.
Thanks.
Yes they should work on most versions of OS X. I only specifically tested it out on 10.6 and 10.7 installations.
Everything ran fine on my 10.6.8. Just a curiosity: the new ntpd version is -o. What does this -o mean?
As noted before, works just great for 10.5.8 PPC; any chance to make this into a Mac Installer package?
Don’t really know what I am doing but I cooked something up with XCode’s PackageMaker
I am curious how you determined that the only patch (diff file) needed to fix this ntpd security problem was for ntp_io.c.
I think you may have misinterpreted what was said. The folks at ntp.org came up with the original fix which was ntp 4.2.8, but when users attempted to compile the source code for OS X and FreeBSD, it failed to compile ntp_io.c and Bug 2697 was filed against it. The patch from ntp.org fixed the problem for OS X and presumably for FreeBSD, as well. Details are at http://bugs.ntp.org/show_bug.cgi?id=2697.
To fix Lion and below you need both ntp 4.2.8 and the patch for ntp_io.c. As I mentioned earlier, the patched version is ntp 4.2.8p1-BETA.
Version 4.2.8 fixes the problem. The patch file allows the source to properly compile in OS X.
Someone could do a script-application to do it with a simple click. You know, it is Mac!
Done, but I’m a neophyte, and it is ‘use at your own risk’
Detail: Topher’s instructions do work, but apparently they have to be done from an admin account. Some weeks ago, I followed his advice to create a dummy admin account and turn my one and only main account into a regular account, for security reasons. Well, this patching thing did not work from my main/regular account.
Yes, you need to be an administrator to run the very last command, ‘sudo make install’. That’s because the administrators are the same “sudoers”, i.e., those authorized to run sudo.
The obvious workaround is to log into the admin account you created to run the procedure. If you absolutely don’t want to do that, you can run all the previous steps in your non-admin account, and before running the last one type ‘su my-admin-account’, where you use the login of your admin account instead of my-admin-account.
You will get a couple of errors (because the admin is by default not allowed to read into your Downloads folder), but since the command you need runs under “sudo” that is inconsequential.
What I did, actually, was copy everything (including a text file where I’d copied and amended the different commands) into the admin account’s DropBox, rebooted as samesaid admin and moved the copied items to the Desktop (which I use as Download folder). There was one more error, when it turned out that I had to unpack the ntp.tar.gz file once again because some of the previously files unpacked had been modified during the aborted attempt in the regular account.
Ok, since I had no need to track ntp releases I didn’t know that the *entire* 4.2.8 release was to address the security fix. I am using 10.6.7 (can’t use 10.6.8 due to sleep crash problems I think involving 5870 video drivers — I have a 2010 mac pro with a 5870).
I built 4.2.8 with the patch as described above with no problems. I installed into a test copy of my 10.6.7 and it appears to work. However when I do a ‘ps ax | grep ntpd’ I see two instances of ntpd processes. Since the installation doesn’t change the launch deamon, ntpd-wrapper, ntp-restrict.conf, or ntpd-wrapper I am at a loss as to why I am seeing this. I don’t see it in my untouched 10.6.7.
As I said the updated 10.6.7 appears to work. But it bothers me why there are two ntpd processes (although I think one comes and goes since sometimes I see only one, but two most of the time). Maybe it’s a natural byproduct of using ntp 4.2.8 although I don’t see how at the moment. Unless others are seeing this too and confirm it I will have to do some more testing tomorrow (since it was evening when I did build and initially tested this stuff).
Hi,
I am trying to install this following your commands on my 10.6.8.
When doing
patch -p0 <~/Downloads/patch-ntpd-ntp_io.c.diff
I get
-bash: /Users/markus/Downloads/patch-ntpd-ntp_io.c.diff: No such file or directory
any ideas?
Thanks in advance!
Markus
Check your ~/Downloads folder. Is there a file called “patch-ntpd-ntp_io.c.diff”? If there is, call an exorcist. If not, repeat step 3, verify that the file is created there, and proceed.
Maybe your browser is setup to download files to a folder other than ~/Downloads?
Oh, I see you solved your problem in a different thread. Nevermind. Cheers!
One need to take off the hidden .txt from patch-ntpd-ntp_io.c.diff
Did you cd into the ntp-4.2.8 directory before applying the patch?
Hi,
Yes.
$ pwd
/Users/markus/Downloads/ntp-4.2.8
ntp-4.2.8 $ ls patch*
ls: patch*: No such file or directory
Downloads$ ls patch*
ls: patch*: No such file or directory
Thanks!
OUPS! You are right!
Thanks!
Hmm, looks to me like you didn’t download the patch file (patch-ntpd-ntp_io.c.diff) as described by step 3 in the build instructions. That or you downloaded it into some place other than your downloads dir.
OUPS! You are right!
Thanks!
Which part of Xcode do you install, just the Xcode part?
You don’t need the iOS stuff, if that’s what you want to know
Is “Essentials” enough do I also need “System Tools” and “Unix Dev Support” ?
Well, as things are, I’ve had XCode installed forever on the first machine, when I applied Topher’s patch. On another machine I had to install it from scrap after downloading it, and I selected everything _except_ iOS whatever in the custom install. It worked, more I cannot tell. But I understand that you might run into a space problem.
You have to install both Xcode and command-line tools for this to work.
on 10.6.8 , after step 6 (./configure –prefix=/usr), I got this stuff:
___
checking for a BSD-compatible install… /usr/bin/install -c
checking whether build environment is sane… yes
checking for a thread-safe mkdir -p… sntp/libevent/build-aux/install-sh -c -d
checking for gawk… no
checking for mawk… no
checking for nawk… no
checking for awk… awk
checking whether make sets $(MAKE)… no
checking build system type… i386-apple-darwin10.8.0
checking host system type… i386-apple-darwin10.8.0
checking for style of include used by make… none
checking for gcc… no
checking for cc… no
checking for cl.exe… no
configure: error: in `/Users/ralph/Downloads/ntp-4.2.8′:
configure: error: no acceptable C compiler found in $PATH
See `config.log’ for more details
_____
then I typed “make”, but the aswer is:
“-bash: makefile: command not found”
Please, do you have any explanation? what did I do wrong?
Thanks
The last answer was about my “makefile” input (I tried either “make” or “makefile”),
Are you sure you have XCode installed?
Yes, of course… version 3.2.6.
I tried to type “man gcc” but it did not find anything… weird…
do I have to reinstall the entire Xcode package??
The Xcode folder on my hd is 10.4 gb… I cant believe that something is missing.
3.2.6 here too, but the app is only 8.2Mb, whereas the whole Developer folder is 2.18Gb. I assume you have the Developer folder at the root, and that you’re working from an admin account?
@TINGO
yes, DevFold at the same level of the System Folder and, yes I even tried as administrator…
@Leo — offhand, I can’t think of anything else, sorry to say.
See my own wandering about after I had same as you.
Probably it is the same thing that Roger P. mentioned as “Unix Dev Tools”.
I had the same problem with Snow Leopard, although Xcode had been installed with other Developer files. I am not a Unix person, and it appears that when I installed Xcode 3.2.6 three years ago, I unchecked the “UNIX Development” option, since upon installing it and executing the “./configure -‐prefix=/usr” command, the C compiler was located and all was well.
On Lion, I have exactly the same problem as Leonardo with the C compiler not found.
On Snow, I have something strange, I cannot event install Xcode, it want’s me to close iTunes, when iTunes is not open … and does not finish installing.
I’m stuck on both computers.
Topher told me NOT to copy the installer package from the downloaded DMG before running it. You need to run the downloaded installer on the DMG image itself.
What I’d like to know is can we just install the “Essentials” option and skip the rest?
On SnowLeopard, I stopped iTunesHelper from automatically starting with the session, and after reboot I could install Xcode (or may be it is just the reboot that changed the situation but I doubt) and then the rest went fine.
On Lion, I am still stuck, like some others obviously.
One thing I noticed on Lion : there is no “Developer” directory at the root. Package is just copied to Apps like any other software and “Developer” stays inside.
Got it…
Xcode 4 did work for both Lion and Mountain Lion, but relevant “command line tools” are “OS X Lion” (or OS X Mountain Lion) dedicated and must be downloaded separately.
This can be done either from the apple developer site directly or by opening Xcode and going into preferences where extra downloads can be triggered.
This doesn’t work on Lion 10.7.5. Please explain where XCode is initiated in this process/
Something new here: I am asked by the system’s Firewall if I want ntpd accept incoming network connections. However, ntpd was _not_ among the applications previously registered there. Anything suspicious?
thank u and my core duo macbook (unupgradeable) thanks you
Now this is what I got:
configure: error: C compiler cannot create executables
See `config.log’ for more details
It turned out that the Unix Dev Support part of Xcode installation is needed, so I downloaded it and everything worked.
I guess it’s best to work these things out oneself, so there’s learning going on.
Have a great New Year everyone and a big thank you to Topher.
After applying the patch is it OK to trash the
ntp-4.2.8 files and the patch-ntpd-ntp_io.c.diff
in the Download folder?
Thank you very much fot the patch. I applied it and look slike I now got the last revision installed.
Though, I got one question : how to properly restart ntpd deamon using the command line (I guess we need to, don’t we ? ).
Last but not least, I’ll have a look at some warnings. Cannot promise to send a patch, but some need to be fixed -in my opinion – Can someone confirm they are fixed in more recent versions ? TIA (FYI, contact is valid)
Best regards, and best wishes for the festive season !
—
ericb
> Last but not least, I’ll have a look at some warnings. Cannot promise to send a patch, but some need to be fixed -in my opinion – Can someone confirm they are fixed in more recent versions ?
Don’t worry about warnings. I don’t recall a single cross platform compile that didn’t have some and sometimes hundreds. As long as there were no errors, I have never had a failure.
And no, the BETA version did not fix a single one.
I am not knowledgable, but I was able to follow these instructions easily to patch two Snow Leopard macs. However I also have Snow Leopard Server running on one of the machines under Parallels. I have been unable to patch that, as were Leonardo and (initially) Philippe. Following Philippe I tried stopping the launch of iTunesHelper, but that didn’t enable the installation to complete. On configuring the installation (./configure –prefix=/usr) the process fails with an error message ending with “no acceptable C compiler found in $PATH”. Here’s the whole response:
mattserver$ ./configure –prefix=/usr
checking for a BSD-compatible install… /usr/bin/install -c
checking whether build environment is sane… yes
checking for a thread-safe mkdir -p… sntp/libevent/build-aux/install-sh -c -d
checking for gawk… no
checking for mawk… no
checking for nawk… no
checking for awk… awk
checking whether make sets $(MAKE)… no
checking build system type… i386-apple-darwin10.8.0
checking host system type… i386-apple-darwin10.8.0
checking for style of include used by make… none
checking for gcc… no
checking for cc… no
checking for cl.exe… no
configure: error: in `/Users/mattserver/Downloads/ntp-4.2.8′:
configure: error: no acceptable C compiler found in $PATH
See `config.log’ for more details
Any help available?
The iTunes trick was for the installation of xcode itself. The problem with C compiler was solved by adding command line tools to xcode.
Thanks very much, Philippe, but can you explain where you found command line tools for 4.28 and how you added them?
As I said in another comment, on Lion, I opened Xcode and when in preferences on the download tab to download this extra. On Snow, I had everything in the same package and did not had to install separately.
Need to patch two 10.6.8. I’m getting “command line not found” — am stuck, as even though I’ve read all the comments, I don’t see command line tools for Snow Leopard online. HELP please — not at all conversant with playing around under the hood here.
I had the same problem. Turns out that you need to download all parts of Xcode 3.2
And you also need to install it from the opened dmg. Do not remove it to your desktop to install it.
That’s it. Should work.
Ugh. You guys are talking way above my pay grade. Might I suggest that you update the initial instructions to specifically say download AND INSTALL the latest version of Xcode? Because right now it doesn’t say that.
Everything compiled perfectly after I did that.
Is there a reason to download and NOT install???
LOL, no, of course not — I feel like a complete idiot! But the directions were so specific in other areas (double-click on this file, download that file, etc etc), and I was so nervous about the whole process — first time ever using Terminal — that I was following every sentence to the letter, taking care not to deviate.
Sympathy
Thank you Topher. Running Snow Leopard and this worked for me logged in as my root account (omitted sudo element on last command).
I did have a problem installing Xcode using my normal admin account which failed twice. Logged in as root and it worked (might have been the reboot but I will never know).
My 2006 intel iMac will not support OSX update and security becoming a concern so this has been very useful for me. I have already removed Safari and have boot camped Windows 7. It’s disappointing that Apple no longer supports my iMac but Microsoft does!
Thank you so very much for this. I tried to configure and make this for a couple of hours the other day with growing frustration. It was only after your instructions here that I suddenly realized I was applying the patch improperly.
again—THANK YOU!
found this link check this out. it is much more easier than the instructions mentioned above:
[link removed — please only use links as citations for complete content/instructions re-posted here]
No way…yes its ultimately the same process as Topher mentioned, but that link is more convoluted (way more, in fact).
The instructions Topher provided are FAR more straightforward. After ensuring you have XCode installed, you just download the two files, open the zipped one, and then run the five commands in order. It worked perfectly for three Macs running Snow Leopard for me.There’s no point in recommending alternative and more complex instructions to get this done.
Just want to double check- there is nothing else I need to do after successfully following all the above steps, yes? I don’t have to change something in system preferences or anything? Thanks in advance, and a big thanks to Topher.
You are done unless you previously turned off auto time setting in System Prefs.
Took me most of the weekend, but I finally got it fixed throughout my system, even in the Parallels volume, which will ultimately be the important one.
Turns out that in the Parallels volume I had an improperly installed, and perhaps otherwise corrupted system extension “/System/Library/Extensions/AppleUSBEthernetHost.kext”. I reinstalled (a somewhat later version) and then everything proceeded as described above.
Thanks very much Topher, and also Leonardo, and Philippe, I’m a big step closer to updating my system software, while maintaining a Snow Leopard volume under Parallels.
@Matthew Tolchin:
May I ask you: how do you proceed in order to re-install “AppleUSBEthernetHost.kext” by itself, later version or not?
I’m occasionally experiencing some funny things with this extension (allegedly corrupted according to Disk Utility verify, but then no longer the case — too long a story outside of the range of this post)
You guys might want to take a look at the discussion related to using ntp 4.2.8 over in the Apple Discussions Forum starting on page 3 (from xyzzy-xyzzy).
https://discussions.apple.com/thread/6739506?start=30&tstart=0
Apple just release a Snow Leopard version of Xcode version 3.2.6.
It’s available via Software Update.
So now what?
Should we down grade our 4.28 to 3.2.6 or is that even possible?
Sorry, my error. We already have Xcode 3.2.6 thanks to Topher.
The NTP patch is 4.2.8.
I need some rest.
Have a Happy New Year everyone.
Thank you a bunch for posting this very clear set of instructions. I got one Snow Leopard drive updated today. Two more to go.