The recent NTP (network time protocol) security update from Apple was the first that Apple silently pushed to users, updating their systems without first notifying them of an available update and then requiring users specifically go to the App Store to install it; however, while intended for swiftly updating supported versions of OS X, this does not patch versions of OS X that are no longer supported by Apple.
This automatic approach was taken for the NTP update for several reasons. For one, it simply required a small file change and a re-launch of a background process, so there was no need to interrupt users in the middle of their work. In addition, the network time daemon is an essential part of an operating system’s security, since proper time synchronization between your Mac and other servers is required to establish some encrypted connections.
The update, which simply replaces the ntpd daemon (the program that runs in the background), will have replaced the file with the following versions on Apple’s supported OS X platforms, and fixes the critical flaw that allows for arbitrary code execution in the OS:
Mountain Lion: ntp-77.1.1
This command will show Apple’s build version of ntp, which can be compared to the above versions. While Apple only supports Mountain Lion through Yosemite for this update, since the flaw is a long-standing one in ntp, it will affect prior versions of OS X, including Lion and Snow Leopard, which a number of people still use. If you are one of these users, then you can check the version of ntp on your Mac with the following command:
If the version output is less than 4.2.8, then you will need to update it, which you can do by first making sure you have a full and complete backup of your Mac. Then download the latest version of XCode for your Mac from Apple’s Developer Site (version 3.2 for Snow Leopard) followed by performing these steps (copy and paste Terminal commands from here to the Terminal window to run them):
1. Download the latest version of NTP from the NTP Web site, or click here for a direct link.
2. Go to your Downloads folder and double-click the tar.gz file to open it, so it now appears as a directory in your Downloads folder.
3. Download this patch file to allow compilation on OS X (leave it in your Downloads folder).
4. Open the Terminal in Applications > Utilities and run the following command to change to the NTP source directory:
5. Apply the patch by running the following command:
patch -p0 <~/Downloads/patch-ntpd-ntp_io.c.diff
6. Configure the installation by running the following command (be sure in this command that there are two dashes preceding the word “prefix”):
7. Compile the source with the following command (you will see a lot of text appear when run):
8. Install the source, by running the following command (supply your password when prompted):
sudo make install
After you have completed step 8, reboot your Mac, and then use the command above to check the version of NTP installed on your system. This should now read version “firstname.lastname@example.org″ and should provide you with a version of the ntpd daemon that is fully patched.