December 23, 2014
For those of you who keep an eye out for weird pop-ups and messages, you most likely noticed a Notification or Growl message that “A critical security updated has been applied.”
When I saw that, I had a moment of panic, as I had – up until now – told OS X that I wanted to manually install patches, updates, and fixes. So this message out of the blue was a bit of a shock. After some online research (and with help from some great Twitter friends like @UberBrady ) I was able to get to the bottom of it.
First things first, if you upgraded to Yosemite from earlier versions of OS X, most of your preferences came over – but one very important one was added and is turned on by default. OS X starting in Yosemite includes an “emergency update system” that automatically downloads and applies any patches that Apple believes to be extremely critical security fixes. They have, to date, only classified one such patch in that category, and this was it. This critical update system is ENABLED by default, and frankly you should leave it enabled. But if – for some reason – you need to turn it off, jump over to Apple Menu| System Preferences| App Store and you’ll see the settings for auto-updates, including the relatively new one for emergency patches labeled “Install system data files and security updates”:
Even though this would appear to be for a lot of patches, note that you’ll still have to download and install “optional,” “Important,” and other patches manually if you do not check the other two boxes.
Now, onto the particulars of the update:
Apple recently announced a fix for a Network Time Protocol (NTP) system in OS X. The bug could allow an attacker to take control of system resources (which is a bad thing) with relatively little effort (which is a HORRIBLE thing). This means un-patched systems are vulnerable to attack and need to be patched immediately. Luckily, if you haven’t changed the defaults, Yosemite will patch it automatically as described above.
A more detailed explanation of what the vulnerability is can be found on Apple’s Site.
So, have no fear, the unexpected Notification is not, itself, and attack. Rather, it’s a new feature in OS X designed to help protect against attackers, and was just rather well hidden – and never before used – up to this point.