Apple 第一次的自動強制更新就給了這次的 ntpd 安全性問題 CVE-2014-9295:「Apple pushes first ever automated security update to Mac users」。
A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the
ntpd
functionscrypto_recv()
(when using autokey authentication),ctl_putdata()
, andconfigure()
. The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of thentpd
process.
這次的問題比較刺激...