It doesn't feel like there's been a lot of decisive action related to cybersecurity lately. So perhaps just for a change of pace, Apple released its first automatic security update ever on Tuesday. At some point during the day, Macs all over the world showed a notification that a security update was complete. No checking or clicking required.
The update addressed a vulnerability related to the network time protocol (NTP) in OS X operating systems. NTP synchronizes clocks within a computer and also across the global Internet. The bug, which was revealed by the Department of Homeland Security and Carnegie Mellon on Friday, could allow hackers remote access to affected computers. Apple products were listed among many others as being potentially vulnerable.
Usually software vendors, including Apple, make users manually download security updates. But this approach requires consumers to actually go through the update process. Since lots of people can't be bothered to do that, many computers remain vulnerable to bugs that have patches available. Apple added universal automatic updates about two years ago, but this is the first time the company is using the feature.
Apple spokesperson Bill Evans told Reuters that, "The update is seamless ... It doesn’t even require a restart." He added that Apple pushed the automatic update because it felt the vulnerability was significant, though the company has no evidence of hackers exploiting the bug in its products.
It's hard to know exactly how Apple made the call that this was the vulnerability it was going to use automated updates for. All the more so since there have been a few serious bugs in Apple's products this year that were addressed with the usual user download approach. On the other hand, the U2 incident shows just how judicious Apple needs to be when it comes to automatic downloads.