Apple Releases Security Updates for OS X

Original release date: December 23, 2014

Apple has released security updates for OS X Mountain Lion, Mavericks, and Yosemite to address multiple vulnerabilities in the Network Time Protocol daemon. Exploitation of these vulnerabilities may allow a remote attacker to take control of a vulnerable system.

US-CERT encourages users and administrators to review Apple Security Update HT6601 and Vulnerability Note VU#852879 for additional information, and apply the necessary updates.


JPMorgan Chase hack due to missing 2-factor authentication on one server

JPMorgan Chase was among five banks that were reported to have been hacked earlier this year, and details have emerged on how the hack took place.

When news first broke in August, it was believed that a zero-day Web server exploit was used to break into the bank's network. Now, however, The New York Times is reporting that the entry point was much more mundane: a JPMorgan employee had their credentials stolen.

This shouldn't have been a problem. JPMorgan uses two-factor authentication, meaning that a password alone isn't sufficient to log in to a system. Unfortunately, for an unknown reason one of the bank's servers didn't have this enabled. It allowed logging in with username and password alone, and this weak point in the bank's defenses was sufficient for hackers to break in and access more than 90 other servers on the bank's network.


Sony Pictures’ The Interview will get a Christmas release after all [Updated]

After being hacked, threatened, chastised, and then apparently forgiven, beleaguered Sony Pictures is expected to announce that it will in fact go ahead with a theatrical and video-on-demand release of its hot-button film The Interview on Christmas Day, according to numerous sources (including the Twitter accounts of various theater chains).

The stoner comedy, which stars James Franco and Seth Rogen as reporters who are tasked with killing North Korean "dear leader" Kim Jong-un in a weed-fueled assassination plot, was originally shelved by Sony Pictures after the "Guardians of Peace" group claiming responsibility for the Sony Pictures hack made terrorist-style threats against theaters that dared to show the movie. However, The Wrap now claims that Sony Pictures has fully recanted and will make an announcement today about a Christmas Day theatrical release for The Interview, as well as distribution on an unspecified video-on-demand service.

It’s unknown if Sony Pictures’ decision has anything to do with the statement issued last Friday by Guardians of Peace consenting to the movie’s release—on the condition that the scene in which Kim Jong-un is actually killed be excised (or at least toned down so that it isn’t "too happy;" the exact intent of the language is unclear).


Apple automatically patches Macs to fix severe NTP security flaw

Most OS X security updates are issued alongside other fixes via the Software Update mechanism, and these require some kind of user interaction to install—you've either got to approve them manually or tell your Mac to install them automatically. Apple does have the ability to quietly and automatically patch systems if it needs to, however, and it has exercised that ability for the first time to patch a critical flaw in the Network Time Protocol (NTP) used to keep the system clock in sync.

This security hole became public knowledge late last week. When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system. If you allow your system to "install system data files and security updates" automatically (checked by default), you've probably already gotten the update and seen the notification above. If not, Mountain Lion, Mavericks, and Yosemite users should use Software Update to download and install the update as soon as possible. The flaw may exist in Lion, Snow Leopard, and older OS X versions, but they're old enough that Apple isn't providing security updates for them anymore.

While this was the first time this particular auto-update function has been used, Apple also automatically updates a small database of malware definitions on all Macs that keeps users from installing known-bad software. That feature, dubbed "XProtect," was introduced in Snow Leopard in response to the Mac Defender malware and has since expanded to include several dozen items.
