On Monday, December 22, Apple released a critical security update designed to address a vulnerability in the Network Time Protocol daemon (ntpd) of OS X. Apple urges all Yosemite, Mavericks, and Mountain Lion users to install the update as soon as possible.
The update fixes an issue that was addressed by the US Government Friday and originally discovered by the Google Research Team. From a Department of Homeland Security website:
Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
This vulnerability could allow an attacker to execute arbitrary code with the privileges of the ntpd process. This vulnerability is not exclusive to OS X machines. The Network Time Protocol is one of the oldest internet protocols and is widely used by networked devices around the world today. You can download this update from the App Store on your Mac.