Is Apple Really Updating Your Mac Without Permission?
December 24th, 2014The headline was frightening in its implications, particularly at at time when it appears that your personal privacy is under assault. It started with something that’s good, which is Apple releasing an update to deal with a newly discovered and severe security vulnerability given the number CVE-2014-9295. The security lapse impacts the network time protocol (called NTP for short) that’s designed to sync the clocks on Macs and other Unix-based computers including Linux. So Apple isn’t alone.
So what’s the danger? Well, this vulnerability means that hackers could take control of your computer remotely. It doesn’t mean they will, but the potential is there. This is unlike most other security problems that require direct access to your Mac to gain control, so we’re talking of something that could be far more serious, although there’s no indication anyone’s been compromised.
The revelation came last Friday from the U.S. Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute. So we’re not talking about a security software company that might be trying to hype a few app sales to protect you. Regardless, Apple fixed the problem Monday with a “silent” update, meaning it was automatically pushed to your computer. You didn’t even need to restart, although the Notification Manager in recent OS X versions, such as Yosemite, would report that the update was happening and that it completed.
This seems to be a pretty benign development. You didn’t have to do anything to be protected. Indeed, Apple has been silently updating malware detection strings for several system versions, and there haven’t been complaints, probably because the updates aren’t usually widely mentioned. This time, we have a genuine freakout from CNET, a long-term tech portal currently owned by CBS Interactive. That’s the same CBS that owns Showtime and a certain broadcast network, among other things.
The warning? Well, that automatic updates aren’t risk free, that there is the potential to cause problems with apps and processes. At least that’s the danger, although it doesn’t seem as if these updates have been the source of any complaints.
So where’s the fear-mongering? Well, it starts with the headline, “Apple updates Macs for first time without asking — to foil hackers.” And, no, I am not posting the link. You can easily look it up if you want.
But it’s not the first time. It happens any time those malware detection strings are updated or added to. As for regular software updates, consider the options offered in the App Store preference pane in OS X Yosemite. You have four interrelated options under, “Automatically check for updates,” that include the options to download updates in the background, install app updates, OS X updates, and system data files and security updates.”
The NTP bug fix clearly fits into the latter category.
What this means is that you can uncheck any of these options at any time and not receive any relevant updates unless you go direct to the App Store and select the ones you want. You have full control, and Apple isn’t going to infringe on your privacy. But if you choose to have everything done in the background, so be it. This setting will probably not cause you any trouble, though I suppose an app or OS X update might cause trouble. If you want to be cautious, just say no. It’s a real simple process.
What’s more, if you have iOS gear, you’ve already been able to have app updates downloaded and installed automatically in the background beginning with iOS 7. It’s an option in the iTunes & App Store settings. A simple tap for each category will turn off the automatic settings. So Apple isn’t forcing any uninvited updates on your iPhone or iPad either.
To be fair, the CNET piece does explain how to turn off the automatic install options on a Mac. So the claim that Apple is foisting something unwanted on you in the headline is shown by the end of the article to be fundamentally false.
Certainly you have the right to be concerned about someone pushing downloads to you that you don’t expect, and maybe don’t want, but Apple is giving you full control. If you do opt to do it all manually, perhaps Apple could be more proactive about it and put up a warning prompt if a critical update that impacts your security is available to install. That way, you can dismiss the reminder, install the update, or just go about your business if you prefer to ignore the warning.
But when people want to tell you that Apple might be doing something suspicious in pushing updates to your Mac behind the scenes, they are just plain wrong. That the article contradicted itself makes it doubly certain the graphic headline was meant as hit bait, not to legitimately inform the public about Apple’s update and update policies.
In any case, my Mac isn’t smoking as a result of having that update sent to me. I don’t think yours is either.
Print This Post
Sorry, Gene, but I have to disagree with you. I think there are some ethics problems here, beginning with the fact that my Mac belongs to me and not to Apple, so that Apple is messing with my personal property without obtaining my permission. Sure, Apple’s motives were entirely benign. But if Tim Cook broke into my house just to leave a chocolate cake on my dining room table he’d still be breaking into my house, right? The motive wouldn’t entirely excuse the illegality of the deed, and something not entirely dissimilar is happening here.
So the CNET article tells us how to disable this feature. Fine and dandy, but Apple itself provides no similar information. If there were a clearly marked auto-update option in iTunes and the App Store, the ethical problem would go away. What’s disturbing is that Apple is taking no responsibility to inform us. This ability is kept so quiet that it’s almost relegated to the status of an Easter Egg. And anyway, a far better way to handle auto-updating would be to make it an opt-in feature rather than an opt-out one.
In all kinds of ways, large and small, Apple’s relationship with its customer base has always had paternalistic and kind of Big Brother-ish tendencies, reflecting a corporate attitude that Apple knows what’s good for us better than we do. Plenty of people have squawked that they find the auto-update feature in Chrome obnoxious, and I don’t see how there is a world of difference between what Apple just did and that. One would hope that Apple operates according to a better set of corporate ethics than what we have learned to expect from Google.
This fits in with a more general pattern of paternalism on Apple’s part. In its interface, for example, it insists on trying to shoehorn us all into a one-size-fits-all look and feel that Jony Ives happens to like, rather than allowing us individuals users to make our own choices (case in point: a couple of years ago the Appearance panel of Safari’s Preferences disappeared, taking away our ability to choose the font and font size in which we view pages, now the way we do that is dictated by Cupertino). To me, its empowerment of the individual user that personal computing has to offer is a beautiful thing, so I regard Apple’s paternalistic streak as its ugliest corporate feature. What Apple just did carries that tendency another step further.
Another thing. This incident came hard on the heels of the iOS8.01 screwup, and Yosemite also has problems waiting to be cleaned up. So this came right after we received vivid reminders that Apple is sometimes capable of putting out bad software. If Apple continues to use this auto-update technology, what’s to prevent it from using it to push defective software at us? Surely anybody who owns a Mac has a right to be disturbed by this possibility and see it as a potential threat.
@dfs, While I cannot vouch for everyone’s installation, these auto-update options were not all turned on by default on my Macs.
Also, Apple makes it very clear how auto-update is configured in this document (which I found with about 20 seconds of searching):
http://support.apple.com/en-us/HT201541
Peace,
Gene
I think we can see how benign this update was by watching dfs’ contortions trying to explain why they weren’t. The very simple truth is that a lot of people don’t update, and certainly not in a timely fashion. Rather than have widespread favor, an update was pushed to your computer. Big deal. Nobody snooped at your pr0n or at your torrented movies. They just fixed a very simply bug that opened your computer to a great deal of mischief by people who could have done far worse than just look at your pr0n.
@The Cappy, When it comes to a critical security fix, getting that update onto everyone’s computer is paramount. If even a few are taken over by a remote attacker, you can imagine the havoc it can create. You can still turn preferences on or off as you prefer, and Apple isn’t hiding anything about what settings you can make.
Peace,
Gene
I looked for updates in the app store and it was clearly listed as needing to be installed as soon as possible……I have manual updates set up. In red on another line was a warning that if I didn’t update in a certain time frame it would update automatically.
Are there really people so pissed off at having a secure mac? Are there people who would not who would not install security updates?
dfs says: On
December 24, 2014 at 5:29 AM I have nothing better to do before 5:29 AM on Christmas Eve.
http://support.apple.com/en-us/HT201541
Thanks for the sanity check, because I was doubting mine. I saw all the articles about Apple overreach, but my recollection was that on two Macs, one running Yosemite and one Mavericks, I was notified that an update was available and I then did the manual updates as usual. My App Store settings are to auto-download but do no installs automatically. I don’t remember if I had to set those options or if they were the default.
Its CBS…..sensationalism vs information. A tech tabloid.
[…] A variety of articles have defined that Apple pushed an automatic safety replace to Macs this week; nevertheless it’s improper. Even John Gruber on Daring Fireball didn’t query this, however Gene Steinberg did, in an article on Tech Night Owl Live. […]
I was using an older Mac for legacy applications for legacy files. The older Mac was running- albeit briefly -after a recent move of residency on the same home network (but with it’s own separate ISP) as the newer Mac, which was delivered running Lion. Apple installed Lion on the older Mac, which Apple itself claimed the older computer incapable of running.
I had purposely deactivated all updates on the older Mac as I was using it solely for the legacy applications and files I needed to manually update, or keep archived in their native state.
Please contribute, if you can, on how that could not have happened.
Can you just restore the computer? I wouldn’t know what Apple did there.
Peace,
Gene