
Older Macs are vulnerable to dangerous new bug


[Image: mac security] A new Mac security problem has been discovered. Photo: Cult of Mac

Older Apple computers may be susceptible to a newly disclosed zero-day vulnerability found by a security researcher, who showed that the flaw can be used to plant a rootkit in the machine's firmware rather than on its disk, which makes it nearly undetectable from the operating system and very hard to remove.

OS X security researcher Pedro Vilaca wrote about the zero-day on his blog over the weekend, detailing how it is possible to tamper with the EFI firmware of Apple computers (Apple's implementation of UEFI, the Unified Extensible Firmware Interface that replaced the legacy BIOS).

The firmware lives in a flash chip that the hardware normally write-locks once the machine has booted, but Vilaca discovered that on Apple computers made before mid-2014, when the machine goes to sleep and is woken up again, that write protection is not re-applied, leaving the firmware writable from a running OS X by anyone with root privileges.
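One practical check that follows from this, as an added example that is not from the article or from Vilaca's post: decode the chipset's flash-protection registers from a dump taken before sleep and again after wake, and report which locks were dropped. It assumes the register layout of the Intel PCH families used in those Macs as documented by Intel and as checked by the open-source CHIPSEC tool (the BIOSWE, BLE and SMM_BWP bits of BIOS_CNTL, FLOCKDN in HSFS, and the PR0..PR4 protected-range registers); the register values and BIOS-region bounds below are constructed, and reading the live registers (for example with CHIPSEC or flashrom) is outside the block.

```python
"""Decode Intel PCH SPI-flash write-protection registers and report whether
the flash that holds the EFI firmware is still locked.

Added example, not code from the article or from Pedro Vilaca's post.
Assumed register layout (Intel Series 6/7/8 PCH datasheets; the same bits
CHIPSEC's common.bios_wp module checks):
  BIOS_CNTL (LPC config 0xDC): bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP
  HSFS (SPIBAR+0x04):          bit 15 FLOCKDN (locks the PRx until reset)
  PR0..PR4 (SPIBAR+0x74..):    bit 31 WPE, bits 28:16 limit, bits 12:0 base
                               (base and limit in 4 KiB units)
All register values in this file are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

BIOSWE = 1 << 0    # BIOS write enable (must be clear)
BLE = 1 << 1       # BIOS lock enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # only SMM code may write the BIOS region
FLOCKDN = 1 << 15  # flash configuration lock-down bit in HSFS
PR_WPE = 1 << 31   # write-protection enable bit in a PRx register


@dataclass(frozen=True)
class ProtectedRange:
    base: int              # first protected byte
    limit: int             # last protected byte (inclusive)
    write_protected: bool  # WPE bit


def decode_pr(reg: int) -> ProtectedRange:
    """Turn a raw 32-bit PRx value into byte addresses."""
    base = (reg & 0x1FFF) << 12
    limit = (((reg >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool(reg & PR_WPE))


def region_covered(base: int, limit: int, ranges: list[ProtectedRange]) -> bool:
    """True if the ranges together cover every byte of [base, limit]."""
    pos = base
    for r in sorted(ranges, key=lambda r: r.base):
        if r.base > pos:
            return False          # gap before this range
        if r.limit >= pos:
            pos = r.limit + 1
        if pos > limit:
            return True
    return pos > limit


def write_protection_state(bios_cntl: int, hsfs: int, prs: list[int],
                           bios_base: int, bios_limit: int) -> dict[str, bool]:
    """Evaluate the two independent locks the chipset offers.

    Either one is enough to make a write to the BIOS region fail:
      * BIOS_CNTL with BLE and SMM_BWP set and BIOSWE clear, or
      * FLOCKDN set and write-protected PRx ranges covering the whole
        BIOS region (without FLOCKDN the ranges can simply be cleared).
    """
    smm_bwp = bool((bios_cntl & BLE) and (bios_cntl & SMM_BWP)
                   and not (bios_cntl & BIOSWE))
    flockdn = bool(hsfs & FLOCKDN)
    wp_ranges = [r for r in map(decode_pr, prs) if r.write_protected]
    pr_covers_bios = flockdn and region_covered(bios_base, bios_limit, wp_ranges)
    return {"smm_bwp": smm_bwp, "flockdn": flockdn,
            "pr_covers_bios": pr_covers_bios,
            "locked": smm_bwp or pr_covers_bios}


def dropped_protections(before: dict[str, bool], after: dict[str, bool]) -> list[str]:
    """Locks that were on in the first snapshot and off in the second."""
    return [k for k in ("smm_bwp", "flockdn", "pr_covers_bios")
            if before[k] and not after[k]]


# Constructed snapshots for an 8 MiB flash whose BIOS region is the top 6 MiB.
BIOS_BASE, BIOS_LIMIT = 0x200000, 0x7FFFFF
BEFORE_SLEEP = dict(bios_cntl=0x02, hsfs=0x8000,
                    prs=[0x87FF0200, 0, 0, 0, 0])   # PR0: WPE, 0x200..0x7FF
AFTER_WAKE = dict(bios_cntl=0x02, hsfs=0x0000, prs=[0, 0, 0, 0, 0])

if __name__ == "__main__":
    before = write_protection_state(**BEFORE_SLEEP, bios_base=BIOS_BASE, bios_limit=BIOS_LIMIT)
    after = write_protection_state(**AFTER_WAKE, bios_base=BIOS_BASE, bios_limit=BIOS_LIMIT)
    print("before sleep:", before)
    print("after wake:  ", after)
    print("dropped:     ", dropped_protections(before, after))
```

With the constructed snapshots the flash is locked before sleep only through FLOCKDN plus a PR0 range covering the BIOS region, and both are gone after wake, so the report names exactly those two; the BIOS_CNTL path is evaluated separately because a machine that relies on SMM_BWP instead would show a different pattern.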

Vilaca says the only reliable defence for now is to shut the computer down rather than let it sleep. A similar attack, called Thunderstrike, was disclosed last year, but it required physical access through a malicious Thunderbolt device; Vilaca argues the bug he found is potentially more dangerous because it is triggered purely from software and so could be exploited remotely by an attacker who has already gained root on the machine.

The attack was successfully tested on a MacBook Pro Retina, a MacBook Pro 8,2 and a MacBook Air, all running the latest EFI firmware available. Macs made from mid-2014 on did not appear to be vulnerable, which could mean Apple already knows about the bug and has fixed it in newer models without patching older ones. We've reached out to Apple for comment but haven't received a response.

Via: PCWorld


12 responses to “Older Macs are vulnerable to dangerous new bug”

  2. James Adams says:

    Do we need to worry yet??

    • Richard Liu says:

      Well, you'd always need to worry about computer security. Keep the system updated to the latest version. Keep the system security setting at "allow applications from Mac App Store and identified developers". Don't enable unnecessary services. Don't trust download links from Google search results. Always download files from the App Store or directly from developers' websites, and check the MD5 checksum of the downloaded file if available. Those are the generic rules.

      Currently there are no known-and-still-working security holes in the Mac OS X system that attackers can exploit to breach your system remotely. But it's impractical to expect any software to be bug-free. No one can promise you that there won't be any zero-day attacks in the future. So always be cautious and try to avoid PEBKAC.

      BTW, the "RootPipe" issue someone mentioned is a little bit misleading. The "RootPipe" issue is a bug in a system API that involves a dedicated calling sequence from native local processes; which means you'd still need to launch the malicious application manually. It is not possible that you just receive some "wrong" email or click some "wrong" URL and automatically get infected.

      Besides, "RootPipe" is in fact already patched by the second unnumbered security patch after the 10.10.3 release, before the story hit the news media. After I read that story, I tried to breach my own system with the RootPipe bug, but it doesn't work anymore. You may want to try it yourself before making any judgment.

  3. John V. Knowles says:

    How is the exploit achieved though? Does the hacker need to be physically in front of the computer, or could you mess with the UEFI remotely (provided you had file sharing access)?

    • Richard Liu says:

      Theoretically, hackers are able to install malicious firmware emulation code into a special sector on your hard drive, which will be accessed during the boot procedure. However, this is NOT something you may get infected with simply by receiving mails or clicking hyperlinks. It would require the user to initiate the process, gain administrator access, quit all applications, and reboot the system. So in the real world they can only do this by faking system update installers. In other words, it's a PEBKAC.

      • accolon says:

        Wrong.

        The vulnerability is based on the fact that a simple stand-by/wake-up cycle turns off the firmware flash write protection.

        If an attacker is able to get root access, he can compromise the EFI while OS X is running.

      • Richard Liu says:

        Overwrite firmware while all the userspace processes are running? If my memory serves me right, after OS X 10.4 firmware updates are not directly programmed into the chips, but written to the boot sector of the hard drive on some Mac models. Either way, it's not possible to do this without suspending all system resource access.

  4. HBTonly says:

    When did “mid 2014” become an “Older Mac”? (my mid 2010 just locked itself in the bathroom and won’t stop sobbing because of you, hey where did my razor blades go?)

  5. Len Williams says:

    So, beyond the fear mongering, how likely is this exploit to affect the average Mac user with a pre-2014 Mac? Will infection be possible by downloading Trojan-type files? Will it have to be a fake system update type of attack? What are the delivery methods and attack vectors we need to be concerned with? This article does nothing to give any usable information that can address the situation. Has Apple been contacted or delivered a statement about this? I have 5 computers that are pre-2014 in our graphic design business. I need information on what I can do to make sure my Macs are protected — but I also need to know what to avoid until Apple releases a fix. How possible or likely is an attack? All the article does is leave me with concerns.

    • Richard Liu says:

      This can only be a faked standalone system updater, since it needs to write malicious code into the firmware emulation sector of your hard drive. You have to initiate the process manually and enter your administrator password to make it work. So be cautious about downloads which claim to be a "Mac Firmware Update" on 3rd-party websites. Only trust Apple's official releases.

      • Len Williams says:

        Thanks Richard. This is what I thought was the case, and it is very easy to avoid by all but the most trusting newbies to the Mac universe. All of which means that this exploit is a non-issue for most Mac users. I only accept system updates through Apple’s Software Update or the Apple App Store, depending on which computer and OS is installed. Anyone who would accept and download an Apple system update because they received an “email from Apple” is very trusting indeed, and easily hoodwinked by hundreds, if not thousands of scammers with phishing schemes. What I don’t like about Buster’s article is that he presents the exploit without explaining the attack vector involved, thereby creating a dangerous environment that alarms but doesn’t educate.
        I’ve been a Mac user since OS 6 (1989) and in all that time I’ve only fallen prey to one bit of malware that I got from a disk from a service bureau back in the 90’s, which was easily eradicated. The Windows universe is, of course, MUCH more dangerous. It explains why so many of my Windows-using friends are so paranoid about downloading and installing even Skype software. They’re petrified of messing up their systems with viruses, trojans and other malware that we Mac users have never had to deal with to any great extent.

      • accolon says:

        I’m afraid Richard Liu doesn’t know what he is talking about.

        From Pedro Vilaca’s blog:
        “It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”

        So as long as an attacker can get root access, he can install the required kernel extension, then suspend the system (sudo pmset sleepnow) to turn off the write protection and finally compromise the EFI.

        Getting root access is as easy as the still not completely fixed RootPipe vulnerability, or by using a malicious installer that requests your password. There is no need for faked “system updaters”, this can be anything.
