Apple Under Fire: Mac Zero-day Exploits Hit the Web and Firmware Worm Threat Looms

Last month security researcher Stefan Esser released details of a proof-of-concept attack against a zero-day vulnerability that resided within OS X Yosemite. The flaw makes it possible for attackers to increase their privileges on a Mac and take complete control.

Fortunately, the flaw is fixed within the most recent beta version of Apple’s upcoming OS X El Capitan.

But that’s of little consolation to current users of Yosemite. SektionEins, Esser’s employer, has released SUIDGuard, a kernel extension available on GitHub that purports to shield users from the flaw.

The security firm announced yesterday that it identified the attack underway “in the wild,” making the patch from Apple much more urgent than it was previously.

Until Apple releases a patch, it’s important that users don’t click on any links they don’t trust.

Tomorrow, at the Black Hat security conference, security researchers will release details on the attack, dubbed Thunderstrike 2 – a worm that can infect Apple Macs at a very low level.

The attack is an enhancement on a firmware attack that was announced earlier this year. The researchers – Xeno Kovah and Corey Kallenberg from LegbaCore, as well as Trammell Hudson from Two Sigma Investments – demonstrated how infected or maliciously tailored devices could infect the firmware of a Mac by connecting through Apple’s Thunderbolt interface.

Apple patched a number of the flaws that make the firmware attack possible, but not all of them, according to Hudson.

The new attack doesn’t require physical access. Attackers can exploit the firmware vulnerability in Thunderbolt devices via a phishing attack or malicious website. When a Thunderbolt device becomes infected it can infect any Mac that accesses it thereafter.

Such firmware attacks can be especially nasty. Anti-virus software has a difficult time scanning the firmware level of devices and can’t cleanse the firmware of a known infection. The firmware has to be reprogrammed in order to disinfect the machine. Not fun.

While firmware attacks against PCs have become increasingly common, attacks targeting Macs have always required that the attacker have direct physical access to the machine. While helpful for some types of attackers, remotely exploitable vulnerabilities are where most of the action is. According to the security research trio’s Black Hat talk description, when contacted about previously disclosed PC firmware attacks, “Apple systematically declared themselves not vulnerable.”

Turns out that was overconfident. Kovah, Kallenberg, and Hudson will demonstrate that Macs are vulnerable to firmware attacks tomorrow.
