Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Mac users exposed by zero-day vulnerability

Chris Player | June 8, 2015
A critical vulnerability affecting most Apple Mac models has been discovered that could enable attackers to overwrite firmware and gain persistent root access to computers.

A critical vulnerability affecting most Apple Mac models has been discovered that could enable attackers to overwrite firmware and gain persistent root access to computers.

Security firm, Symantec, has confirmed in a blog post the existence of the Apple Mac OS X extensible firmware interface (EFI) security vulnerability.

It was originally disclosed by the firm's security researcher, Pedro Vilaca, who discovered that a flawed energy conservation implementation left flash protections unlocked on the affected Macs after they woke up from sleep mode.

An attacker can reflash the computer's firmware to install EFI rootkit malware.

Analysis by Symantec has confirmed the existence of this vulnerability by replicating the exploit as described.

The company rated the vulnerability as critical because it can provide an attacker with persistent root access to a computer that may survive any disk wipe or operating system reinstallation.

Kaspersky Lab chairman and chief executive, Eugene Kaspersky, said Mac was certainly vulnerable to cyberattacks but these sort of attacks were less common due to the difficulty in finding qualified Mac engineers.

"There are millions of Mac users and there is a big opportunity for cybercriminals to attack Mac," he said.

"Microsoft built a great ecosystem around their products and technologies. They invested heavily in education for engineers. Apple, not so much.

"We are partners with both Apple and Microsoft and these companies behave in different ways. You do not need to knock on Microsoft's doors, they are open.

Apple is different, you have to knock, take a number, join the queue and wait. That's why there are many more Windows engineers than Mac engineers."

The weakness can be remotely exploited by an attacker if used in conjunction with another exploit that provided root access. Symantec said that while such vulnerabilities are not widespread, they do emerge from time to time.

Once an attacker has root access, the only condition required for successful exploit is that the computer enter sleep mode.

Symantec said there had been no reports of the vulnerability being exploited in the wild. However, it did stress the likelihood of attacks will increase as news spreads.

Initial reports indicate that all but the latest 2015 models of Mac appear to be affected by the vulnerability.

The firm has tested four different Mac computers. The Mac Mini 5.1 and MacBook Pro 9.2 were found to be vulnerable. The MacBook Pro 11.3 and MacBook Air 6.2 are said to be unaffected.

In his own testing, Vilaca found the MacBook Pro Retina 10.1, MacBook Pro 8.2, MacBook Air 5.1 and Mac Pro 9.1 were vulnerable to the threat.

According to Symantec, until a patch for the vulnerability is issued, users who are concerned about being targeted are advised to shut down their computers instead of using sleep mode.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.