Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Should you fear the latest Mac firmware exploit?

Glenn Fleishman | June 5, 2015
A security researcher has found what he says is a deep flaw that potentially affects all Macintosh Intel models made until mid-2014, when the error he discovered appears to have been fixed. The exploit would allow, in a very particular set of combined conditions, to rewrite the boot-up firmware in a Mac to include persistent, malicious software.

A security researcher has found what he says is a deep flaw that potentially affects all Macintosh Intel models made until mid-2014, when the error he discovered appears to have been fixed. The exploit would allow, in a very particular set of combined conditions, to rewrite the boot-up firmware in a Mac to include persistent, malicious software.

Pedro Vilaca revealed the information without what is considered responsible disclosure in the security industry, in which an affected company or project is notified sufficiently far ahead of the release of information to allow them the potential to fix the problem. Apple isn't always terrific about this, but looking at the list of credited, fixed security issues in its regular updates indicates it does accept and act on reports.

In an update, he posted a feeble excuse about why he didn't tell Apple first. And I agree with his criticism about Apple not offering security patches for older Macs, some of which can't run newer versions of OS X. Apple relies on how quickly Mac users upgrade OS X when it's an option, the lifespan of older computers, and the increasingly small target of outdated Macs being worthwhile to attack.

However, some preliminary contact would have been nice to prevent tens of millions of Mac users from becoming targets before the full scope is understood and how easy it will be to exploit practically. There appears to be a bullseye, and if we're lucky, it's awfully hard to hit.

Give it the boot

No matter what sort of computer or mobile device you have, when it's first fired up from a complete "off" state, not just standby, a boot process has to go through its paces. A relatively simple piece of software stored mostly or entirely in nonvolatile memory — flash or EEPROM or other storage that isn't erased when power is removed — is executed, and that bootloader initializes hardware, may be able to interact with a keyboard or mouse, and finds the device with the operating system on it and prepares to load it and hand off control.

Macs are no different. Since the Intel transition almost a decade ago, Macs have used EFI (Extensible Firmware Interface), which is a more sophisticated successors to the long-running BIOS that booted IBM-compatible PCs, as they were once known. (Intel developed EFI, and contributed to the industry standard Unified EFI, or UEFI, which now boots nearly all new PCs.)

Apple uses a cryptographic signature to prevent firmware from being updated that the company didn't provide. Last December, Trammell Hudson unveiled a Thunderbolt-related exploit he called Thunderstrike. (He'd been providing details to Apple for some time.) His exploit required physical access to a Thunderbolt port and relied on Thunderbolt firmware being loaded while an EFI update was underway. Apple fixed this in OS X 10.10.2.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.