Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why you shouldn't freak out about this week's scary-sounding Mac exploits

Glenn Fleishman | Aug. 7, 2015
One set of researchers explains how a modification to your Macintosh's boot-up firmware can persist undetectably and spread through peripherals to other computers. Another researcher's work from a month ago is found in the wild, installing adware through a hidden escalation in user privileges. Both sound terrible, but neither is quite what it seems.

Third, I assumed it was the sort of thing that would be quickly patched, because it's such a trivial error, rather than a deeply nested part of OS X that would require new plumbing. In fact, Apple had received a report well before Esser's disclosure, and was already working on the problem.

Unfortunately, before Apple made the fix, malware was discovered in the wild this week in an adware installer--that's an installer for legitimate software that also adds adware with affiliate programs. These malicious installers don't hack a computer, so much as provide a revenue stream for those who release them.

Apple tells me that the latest developer beta of 10.10.5 contains the fix, which Esser confirmed a few days ago; OS X 10.11 El Capitan approaches this particular feature differently, and didn't suffer from the flaw. The date for 10.10.5's release wasn't disclosed.

The adware installer found in the wild that exploits this flaw used a signed developed certificate, which Apple has revoked. Apple has further added a signature to XProtect, its anti-malware database, which should be updated by this writing to prevent the original installer and ones using similar code from running.

Esser isn't wrong to be frustrated at the uneven pace by which Apple fixes system flaws. The company is sometimes lightning fast, and sometimes lets issues lag for months or longer. But it's hard to support this form of disclosure unless one is certain Apple is ignoring the problem because Apple certainly isn't harmed in any substantive way by being "punished" with no advance warning. Users are.

Giving it the boot

Also this week, researchers said they had found vulnerabilities in Apple's bootloader software, EFI (Extensible Firmware Interface), different forms of which are widely used for all modern personal computers, whether they run OS X, Windows, or a Unix variant. EFI resides in firmware, and launches when a computer is powered up or restarted, initializing hardware and loading the operating system. (In the not-that-long-ago days, the PC world used BIOS, for basic input/output system, which EFI replaces.)

One of the two researchers demonstrated Thunderstrike earlier this year, a way of modifying EFI firmware through Thunderbolt hardware, which can contain the equivalent of firmware extensions via built-in option ROMs. Option ROMs are designed to extend EFI to support specific hardware features--hence the term "extensible" in EFI's name. Not enough checking was done to prevent malicious software from running and patching EFI. The 10.10.2 update closed the hole that allowed Thunderstrike to work, but researcher Trammell Hudson said months ago that other vulnerabilities remain if one can gain physical access to a Mac.

He and Xeno Kovah plan to show a demonstration of Thunderstrike 2 this week in Las Vegas at the Def Con computer security conference. This variant takes a different approach to the same sort of attack, and more worryingly can spread as a worm among infected devices. However, it still requires several steps to accomplish its task.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.