Should you fear the latest Mac firmware exploit?

A security researcher has found what he says is a deep flaw that potentially affects all Intel-based Macintosh models made until mid-2014, when the error he discovered appears to have been fixed. Under a very particular combination of conditions, the exploit would allow an attacker to rewrite a Mac's boot firmware to include persistent malicious software.

Pedro Vilaca revealed the information without what is considered responsible disclosure in the security industry, in which an affected company or project is notified sufficiently far ahead of the release of information to allow them the potential to fix the problem. Apple isn't always terrific about this, but looking at the list of credited, fixed security issues in its regular updates indicates it does accept and act on reports.

In an update, he posted a feeble excuse about why he didn't tell Apple first. And I agree with his criticism about Apple not offering security patches for older Macs, some of which can't run newer versions of OS X. Apple relies on how quickly Mac users upgrade OS X when it's an option, the lifespan of older computers, and the increasingly small target of outdated Macs being worthwhile to attack.

However, some preliminary contact would have been nice to prevent tens of millions of Mac users from becoming targets before the full scope is understood and before anyone knows how easy it will be to exploit in practice. There appears to be a bullseye, and if we're lucky, it's awfully hard to hit.

Give it the boot

No matter what sort of computer or mobile device you have, when it's first fired up from a complete "off" state, not just standby, a boot process has to go through its paces. A relatively simple piece of software stored mostly or entirely in nonvolatile memory--flash or EEPROM or other storage that isn't erased when power is removed--is executed, and that bootloader initializes hardware, may be able to interact with a keyboard or mouse, and finds the device with the operating system on it and prepares to load it and hand off control.

Macs are no different. Since the Intel transition almost a decade ago, Macs have used EFI (Extensible Firmware Interface), a more sophisticated successor to the long-running BIOS that booted IBM-compatible PCs, as they were once known. (Intel developed EFI, and contributed it to the industry standard Unified EFI, or UEFI, which now boots nearly all new PCs.)

Apple uses a cryptographic signature to prevent firmware from being updated that the company didn't provide. Last December, Trammell Hudson unveiled a Thunderbolt-related exploit he called Thunderstrike. (He'd been providing details to Apple for some time.) His exploit required physical access to a Thunderbolt port and relied on Thunderbolt firmware being loaded while an EFI update was underway. Apple fixed this in OS X 10.10.2.

Vilaca says his exploit results from Apple failing to lock down the EFI firmware after a Mac wakes from sleep. He was able to test enough systems to believe it affects only Macs from before mid-2014, although I expect we'll get more information in the near future from other researchers and people who like to poke at this sort of problem.

The EFI could be rewritten to include every kind of snooping and zombie software, snatching all keystrokes and data or turning a computer into an unwitting slave in a distributed denial of service (DDoS) attack. Because the malware lives in the EFI, reinstalling OS X or replacing the hard drive does no good. Thunderstrike also showed how the firmware could be modified to block Apple's own updated EFI from being installed.
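The "lock down" the article refers to is the set of write-protection bits an x86 firmware is expected to set on the SPI flash chip before handing control to the operating system, and to set again every time the machine resumes from sleep. The Python below is an added illustration, not code from the article or from Vilaca, of the check a defender (or a firmware-security tool such as Intel's CHIPSEC) performs: decode the protection bits and diff the state seen at cold boot against the state seen after a resume. Register and bit names follow the public Intel PCH datasheets and are assumed to apply to the chipsets in question; the article names no registers. Nothing here touches hardware, and the register values are constructed samples.

```python
"""Decode SPI-flash write-protection state and diff it across a sleep/resume cycle.

Bit positions come from the public Intel PCH datasheets (BIOS_CNTL in the LPC
bridge's PCI config space; HSFS and PR0-PR4 in the SPI controller's MMIO window).
Assumed to match the hardware discussed; the register values below are
constructed samples, not readings from a real Mac.
"""
from dataclasses import dataclass, field
from typing import List

BIOS_CNTL_BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash writes allowed right now
BIOS_CNTL_BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE traps into SMM
BIOS_CNTL_SMM_BWP = 1 << 5   # SMM BIOS Write Protect: only SMM code may write
HSFS_FLOCKDN = 1 << 15       # Flash Configuration Lock-Down: PRx become read-only
PR_WPE = 1 << 31             # Protected Range register: write-protect enable


@dataclass
class FlashRegs:
    bios_cntl: int
    hsfs: int
    pr: List[int] = field(default_factory=lambda: [0] * 5)  # PR0..PR4


def missing_locks(regs: FlashRegs) -> List[str]:
    """Return the names of the protections that are NOT in effect."""
    findings = []
    if regs.bios_cntl & BIOS_CNTL_BIOSWE:
        findings.append("BIOSWE")     # flash is writable from the OS right now
    if not regs.bios_cntl & BIOS_CNTL_BLE:
        findings.append("BLE")        # nothing stops a driver re-enabling BIOSWE
    if not regs.bios_cntl & BIOS_CNTL_SMM_BWP:
        findings.append("SMM_BWP")
    if not regs.hsfs & HSFS_FLOCKDN:
        findings.append("FLOCKDN")    # the protected ranges themselves can be cleared
    if not any(v & PR_WPE for v in regs.pr):
        findings.append("PRx")        # no region of the flash is write-protected
    return findings


def locks_lost_on_resume(cold_boot: FlashRegs, after_resume: FlashRegs) -> List[str]:
    """Protections present at cold boot but absent after wake-from-sleep.

    A non-empty result is the pattern the article describes: the firmware
    locked the flash at boot but did not re-lock it on resume.
    """
    before = set(missing_locks(cold_boot))
    after = set(missing_locks(after_resume))
    return sorted(after - before)


# Constructed sample: BLE and SMM_BWP set, BIOSWE clear, FLOCKDN set, PR0 active.
COLD_BOOT = FlashRegs(bios_cntl=0x22, hsfs=0x8008, pr=[0x8FFF0100, 0, 0, 0, 0])
# Constructed sample: resumed from sleep without any lock being re-applied.
AFTER_RESUME = FlashRegs(bios_cntl=0x00, hsfs=0x0008)

if __name__ == "__main__":
    print("missing at cold boot:  ", missing_locks(COLD_BOOT))
    print("missing after resume:  ", missing_locks(AFTER_RESUME))
    print("locks lost on resume:  ", locks_lost_on_resume(COLD_BOOT, AFTER_RESUME))
```

The useful property for a defender is the diff, not the absolute state: a machine whose firmware never sets these bits is a different (and older) class of problem from one that sets them at boot and silently drops them after a nap. On real hardware the two snapshots would come from reading the registers once after a cold boot and once after a sleep/wake cycle.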

Remote attacks seem unlikely

Vilaca noted that a remote exploit should be possible, though he downplayed it, and I agree there. A whole cascade of things would need to happen: first an exploit would have to be created and made practical, and then it would have to be installed on unsuspecting Macs.

Any criminal enterprise interested in this exploit has to factor in two elements: how quickly will Apple patch it (if it's ever patched) and how many potential target computers are there that could be exploited? There are conceivably tens of millions of older Macs, so that number is high. But if Apple releases a patch that works with Mavericks and Yosemite, that covers at least 80 percent of active Macs, and potentially more than 90 percent. That makes the yield likely too low to be worthwhile.

To take advantage of this exploit remotely, an attacker would have to either use an unpatched browser weakness or convince a user to install software with an administrative password. Judging by reports around free software that's repackaged with adware and malware and hosted at popular download sites, users routinely give away the keys to the kingdom. But on what scale? Probably also not enough to be worthwhile for this kind of flaw.

Earlier this year, Kaspersky Labs claimed it found malware in hard-disk firmware--the boot and operation software used on hard drives to operate and interact with a computer system. They attributed this to a government actor, widely regarded as the NSA. It's not improbable that this Apple EFI weakness, if it's as described by Vilaca, could be or has been used to target individuals. But the risk on a broad scale seems highly unlikely.
