Security researcher and Apple hacker Pedro Vilaca has uncovered a zero-day vulnerability in Macs that allows attackers to slip malware onto computers. The newly discovered security flaw apparently affects all older Macs, and builds on older flaws already uncovered by security researchers (via PC World).
After finding that it is possible to gain write access to a Mac’s UEFI (Unified Extensible Firmware Interface), he was able to install a “rootkit”, a type of malware that is nearly undetectable and hard to remove.
The only defense against this type of zero-day flaw is to always shut down the computer and never put it to sleep, Vilaca wrote on his blog.
A similar flaw, Thunderstrike, was discovered last December and presented by another security researcher, Trammell Hudson. That scenario required physical access to the Mac.
Not this time. Vilaca thinks the security flaw can be exploited remotely, which makes it even more dangerous.
“Well, Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle,” Vilaca wrote on his blog. “!?#$&#%&!#%&!#”
“And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”
“Wait, am I saying Macs’ EFI can be rootkitted from userland without all the tricks from Thunderbolt that Trammell presented? Yes I am! And that is one hell of a hole :-).”
Apple has allegedly patched the Thunderstrike bug, which also allowed access to the Mac’s UEFI, but when he tested this new flaw, Vilaca was able to install a rootkit on all test machines released before mid-2014, running the latest EFI firmware available. Newer machines, however, weren’t affected, so Vilaca suspects Apple did manage to patch the vulnerability but left it open in older models.
Vilaca did not notify Apple before exposing this bug, so you may want to follow Vilaca’s advice and always shut down your computer.