Apple Macs Vulnerable to EFI Zero-Day

A security researcher has discovered a new vulnerability in Apple Mac computers that could be used to remotely inject persistent rootkit malware into users' machines, giving attackers full system-level control.

Pedro Vilaca, a well-known OS X security researcher, found this critical bug in older Apple computers shipped before mid-2014. He found a way to reflash a Mac's BIOS using functionality reachable from userland, the part of the operating system where installed applications and drivers run. By exploiting vulnerabilities such as those regularly found in Safari and other web browsers, attackers can install malicious firmware that survives hard-drive reformatting and reinstallation of the operating system.

The flaw appears to stem from a bug in Apple's sleep-mode energy-conservation implementation that can leave areas of memory in the Extensible Firmware Interface (EFI), which provides low-level hardware control and access, writable from user accounts on the computer.
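The weakness described above is a state change: protections that are in place at boot are no longer in place after a sleep/wake cycle. A defender can check for that directly by snapshotting the flash write-protection registers at boot and again after waking, then comparing. The following is an added example, not code from the article or from Vilaca's research. It assumes the Intel PCH register layout documented in Intel's chipset datasheets (BIOS_CNTL bits BIOSWE, BLE and SMM_BWP, the HSFS FLOCKDN bit, and the WPE bit of the PRx protected-range registers); the register values are constructed rather than captured from a real Mac, and the "locked" verdict is this example's own conservative policy, not Apple's or any tool's.

```python
# Added example (not from the article): decode Intel PCH flash write-protection
# registers and detect protections lost across a sleep/wake cycle.
# Bit positions are assumed from Intel PCH datasheets; sample values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# BIOS_CNTL (LPC bridge PCI configuration register) bits
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = firmware flash is writable
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only from SMM
# HSFS (SPI controller Hardware Sequencing Flash Status) bit
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: 1 = SPI config/PRx frozen
# PRx (SPI Protected Range) bit
PR_WPE = 1 << 31   # Write Protection Enable for that range


@dataclass(frozen=True)
class FlashSnapshot:
    label: str
    bios_cntl: int
    hsfs: int
    protected_ranges: Tuple[int, ...] = ()


def protection_bits(s: FlashSnapshot) -> Dict[str, bool]:
    """Which protective bits are currently set in the snapshot."""
    return {
        "BLE": bool(s.bios_cntl & BLE),
        "SMM_BWP": bool(s.bios_cntl & SMM_BWP),
        "FLOCKDN": bool(s.hsfs & FLOCKDN),
        "PR_WPE": any(pr & PR_WPE for pr in s.protected_ranges),
    }


def assess(s: FlashSnapshot) -> Dict[str, object]:
    """Verdict on whether OS-level code is blocked from writing the flash.

    Policy (this example's own, conservative): writes from the OS are blocked
    only if SMM_BWP is set, or BLE is set while BIOSWE is clear; and FLOCKDN
    must be set so the SPI configuration cannot simply be changed back.
    """
    bits = protection_bits(s)
    bioswe = bool(s.bios_cntl & BIOSWE)
    write_blocked = bits["SMM_BWP"] or (bits["BLE"] and not bioswe)
    locked = write_blocked and bits["FLOCKDN"]
    return {"label": s.label, "BIOSWE": bioswe, **bits, "locked": locked}


def lost_protections(before: FlashSnapshot, after: FlashSnapshot) -> List[str]:
    """Names of protective bits that were set before and are clear after."""
    b, a = protection_bits(before), protection_bits(after)
    return [name for name in b if b[name] and not a[name]]


# Constructed sample snapshots (illustrative, not real register captures).
BOOT = FlashSnapshot(
    "fresh boot",
    bios_cntl=BLE | SMM_BWP,
    hsfs=FLOCKDN,
    protected_ranges=(PR_WPE | 0x0FFF0000,),
)
AFTER_WAKE = FlashSnapshot(
    "after sleep/wake",
    bios_cntl=0,            # BLE and SMM_BWP no longer set
    hsfs=0,                 # FLOCKDN no longer set
    protected_ranges=(0x0FFF0000,),  # range still defined, WPE no longer set
)

if __name__ == "__main__":
    for snap in (BOOT, AFTER_WAKE):
        result = assess(snap)
        print(f"{result['label']:>18}: locked={result['locked']} "
              f"BIOSWE={result['BIOSWE']} BLE={result['BLE']} "
              f"SMM_BWP={result['SMM_BWP']} FLOCKDN={result['FLOCKDN']} "
              f"PR_WPE={result['PR_WPE']}")
    print("protections lost across sleep:", lost_protections(BOOT, AFTER_WAKE))
```

On a real machine the register values would come from a firmware-assessment tool such as chipsec (its `common.bios_wp` module reports the same BIOS_CNTL and protected-range bits); the useful check is the comparison of a pre-sleep and post-wake snapshot, since a single reading taken at boot will look healthy on an affected system.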

This new bug is more serious than Thunderstrike, which was discovered late last year. Both bugs give an attacker the same persistent, low-level control of a Mac, but the new one does not require physical access to the machine as Thunderstrike does.

Vilaca said:

"A remote exploit could simply deliver a payload that will either wait or test if a previous sleep existed and machine is vulnerable, or force a sleep and wait for a wakeup to resume its work."

"After the BIOS protections are unlocked it can simply overwrite the BIOS firmware with something that contains an EFI rootkit and that's it. BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates," he added.

To work, an exploit would require a vulnerability that gives the attacker unfettered "root" access to OS X resources. Such vulnerabilities aren't always easy to find, but they're by no means impossible, as demonstrated by the Rootpipe privilege-escalation bug that came to light late last year. Vilaca said a drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attack.

Vilaca confirmed his attack works against a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all running the latest available EFI firmware from Apple. He said Macs released since mid-to-late 2014 appear to be immune to the attack.

As this is a zero-day vulnerability, no patch is available yet. Apple has not commented on the issue, but the company is expected to release a patch soon.