A zero-day vulnerability in the Mac OS X firmware has left millions of Apple computers vulnerable to an attack that could overwrite the system’s BIOS and install a rootkit, gaining full control over the system.
The newly uncovered vulnerability lies within the UEFI (Unified Extensible Firmware Interface) on a number of older MacBook laptops. It was discovered by security researcher Pedro Vilaca after his MacBook had gone to sleep and been woken again: he found the machine’s low-level firmware left unlocked and writable.
“And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access,” Vilaca wrote in his blog post detailing the Mac OS X vulnerability.
Carrying out the OS X attack is similar to exploiting a previous flaw known as Thunderstrike, a vulnerability disclosed last year that allowed a researcher to deliver a bootkit through a peripheral device connected to the Thunderbolt port of the physical machine.
The attack, developed by researcher Trammell Hudson, could install malware on the system that survives an entire OS wipe and reinstall, much like Vilaca’s discovery.
“Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said, speaking on Thunderstrike back in January. “It can’t be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won’t remove it. Replacing the SSD won’t remove it since there is nothing stored on the drive.”
However, Vilaca said his vulnerability is far more concerning than the Thunderstrike attack, stating that anyone who can exploit Thunderstrike can easily exploit his latest OS X flaw too. Vilaca said his attack is far more powerful because it has remote attack vectors, whereas the latter attack requires physical access to the machine.
During his testing, Vilaca was able to execute the attack on a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all running the latest versions of the EFI (Extensible Firmware Interface). The vulnerability was easily exploitable, Vilaca said, adding that combined with a remote exploit it could be exploited remotely.
“The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access,” he said. Along with the help of vulnerabilities regularly identified in Safari among other web browsers, it’s possible for an attacker to install a low-level rootkit.
Vilaca said Apple may already know of the vulnerability, because machines sold after mid-2014 were not found to be vulnerable to the exploit. Apple, however, has made no public comment regarding a possible patch.
There is only one way to keep your Mac OS X machine from becoming vulnerable: never put the computer to sleep, and always shut it down instead.