Macs vulnerable to same remote firmware exploits as Windows PCs, researchers find
Macs can still be successfully attacked using some of the same firmware vulnerabilities affecting many Windows PCs, a new proof-of-concept worm is said to demonstrate.
Superficially, the new attack -- dubbed Thunderstrike 2 -- appears similar to the namesake Thunderstrike vulnerability found last year and likely relies on some of the same attack vectors. It was created by security researchers Trammell Hudson, who first discovered Thunderstrike, and Xeno Kovah, Wired reported on Monday.
Worryingly, the proof-of-concept worm could transfer automatically between two Macs without them being networked. It would escape detection by most scanning software, and even survive reformatting, leaving a "scorched earth" approach -- re-flashing firmware chips -- as the only method of mitigation.
The code is based on research conducted by Kovah's LegbaCore consultancy last year, which discovered possible firmware exploits in PCs by companies like Dell, HP, and Lenovo. Five out of six of them are potentially applicable to Macs, Kovah said, because computer makers including Apple tend to rely on the same reference implementations.
Apple has been notified of the gaps and reportedly patched one while partially fixing a second. There is no word on whether those fixes include the changes made in OS X 10.10.2 to address Thunderstrike, or are separate updates.
Thunderstrike 2 targets the option ROM on peripherals like Ethernet adapters and SSDs, and can be spread by connecting an infected device to a Mac. An initial attack could be delivered via an email or malicious website however, and the researchers suggested that computer makers should be cryptographically signing firmware and upgrading their hardware to allow authentication. Write-protect switches might also theoretically improve protection, as could a tool for users to check if firmware has been changed.
The researchers are scheduled to share more details at this year's Black Hat USA security conference on August 6.
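The kind of firmware-change check the researchers suggest can be sketched for option ROMs as follows. This is an added example, not the researchers' or Apple's tooling: it walks the standard PCI expansion ROM header layout in a dump and compares per-image hashes against a known-good dump. The function names and the sample images (including the vendor and device IDs) are constructed for illustration.

```python
import hashlib
import struct

CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x03: "EFI"}

def parse_option_rom(blob):
    """Walk each image in a PCI expansion (option) ROM dump and hash it."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 0x55AA signature at offset {off:#x}")
        p = off + struct.unpack_from("<H", blob, off + 0x18)[0]  # PCIR pointer
        if p + 0x18 > len(blob) or blob[p:p + 4] != b"PCIR":
            raise ValueError(f"bad PCI data structure at offset {p:#x}")
        size = 512 * struct.unpack_from("<H", blob, p + 0x10)[0]  # 512-byte units
        code_type, indicator = struct.unpack_from("<BB", blob, p + 0x14)
        if size == 0 or off + size > len(blob):
            raise ValueError(f"invalid image length at offset {off:#x}")
        kind = CODE_TYPES.get(code_type, hex(code_type))
        images.append((off, kind, hashlib.sha256(blob[off:off + size]).hexdigest()))
        off += size
        if indicator & 0x80:  # bit 7 marks the last image in the ROM
            break
    if blob[off:].strip(b"\xff\x00"):  # anything other than erased-flash padding
        images.append((off, "trailing data", hashlib.sha256(blob[off:]).hexdigest()))
    return images

def diff_roms(baseline, current):
    """List (offset, finding) pairs where a dump departs from a known-good one."""
    good = {off: (kind, digest) for off, kind, digest in parse_option_rom(baseline)}
    findings = []
    for off, kind, digest in parse_option_rom(current):
        ref = good.pop(off, None)
        if ref is None or ref[1] != digest:
            verdict = "unexpected " if ref is None else "modified "
            findings.append((off, verdict + kind))
    findings += [(off, "missing " + kind) for off, (kind, _) in good.items()]
    return sorted(findings)

def make_image(code_type, last, body=b""):
    """Constructed sample: one 512-byte image with a minimal valid header."""
    img = bytearray(b"\x55\xaa" + bytes(510))
    struct.pack_into("<H", img, 0x18, 0x1C)  # header points at PCIR struct
    struct.pack_into("<4sHH8xHxxBB", img, 0x1C, b"PCIR", 0x1234, 0x5678,
                     1, code_type, 0x80 if last else 0)
    img[0x40:0x40 + len(body)] = body
    return bytes(img)

BASELINE = make_image(0x00, False) + make_image(0x03, True)
TAMPERED = make_image(0x00, False) + make_image(0x03, True, b"changed") + b"extra"
```

A comparison like this is only as trustworthy as the way the dump was read: a dump taken through the running system can be falsified by firmware that is already compromised, which is why the researchers also call for signed firmware and hardware authentication.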
Comments
If it's just like the original Thunderstrike, it requires physical access to the computer as it uses a flaw in the Thunderbolt implementation. So for just about everyone concerned, it's a non-issue.
It's great that Apple is taking care of the flaws. It'll be patched before anything can happen. Poor PC folks though. Good luck getting any support for their system.
"An initial attack could be delivered via an email or malicious website however"
Well yeah... b/c technically speaking, anything that has a user and is connected to the internet is vulnerable. There is no such thing as 100% protection. That's why I have a job in I.T.
This isn't really news.
Is it the same thing? Perhaps AI got the story wrong then.
"An initial attack could be delivered via an email or malicious website however"
I'm confused... yeah, I don't know. "Could be spread by email" sounds a little vague to me for some reason. It either can, or cannot be. I think the article could be better written. There are some specifics missing.
If it's just like the original Thunderstrike, it requires physical access to the computer as it uses a flaw in the Thunderbolt implementation. So for just about everyone concerned, it's a non-issue.
It's not, remote infection is possible, via website access, email etc.
Seems this is most likely to have been used by our great NSA than anyone else.
I wonder how long before we have those notoriously insecure IoT devices being used as a router for this sort of attack.
Infect an IoT device with code to enable it to store and pass on the infection to PCs and Macs.
The more devices we have connected to our home networks the more vulnerable we all become.
No IoT device is going to be connected to my home network. No Streaming Videos to my smart TV.
But to be honest how many of the general public will even care if they get infected with this sort of bad stuff?
practically speaking...should we be concerned?
Practically speaking we should not be concerned at all. For years we’ve been treated to these doomsday scenarios by security ‘researchers’ and there is not one scintilla of evidence to suggest that any of this stuff has gained widespread traction. It comes, people get nervous and wring their hands in anxiety, the security paranoids bloviate that we are all doomed, then it all goes away and nothing comes of it EVER!
Look at the recent explosion of paranoia over the Android ‘Stage Fright’ vulnerability. It was trumpeted that 95% of all Android users were about to get creamed and destroyed in the coming Stage Fright apocalypse. Gone from the headlines totally. Remember the special text message that could ‘crash’ an iPhone leading to execution of malicious code. That lasted about a day or two as my son’s workplace colleagues started sending each other the special text and laughing their asses off. Then it went away and hasn’t been heard of since.
I’m sure the NSA, the CIA, and other ‘agencies’ tuck this stuff away for possible use on a high value target but you sitting in your den placing your Amazon order, not important enough to bother with.
I wonder how long before we have those notoriously insecure IoT devices being used as a router for this sort of attack.
Infect an IoT device with code to enable it to store and pass on the infection to PCs and Macs.
The more devices we have connected to our home networks the more vulnerable we all become.
No IoT device is going to be connected to my home network. No Streaming Videos to my smart TV.
But to be honest how many of the general public will even care if they get infected with this sort of bad stuff?
Paranoid nonsense. Vulnerable to what exactly? The neighbor kid hacking the fridge and ordering more pizza? Ha, ha, ha!
If it's just like the original Thunderstrike, it requires physical access to the computer as it uses a flaw in the Thunderbolt implementation. So for just about everyone concerned, it's a non-issue.
It's great that Apple is taking care of the flaws. It'll be patched before anything can happen. Poor PC folks though. Good luck getting any support for their system.
Except it's not.
"This is the second Thunderstrike exploit to target Macs. The first version was fixed with OS X 10.10.2 and required the hacker to have physical access to the computer. This new version is more nefarious because the malware can be delivered via a link." - Engadget
Cheap aftermarket Thunderbolt accessories are especially suspect. For peace of mind, look no further than Apple-branded Thunderbolt accessories.
http://www.macrumors.com/2015/08/03/thunderstrike-2-first-mac-firmware-worm/
Is there a way to find out if your machine is infected by Thunderstrike 2?
There used to be a time when applying firmware updates on a Mac required restarting and then holding down the power button until you hear a loud beep. Why was this changed?