Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Macs vulnerable to same remote firmware exploits as Windows PCs, researchers find

Macs can still be successfully attacked using some of the same firmware vulnerabilities affecting many Windows PCs, a new proof-of-concept worm is said to demonstrate.

Superficially, the new attack — dubbed Thunderstrike 2 — appears similar to the namesake Thunderstrike vulnerability found last year and likely relies on some of the same attack vectors. It was created by security reseachers Trammell Hudson, who first discovered Thunderstrike, and Xeno Kovah, Wired reported on Monday.

Worryingly, the proof-of-concept worm could transfer automatically between two Macs without them being networked. It would escape direction by most scanning software, and even survive reformatting, leaving a "scorched earth" approach — re-flashing firmware chips — as the only method of mitigation.

The code is based on research conducted by Kovah's LegbaCore consultancy last year, which discovered possible firmware exploits in PCs by companies like Dell, HP, and Lenovo. Five out of six them are potentially applicable to Macs, Kovah said, because computer makers including Apple tend to rely on the same reference implementations.

Apple has been notified of the gaps and reportedly patched one while partially fixing a second. There is no word on whether those fixes include the changes made in OS X 10.10.2 to address Thunderstrike, or are separate updates.

Thunderstrike 2 targets the option ROM on peripherals like Ethernet adapters and SSDs, and can be spread by connecting an infected device to a Mac. An initial attack could be delivered via an email or malicious website however, and the researchers suggested that computer makers should be cryptographically signing firmware and upgrading their hardware to allow authentication. Write-protect switches might also theoretically improve protection, as could a tool for users to check if firmware has been changed.

The researchers are scheduled to share more details at this year's Black Hat USA security conference on August 6.



19 Comments

schlack 732 comments · 11 Years

practically speaking...should we be concerned?

gatorguy 24627 comments · 13 Years

[quote name="schlack" url="/t/187465/macs-vulnerable-to-same-remote-firmware-exploits-as-windows-pcs-researchers-find#post_2756177"]practically speaking...should we be concerned?[/quote]IMHO it's like a recent vulnerability found on another companies platform. Until the details are announced(the upcoming Blackhat in both cases) it's hard to know just how easy it is to take advantage of. Even then it doesn't mean there's necessarily going to be real-world repercussions. I'd say it's too early to start worrying. Stuff like this comes around a few times a year, but seldom followed up with actual damage reports that amount to much of anything.

sflocal 6138 comments · 16 Years

If it's just like the original Thunderstrike, it requires physical access to the computer as it uses a flaw in the Thunderbolt implementation.  So for just about everyone concerned, it's a non-issue.

It's great that Apple is taking care of the flaws.  It'll be patched before anything can happen.  Poor PC folks though.  Good luck getting any support for their system.

gatorguy 24627 comments · 13 Years

[quote name="sflocal" url="/t/187465/macs-vulnerable-to-same-remote-firmware-exploits-as-windows-pcs-researchers-find#post_2756191"]If it's just like the original Thunderstrike, it requires physical access to the computer . . . [/quote] Is it the same thing? Perhaps AI got the story wrong then. "An initial attack could be delivered via an email or malicious website however"

prince brian 19 comments · 10 Years

Well yeah... b/c technically speaking, anything that has a user and it connected to the internet is vulnerable. This is no such thing as 100% protection. Thats why I have a job in I.T. 

 

This isn't really news.