Macs vulnerable to same remote firmware exploits as Windows PCs, researchers find
Macs can still be successfully attacked using some of the same firmware vulnerabilities affecting many Windows PCs, a new proof-of-concept worm is said to demonstrate.
Superficially, the new attack — dubbed Thunderstrike 2 — appears similar to the namesake Thunderstrike vulnerability found last year and likely relies on some of the same attack vectors. It was created by security reseachers Trammell Hudson, who first discovered Thunderstrike, and Xeno Kovah, Wired reported on Monday.
Worryingly, the proof-of-concept worm could transfer automatically between two Macs without them being networked. It would escape direction by most scanning software, and even survive reformatting, leaving a "scorched earth" approach — re-flashing firmware chips — as the only method of mitigation.
The code is based on research conducted by Kovah's LegbaCore consultancy last year, which discovered possible firmware exploits in PCs by companies like Dell, HP, and Lenovo. Five out of six them are potentially applicable to Macs, Kovah said, because computer makers including Apple tend to rely on the same reference implementations.
Apple has been notified of the gaps and reportedly patched one while partially fixing a second. There is no word on whether those fixes include the changes made in OS X 10.10.2 to address Thunderstrike, or are separate updates.
Thunderstrike 2 targets the option ROM on peripherals like Ethernet adapters and SSDs, and can be spread by connecting an infected device to a Mac. An initial attack could be delivered via an email or malicious website however, and the researchers suggested that computer makers should be cryptographically signing firmware and upgrading their hardware to allow authentication. Write-protect switches might also theoretically improve protection, as could a tool for users to check if firmware has been changed.
The researchers are scheduled to share more details at this year's Black Hat USA security conference on August 6.