Macs Vulnerable To Userland Injected EFI Rootkits
Bismillah writes that a new vulnerability in recent Macs — and potentially older ones — can be used to plant code such as rootkits into areas of EFI memory that shouldn't be writeable, but become unlocked after the computer wakes up from sleep mode. The article explains that [The vulnerability] appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer.
Memory areas are normally locked as read-only to protect them.
However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.
Vilaça believes Apple is aware of the issue - his testing shows the flaw is not found in the firmware of Macs made after mid-2014.
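The defender's check that follows from the summary is to read the flash write-protection bits at boot and again after a sleep/wake cycle and see which ones have dropped. The decoder below is an added example, not code from the article or from Vilaça's research; it assumes the Intel 5- to 9-series PCH register layout (BIOS_CNTL at LPC config offset 0xDC, FLOCKDN as bit 15 of HSFS at SPIBAR + 0x04) and uses constructed register readings, since it does not touch hardware itself.

```python
from dataclasses import dataclass

# Register layout assumed: Intel 5- to 9-series PCH (per Intel datasheets).
# BIOS_CNTL lives at LPC device 00:1f.0, config offset 0xDC.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash is writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # writes allowed only from SMM (6-series and later)
# HSFS lives at SPIBAR + 0x04.
FLOCKDN = 1 << 15  # locks the SPI protected-range registers until reset


@dataclass(frozen=True)
class FlashLockStatus:
    bios_write_enabled: bool
    bios_lock_enabled: bool
    smm_write_protect: bool
    spi_flockdn: bool

    def protected(self) -> bool:
        # Writable flag clear, BLE guarding it, and FLOCKDN set so the
        # protected ranges cannot be redefined. SMM_BWP is reported but
        # not required, because older chipsets do not implement it.
        return (not self.bios_write_enabled
                and self.bios_lock_enabled and self.spi_flockdn)


def decode(bios_cntl: int, hsfs: int) -> FlashLockStatus:
    """Turn raw BIOS_CNTL and HSFS register values into a lock status."""
    return FlashLockStatus(
        bios_write_enabled=bool(bios_cntl & BIOSWE),
        bios_lock_enabled=bool(bios_cntl & BLE),
        smm_write_protect=bool(bios_cntl & SMM_BWP),
        spi_flockdn=bool(hsfs & FLOCKDN),
    )


def lost_protections(before: FlashLockStatus, after: FlashLockStatus) -> list:
    """Name every protection present before sleep but missing after resume."""
    lost = [name for name in ("bios_lock_enabled", "smm_write_protect", "spi_flockdn")
            if getattr(before, name) and not getattr(after, name)]
    if after.bios_write_enabled and not before.bios_write_enabled:
        lost.append("bios_write_disabled")
    return lost


# Constructed sample readings: fully locked at boot, FLOCKDN gone after resume.
BOOT = decode(bios_cntl=0x22, hsfs=0xE008)
RESUME = decode(bios_cntl=0x22, hsfs=0x6008)

if __name__ == "__main__":
    print("protected at boot:", BOOT.protected())          # True
    print("protected after resume:", RESUME.protected())   # False
    print("lost after resume:", lost_protections(BOOT, RESUME))
```

On real hardware the raw values come from a firmware-inspection tool such as chipsec (its `common.bios_wp` and `common.spi_lock` modules test the same bits); run it once after a cold boot and once after waking from sleep and feed both readings to `lost_protections`.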
It's enough to make such a thing. Just lurk until it becomes writable, then make good use of it. Much simpler than stealing keys from the next VM over by cache-timing attacks, and we've seen those to be viable. So insisting on proof for what ought to be obvious is maybe a bit facetious.
This thing is also more indication that EFI actually makes peecees more insecure because there's another layer of software running with even more privileges than the OS itself, and it's closed-source firmware. Crappy firmware. Expect more holes to be found. Brought to you by the kings of gifts that keep on giving. And no, I don't mean just apple, far from it.
I see your education on Macs and OSX is so horribly outdated that your comment is essentially useless. Many do worry about it; this is why several virus scanner companies are making products for OSX. Hell, you can even get a free Avast for OSX. They would not even have bothered if people were not asking for it.
Do not look at laser with remaining good eye.
Note that "people" are probably CIO's of Fortune 500's.
As an engineer who was doing programming and systems work in engineering, I evangelized Linux for a decade and a half at a Fortune 250. When someone in IT finally took a look at it, they, of course, demanded that it have a virus scanner. (To be fair, this was near one of the really big Windows outbreaks.) One of the AV companies had actually released a Linux version, so I just calmly told him about it, and stroked his notion that Linux was actually ready for the desktop, even though I thought the whole idea a complete waste of time. In my opinion, cleaning up whatever MIGHT have been caused by a Linux infection would never have been worth the traded performance and administrative overhead of installing it and keeping it updated.
Seems to me that this scenario might be playing out again, as OS X is actually a viable corporate desktop now. Again, I don't think the level of risk warrants the level of cost, but that's not my call. Having a "corporatized" AV (like the Symantec monstrosity that frequently stalls this high-end Dell mobile workstation) is a checkbox that would open the door to corporate deployments of Macs.
Acts 17:28, "For in Him we live, and move, and have our being."