Macs Vulnerable To Userland Injected EFI Rootkits
Bismillah writes that a new vulnerability in recent Macs — and potentially older ones — can be used to plant code such as rootkits into areas of EFI memory that shouldn't be writeable, but become unlocked after the computer wakes up from sleep mode. The article explains that [The vulnerability] appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer.
Memory areas are normally locked as read-only to protect them.
However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.
FTFA:
The researcher who discovered the flaw, Pedro Vilaça, said the vulnerability can be used to (some examples) that is invisible to the operating system in the writeable flash memory
So to summarize: as a user, you can sometimes write to EFI memory.
That's currently all there is to it. There's no rootkit, there's no malware, etc. Just this space where you can hide and survive an OS wipe and reinstall.
I'm sure some will come up with a payload that uses this space to hide itself, no doubt about it. But currently, this is all there is to it.
Vilaça believes Apple is aware of the issue - his testing shows the flaw is not found in the firmware of Macs made after mid 2014.
That way it can't be overwritten by software. Or at least require an internal jumper to be set before any writes can happen. Any user updating their BIOS would be fairly experienced, so taking the lid off and setting a jumper wouldn't be a problem for them, and people who aren't technical could just take it to a store.
If I'm just harvesting nodes for my botnet, macs are pretty lousy targets, no more capable than PCs and substantially more obscure.
If I'm attacking systems for the data on them, or to MiTM/trojan/keylog the users of the systems, grab banking credentials and the like, Mac users are a conveniently self-selected group of people atypically worth harvesting. Sure, there are a bunch of underemployed baristas with degrees in Individuality using the MacBook Pro that mommy and daddy bought them to watch movies in their dorm room; but as a whole, thanks to the higher prices, users of OS X devices skew upmarket pretty substantially (iOS devices have some of the same effect, but much less, since at least an iPhone 5c or the like is probably available as the 'free'-with-usurious-contract model on most telcos).
If you are attempting a corporate/institutional intrusion, Macs vary in value: they are way, way less common, frequently absent entirely; but where they are present, their minority status often means very limited integration into the enterprise's legion of 'security' products, IDSes, and everything else that the Windows users complain is causing logins to take 30 minutes. This makes them handy 'beachhead' systems, especially if they are loaded up with Office, Adobe Malware Runtime, and similar stuff that may well have cross-platform or partially shared libraries of vulnerabilities, but much reduced vigilance on OS X clients.
Targeting OS X is tempting because 99% of all Mac users *know* that "Macs can't get infected" (the Apple salespeople told them so), and therefore they don't have any kind of antivirus installed.
At work, I daily deal with Mac users who get their mailaccounts hijacked because of infections. It takes roughly 10-20 minutes to convince them to download and run Avast or something like that, but it's worth the "oh....".
Out of interest, what "infections"? Do you have any examples? That's clearly a big issue if you're dealing with it daily. What infections are we talking about here?
Not that I'm doubting your story or anything.
(NECESSARY DISCLAIMER: I AM NOT CLAIMING THAT OS X CANNOT GET INFECTIONS)
Note that "people" are probably CIO's of Fortune 500's.
As an engineer who was doing programming and systems work in engineering, I evangelized Linux for a decade and a half at a Fortune 250. When someone in IT finally took a look at it, they, of course, demanded that it have a virus scanner. (To be fair, this was near one of the really big Windows outbreaks.) One of the AV companies had actually released a Linux version, so I just calmly told him about it, and stroked his notion that Linux was actually ready for the desktop, even though I thought the whole idea a complete waste of time. In my opinion, cleaning up whatever MIGHT have been caused by a Linux infection would never have been worth the traded performance and administrative overhead of installing it and keeping it updated.
Seems to me that this scenario might be playing out again, as OS X is actually a viable corporate desktop now. Again, I don't think the level of risk warrants the level of cost, but that's not my call. Having a "corporatized" AV (like the Symantec monstrosity that frequently stalls this high-end Dell mobile workstation) is a checkbox that would open the door to corporate deployments of Macs.
Acts 17:28, "For in Him we live, and move, and have our being."
If I had mod points, you'd have 'em. Institutional policy is the prime reason that AV exists for Macs. AV companies saw Macs coming into the workplace at greater rates due to the proliferation of iDevices and the frustration of using Windows 8 and decided a Mac version of their software might be profitable. No other reason than that. The primary marketing tactic from those companies was to protect your inbox so you didn't accidentally forward a PC virus along. In 8 years of Mac ownership, my AV (yes, I'm a Mac owner with AV on my system) has detected one PUP in an attachment auto-downloaded through my mail client, and the exploit was for Win32. Job done. AV works and serves its purpose.
Now, before the torches come out and the chants of "Fanboy!" start, I am sure someone out there somewhere has a Mac virus that could spread and wreak havoc. The darker parts of the Internet know about security exploits long before most /.-ers will. That said, I don't think this exploit will turn into a pandemic precisely because of the fact that >10% of computers are Macs. Hacking is a business, granted it is a criminal business, but business economics still apply, and writing an exploit for 10% is far less profitable than writing for 90% of users. Even if that 10% are totally security unaware.
At work, I daily deal with Mac users who get their mailaccounts hijacked because of infections. It takes roughly 10-20 minutes to convince them to download and run Avast or something like that, but it's worth the "oh....".
How are their mail accounts being hijacked? Because, seriously, I have never heard of a problem with that using OS X Mail.app.
I have been using Macs since they were Lisas, and OS X since the DP4 Public Beta, and have never heard of a Mac having a "hijacked" email.
Nothing stops someone from reselling your email address into slavery; but seriously, I have never heard of Macs being unwitting members in a Botnet, etc.
So, what exactly do you mean by "mailaccounts [sic] hijacked"? Citation, please.
I see your education on Macs and OS X is so horribly outdated that your comment is essentially useless. Many do worry about it; this is why several virus scanner companies are making products for OS X. Hell, you can even get a free Avast for OS X. They would not even have bothered if people were not asking for it.
99.99999999999999999999999999999999% of those people are ex-Windows "Switchers"; who simply CANNOT believe that a computer system doesn't need sixteen-factors of malware protection.
Sorry. The ONLY reason why those companies are providing those AV products is to serve the perennially paranoid.
I'm not saying that Macs CANNOT get viruses; but in over a DECADE of OS X, they just haven't. Period.