Macs Vulnerable To Userland Injected EFI Rootkits
Bismillah writes that a new vulnerability in recent Macs — and potentially older ones — can be used to plant code such as rootkits into areas of EFI memory that shouldn't be writeable, but become unlocked after the computer wakes up from sleep mode. The article explains that [The vulnerability] appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer.
Memory areas are normally locked as read-only to protect them.
However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.
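The article says the EFI flash is normally write-locked and that a sleep/wake cycle leaves it writeable, but it does not say what "locked" means in hardware or how a user would check it. The following is an added example, not code from the article or from Vilaça: it decodes the SPI-flash write-protection registers the way a firmware-security check (for instance chipsec's bios_wp module) does and reports whether the OS could write a given flash address. The register names and bit positions (BIOS_CNTL with BIOSWE/BLE/SMM_BWP, HSFS.FLOCKDN, the PR0..PR4 protected ranges) are the standard Intel PCH ones and are this example's assumption about the mechanism, since the article names none; the two register snapshots are constructed values, not dumps taken from a Mac.

```c
/* Added example (not from the article): decide from Intel PCH SPI-flash
 * lock registers whether the OS can write the firmware flash.  Register
 * names/bit positions follow Intel PCH datasheets as used by chipsec's
 * common.bios_wp check; the snapshots below are constructed, not real dumps. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BIOS_CNTL_BIOSWE   (1u << 0)   /* BIOS Write Enable */
#define BIOS_CNTL_BLE      (1u << 1)   /* BIOS Lock Enable: writes to BIOSWE trap to SMM */
#define BIOS_CNTL_SMM_BWP  (1u << 5)   /* SMM BIOS Write Protect: writes only from SMM */
#define HSFS_FLOCKDN       (1u << 15)  /* Flash Configuration Lock-Down: PRx become read-only */
#define PR_WPE             (1u << 31)  /* Protected Range: Write Protection Enable */
#define NUM_PR 5

struct flash_locks {
    uint8_t  bios_cntl;
    uint16_t hsfs;
    uint32_t pr[NUM_PR];
};

struct pr_range { bool wpe; uint32_t base; uint32_t limit; };

/* PRx layout: [31] WPE, [28:16] limit, [12:0] base, both in 4 KiB units. */
struct pr_range decode_pr(uint32_t v)
{
    struct pr_range r;
    r.wpe   = (v & PR_WPE) != 0;
    r.base  = (v & 0x1FFFu) << 12;
    r.limit = (((v >> 16) & 0x1FFFu) << 12) | 0xFFFu;
    return r;
}

/* BIOS_CNTL only protects the BIOS region when BIOSWE is clear AND BLE is set;
 * with BLE clear, any ring-0 code can simply set BIOSWE itself. */
bool bios_cntl_locked(const struct flash_locks *s)
{
    return !(s->bios_cntl & BIOS_CNTL_BIOSWE) && (s->bios_cntl & BIOS_CNTL_BLE);
}

/* A Protected Range only counts once FLOCKDN is set: before that, the same
 * code that would write the flash can clear the PRx register first. */
bool pr_locked_for(const struct flash_locks *s, uint32_t flash_addr)
{
    if (!(s->hsfs & HSFS_FLOCKDN))
        return false;
    for (int i = 0; i < NUM_PR; i++) {
        struct pr_range r = decode_pr(s->pr[i]);
        if (r.wpe && flash_addr >= r.base && flash_addr <= r.limit)
            return true;
    }
    return false;
}

/* True when neither mechanism stops a write to flash_addr from the OS. */
bool flash_writeable_from_os(const struct flash_locks *s, uint32_t flash_addr)
{
    return !bios_cntl_locked(s) && !pr_locked_for(s, flash_addr);
}

/* Constructed snapshots: the locks as firmware sets them at cold boot, and the
 * same registers after a resume from sleep that failed to re-apply them
 * (FLOCKDN and PRx do not survive S3 and must be re-set by firmware). */
const struct flash_locks cold_boot = {
    .bios_cntl = BIOS_CNTL_BLE | BIOS_CNTL_SMM_BWP,
    .hsfs      = HSFS_FLOCKDN,
    .pr        = { PR_WPE | (0x7FFu << 16) | 0x600u, 0, 0, 0, 0 },  /* 0x600000..0x7FFFFF */
};
const struct flash_locks after_resume = {
    .bios_cntl = 0, .hsfs = 0, .pr = { 0, 0, 0, 0, 0 },
};

static void report(const char *label, const struct flash_locks *s, uint32_t addr)
{
    printf("%-13s BIOS_CNTL=%02x HSFS=%04x PR0=%08x -> %#x is %s\n",
           label, s->bios_cntl, s->hsfs, s->pr[0], addr,
           flash_writeable_from_os(s, addr) ? "WRITEABLE from the OS" : "protected");
}

int main(void)
{
    uint32_t addr = 0x700000;   /* inside PR0 in the cold-boot snapshot */
    report("cold boot:", &cold_boot, addr);
    report("after resume:", &after_resume, addr);
    return 0;
}
```

The point of the two snapshots is the check itself: read these registers before sleeping, sleep for the twenty seconds the article mentions, read them again after waking, and compare. A machine is only safe if the second reading still shows BIOSWE clear with BLE set and FLOCKDN set with a write-protected range covering the firmware; a PR register that is set but not locked down, or a BIOS_CNTL with BLE clear, counts as writeable because the attacker can undo it before writing.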
FTFA:
The researcher who discovered the flaw, Pedro Vilaça, said the vulnerability can be used to (some examples) that is invisible to the operating system in the writeable flash memory
So to summarize: as a user, you can sometimes write to EFI memory.
That's currently all there is to it. There's no rootkit, there's no malware, etc. Just this space where you can hide and survive an OS wipe and reinstall.
I'm sure some will come up with a payload that uses this space to hide itself, no doubt about it. But currently, this is all there is to it.
Vilaça believes Apple is aware of the issue: his testing shows the flaw is not found in the firmware of Macs made after mid-2014.