Symantec says a critical vulnerability within some Apple Mac models could allow hackers to inject systems with persistent rootkit malware.
The security firm confirmed the existence of the security flaw late on Thursday. The flaw, called the Apple Mac OS X EFI Firmware Security Vulnerability, was originally disclosed last week by security researcher Pedro Vilaca.
The problem lies within Mac sleep mode. After Macs wake from this low-power hibernation, a flawed suspend-resume implementation leaves the flash protections on some Mac models unlocked.
In short, cyberattackers could, in theory, reflash the computer’s firmware in this time window and install Extensible Firmware Interface (EFI) rootkit malware.
This kind of virulent malware can be used to remotely control a system and potentially steal user data — and may not be eradicated even if a system wipe is set in motion.
While this attack is unlikely to affect users en masse, it could be exploited to spy on specific, targeted users with valuable data or accounts to share.
Symantec has confirmed the existence of the vulnerability and has rated the flaw as “critical” as it can provide “an attacker with persistent root access to a computer that may survive any disk wipe or operating system reinstallation,” according to the firm.
“The vulnerability could be remotely exploited by an attacker if used in conjunction with another exploit that provided root access,” Symantec says.
“While such vulnerabilities are not widespread, they do emerge from time to time. Once an attacker has root access, the only condition required for successful exploit is that the computer enter sleep mode.”
Vilaca claims the bug can be used with Safari or another remote vector to install an EFI rootkit without physical access, and the only requirement is that the computer is suspended within the session.
To date, Symantec has tested four different Mac computer models. The security firm found that the Mac Mini 5.1 and MacBook Pro 9.2 are vulnerable, whereas the MacBook Pro 11.3 and MacBook Air 6.2 are not affected. Vilaca’s tests verified that the MacBook Pro Retina 10.1, MacBook Pro 8.2, MacBook Air 5.1 and Mac Pro 9.1 are vulnerable. All computers tested ran Apple’s latest firmware versions. Vilaca commented:
“I’m pretty sure Apple is aware of the bug or at least it would be quite irresponsible from them to not test if their BIOS implementation was vulnerable to the Dark Jedi attack. I had no issues doing PoC tests with it but definitely needs other people to test it out (at least to find which other Macs are vulnerable).”
Until Apple issues a firmware patch to fix the security flaw, concerned users are advised to shut down their computers rather than put them in sleep mode.