Mac users exposed by zero-day vulnerability

Attackers able to overwrite firmware and gain persistent root access to computers

A critical vulnerability affecting most Apple Mac models has been discovered that could enable attackers to overwrite firmware and gain persistent root access to computers.

Security firm, Symantec, has confirmed in a blog post the existence of the Apple Mac OS X extensible firmware interface (EFI) security vulnerability.

It was originally disclosed by the firm’s security researcher, Pedro Vilaca, who discovered that a flawed energy conservation implementation left flash protections unlocked on the affected Macs after they woke up from sleep mode.

An attacker can reflash the computer’s firmware to install EFI rootkit malware.

Analysis by Symantec has confirmed the existence of this vulnerability by replicating the exploit as described.

The company rated the vulnerability as critical because it can provide an attacker with persistent root access to a computer that may survive any disk wipe or operating system reinstallation.

Kaspersky Lab chairman and chief executive, Eugene Kaspersky, said Macs were certainly vulnerable to cyberattacks but these sort of attacks were less common due to the difficulty in finding qualified Mac engineers.

“There are millions of Mac users and there is a big opportunity for cybercriminals to attack Mac,” he said.

“Microsoft built a great ecosystem around their products and technologies. They invested heavily in education for engineers. Apple, not so much.

“We are partners with both Apple and Microsoft and these companies behave in different ways. You do not need to knock on Microsoft’s doors, they are open.

"Apple is different, you have to knock, take a number, join the queue and wait. That’s why there are many more Windows engineers than Mac engineers.”

Symantec has also said that while such vulnerabilities are not widespread, they do emerge from time to time.

The weakness can be remotely exploited by an attacker if used in conjunction with another exploit that provided root access.

Read more: Free upgrade to Windows 10 for computers up to 6 years old

Once an attacker has root access, the only condition required for successful exploit is that the computer enter sleep mode.

Symantec said there had been no reports of the vulnerability being exploited in the wild. However, it did stress the likelihood of attacks will increase as news spreads.

Initial reports indicate that all but the latest 2015 models of Mac appear to be affected by the vulnerability.

The firm has tested four different Mac computers. The Mac Mini 5.1 and MacBook Pro 9.2 were found to be vulnerable. The MacBook Pro 11.3 and MacBook Air 6.2 are said to be unaffected.

In his own testing, Vilaca found the MacBook Pro Retina 10.1, MacBook Pro 8.2, MacBook Air 5.1 and Mac Pro 9.1 were vulnerable to the threat.

According to Symantec, until a patch for the vulnerability is issued, users who are concerned about being targeted are advised to shut down their computers instead of using sleep mode.

Affected Mac users are advised to keep their software up to date since remote exploit of this vulnerability needs to be performed in conjunction with another vulnerability that will provide remote root access.

The firm said updating software will prevent attacks using known exploits. Symantec said analysis of the vulnerability is ongoing and further updates may be published if new information is uncovered.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags kaspersky labsMaczero-day exploitsAppleeugene kasperskysymantecMicrosoftWindows

More about AppleKasperskyMacsMicrosoftSymantec

Show Comments

Market Place