Macs vulnerable to a new root kit

Jonathan-Lee-Cunningham-with-Audrey-II-in-LITTLE-SHOP-OF-HORRORS-at-Theatre-at-the-CenterOne of the side effects of Apple Macs becoming more popular is that their token security is getting increasingly tested.

For years, Apple users smugly claimed that there were was no malware for the Mac because of Jobs’ Mob’s superior technology, while saner types suggested that there were too few macs out there for Malware writers to bother with.

There was little point doing all that coding to break into a computer which only had a Coldplay collection and a Safari web browser. That appears to be changing with hackers keener to draft Mac users into botnets on the safe basis that they will never actually believe it has happened to them.

A security researcher has discovered a new vulnerability in Apple Mac computers could be used to remotely inject persistent rootkit malware into users’ computers, providing attackers with full-system level control,

The zero day appears to be due to a bug in Apple’s sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer.

Putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.

Pedro Vilaça, said the vulnerability can be used to remotely plant rootkits or persistent malware that is invisible to the operating system in the writeable flash memory, by using Apple’s Safari browser.

“A remote exploit could simply deliver a payload that will either wait or test if a previous sleep existed and machine is vulnerable, or force a sleep and wait for a wakeup to resume its work,” Vilaça told iTnews.

“After the BIOS protections are unlocked it can simply overwrite the BIOS firmware with something that contains an EFI rootkit and that’s it.”

Some extra steps may be required to achieve superuser privilege escalation to load kernel modules, but that’s not particularly complicated to do, Vilaça said.

Vilaça believes Apple knew of the issue because his testing shows the flaw is not found in the firmware of Macs made after mid-2014.  If he is right it means that Apple does not really care about those who do not upgrade their hardware every year.