A zero-day software vulnerability discovered deep in the firmware of many Apple computers could allows an attacker to modify the system’s BIOS and install a rootkit, potentially gaining complete control of the victim’s Mac.
The critical vulnerability, discovered by well-known OS X security researcher Pedro Vilaca, affects Mac computers shipped before mid-2014 that are allowed to go into sleep mode.
While studying Mac security, Vilaca found that it’s possible to tamper with Apple computer’s UEFI (unified extensible firmware interface) code.
UEFI is a low-level firmware designed to improve upon computer’s BIOS, which links a computer’s hardware and operating system at startup and is typically not accessible to users.
Vilaca found that the machine’s UEFI code can be unlocked after a computer is put to sleep and then brought back up.
“And you ask, what the hell does this mean?” Vilaca wrote in a blog post published Friday. “It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”
With the help of various vulnerabilities regularly found in Safari and other Web browsers, it is possible for an attacker to install a rootkit, a malware type that is hard to remove and almost undetectable by security solutions.
Only Solution — Don’t let your Computer SLEEP
The only defense users can do to not let their computers go into sleep mode and always shut it down, according to Vilaca.
The attack is somewhat similar to Thunderstrike disclosed late last year by researchers named Trammel Hudson that allowed modification of the UEFI by accessing a peripheral device connected to the Mac’s Thunderbolt port.
While both the attacks give attackers the same control over a vulnerable Mac, Vilaca claims that his exploit is more dangerous, as it could be possible to exploit remotely the bug, without need of brief physical access as Thunderstrike proof-of-concept exploit did.
“The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access.”
The security researcher successfully tested his exploit on a MacBook Pro Retina, a MacBook Air and a MacBook Pro 8.2, all running the Apple latest EFI (Extensible Firmware Interface) firmware available.
The security hole discovered by Vilaca only appears on Mac computers released before mid-2014, which suggests that the company was already aware of the security bug, and instead of patching, it left all the older machines vulnerable to hackers.
It seems that the researcher did not notify Apple before disclosing the vulnerability to the public, causing many technology companies to bristle.
Most of the tech companies argue that independent security researchers should report any security issue they discover before going public, so they can stop cyber criminals from taking advantage of those loopholes.
However, Vilaca clarified that he has no issue with Apple stating, “My goal is to make OS X better and more secure.”
Apple has yet to make an official statement on the matter.