Vulnerability of non-brand-new Macs (wake from sleep exploit)

[Sydde]

Ars reports on a pretty darn scary exploit that has the potential to write to EFI firmware. More serious than that, the exploit can be installed from userland, meaning there is no need to mess around with escalation-of-privilege.

This exploit has been shown to work on all Macs older than the most recent models and requires a wake-from-sleep event to expose the vulnerability. I am not clear on whether it will be possible for Apple to issue some kind of software or firmware fix for this issue, but it sure does not look like a situation that inspires confidence in the brand. Obviously, firmware meddling survive the old "nuke-and-pave" and escapes the notice of most security inspection software, so this could be a really big problem.

 

[H00513R]

Came across this 0 day blog post today with a couple of other sites picking it up and talking about it. Seems to be only machines prior to 2014. He recommends not keeping your Mac in sleep mode, but shutting it down after each use:

https://reverse.put.as/2015/05/29/t...r-mac-firmware-security-is-completely-broken/

 

[JamesMike]

Here is a portion of the article, but I would recommend reading entire article.

"By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system."

http://arstechnica.com/security/201...ost-macs-vulnerable-to-permanent-backdooring/

 

[QCassidy352]

This is very scary. As I understand it, the entire thing could be triggered remotely, no physical access ever required. Not good.

 

[eekcat]

How is this not on the front page yet?

 

[roadbloc]

So much for being secure.

 

[keysofanxiety]

Yeah I saw this post yesterday on MalwareBytes' Facebook page. Apparently it's due to the crappy security of the EFI 1.1, which means custom firmware can be installed on the Mac -- they don't have to be signed by Apple? Not sure if anybody can confirm this. And with it being firmware it means it'll be permanently exploited; wiping & reinstalling the OS won't do anything.

Boy I hope Apple know about this or have some existing protection to prevent this from happening.

 

[jamezr]

Wow.....
Everyone assumes Macs can't get hacked or get malware. Somehow security on Macs can't be compromised.


http://arstechnica.com/security/201...ost-macs-vulnerable-to-permanent-backdooring/

 

[z31fanatic]

Wow.....
Everyone assumes Macs can't get hacked or get malware.

Not everyone. Only the uninformed and the blind fanatics assume that.

 

[MacFever]

I'm very surprised that Apple seems to be taking it's time in releasing a fix for this...or did they know about it and said nothing which would require you to buy a new machine 2014 and onwards to keep the stocks up. It's unbelievable what seems to be the lack of urgency on Apple's behalf to address the issue that will backfire on them if they don't wake up from decorating the Moscone building. priorities are in reverse. Steve would not allow this to happen or continue without fix.

and the mac communities don't seem to really care. lol everyone is on about their phones/watches.

http://arstechnica.com/security/201...ost-macs-vulnerable-to-permanent-backdooring/

 

[sim667]

Good luck getting any wake from sleep working on macs with yosemite, apple totally trashed something that worked really well when yosemite was released.

 

[Sydde]

Does this mean that an enemy could brick your computer with minimal effort?

And, if Apple can issue a fix, will they allow it to be installed on the holdouts who still use 10.6?

 

[satcomer]

I practice now a better way to protect my Mac. I disconnect the Ethernet cable before sleeping the Mac Pro.

 

[Sydde]

Or you could use an iPad for all your browsing and airdrop any files you need onto the Mac.

 

[minifridge1138]

No word from Apple. This is getting sad...

 

[Mr. Retrofire]

No word from Apple. This is getting sad...

Apple updated the EFI firmware of all Early-2011 and newer Macs:
https://support.apple.com/en-us/HT204934

Download:
https://support.apple.com/en-us/HT201518

The firmware is only available for newer OS X versions (10.8.5+).

 

[minifridge1138]

Apple updated the EFI firmware of all Early-2011 and newer Macs:
https://support.apple.com/en-us/HT204934

Download:
https://support.apple.com/en-us/HT201518

The firmware is only available for newer OS X versions (10.8.5+).

That confuses me. A firmware update should be tied to the hardware, not the OS being run.

Edit: I just checked the firmware section of the 4,1 Mac Pro and it is unchanged. That makes me wonder if this is more of an OS patch than firmware update.

 

[Mr. Retrofire]

...Edit: I just checked the firmware section of the 4,1 Mac Pro and it is unchanged. That makes me wonder if this is more of an OS patch than firmware update.

It is a pure EFI update. And btw, your Mac is older than Early-2011, so that you do not get the EFI security update.

 

[Sydde]

It seems as though an OS patch might be appropriate, if the can close the post-sleep attack window (restart threads carefully or something) and prevent sleep from being initiated by just any old process.

 

[Mr. Retrofire]

@Sydde: I think the new firmware locks previously unlocked areas (some special CPU registers and the EFI firmware itself).

 

[subsonix]

More serious than that, the exploit can be installed from userland, meaning there is no need to mess around with escalation-of-privilege.

This isn't the case, later in the article this is mentioned: "To work, an exploit would require a vulnerability that provides the attacker with unfettered "root" access to OS X resources." so you'd still need to have an exploit and a way to escalate privileges to root.

The issue is that it's possible to update the firmware at all from the OS I believe.