Free Republic

Should you fear the latest Mac firmware exploit?
MacWorld.com | Jun 4, 2015 7:12 AM | Glenn Fleishman

Posted on 06/04/2015 5:37:57 PM PDT by Swordmaker

A security researcher has found what he says is a deep flaw that potentially affects all Macintosh Intel models made until mid-2014, when the error he discovered appears to have been fixed. The exploit would allow, in a very particular set of combined conditions, rewriting the boot-up firmware in a Mac to include persistent, malicious software.

Pedro Vilaca revealed the information without what is considered responsible disclosure in the security industry, in which an affected company or project is notified sufficiently far ahead of the release of information to allow them the potential to fix the problem. Apple isn’t always terrific about this, but looking at the list of credited, fixed security issues in its regular updates indicates it does accept and act on reports.

In an update, he posted a feeble excuse about why he didn’t tell Apple first. And I agree with his criticism about Apple not offering security patches for older Macs, some of which can’t run newer versions of OS X. Apple relies on how quickly Mac users upgrade OS X when it’s an option, the lifespan of older computers, and the increasingly small target of outdated Macs being worthwhile to attack.

However, some preliminary contact would have been nice to prevent tens of millions of Mac users from becoming targets before the full scope is understood and how easy it will be to exploit practically. There appears to be a bullseye, and if we’re lucky, it’s awfully hard to hit.

Give it the boot

No matter what sort of computer or mobile device you have, when it’s first fired up from a complete “off” state, not just standby, a boot process has to go through its paces. A relatively simple piece of software stored mostly or entirely in nonvolatile memory—flash or EEPROM or other storage that isn’t erased when power is removed—is executed, and that bootloader initializes hardware, may be able to interact with a keyboard or mouse, and finds the device with the operating system on it and prepares to load it and hand off control.

Macs are no different. Since the Intel transition almost a decade ago, Macs have used EFI (Extensible Firmware Interface), which is a more sophisticated successor to the long-running BIOS that booted IBM-compatible PCs, as they were once known. (Intel developed EFI, and contributed to the industry standard Unified EFI, or UEFI, which now boots nearly all new PCs.)

Apple uses a cryptographic signature to prevent firmware from being updated that the company didn’t provide. Last December, Trammell Hudson unveiled a Thunderbolt-related exploit he called Thunderstrike. (He’d been providing details to Apple for some time.) His exploit required physical access to a Thunderbolt port and relied on Thunderbolt firmware being loaded while an EFI update was underway. Apple fixed this in OS X 10.10.2.

Vilaca says his exploit results from Apple failing to lock down the EFI firmware after a Mac wakes from sleep. He was able to test enough systems to believe it affects only Macs from before mid-2014, although I expect we’ll get more information in the near future from other researchers and people who like to poke at this sort of problem.

The EFI could be rewritten to include every kind of snooping and zombie software, snatching all keystrokes and data or turning a computer into an unwitting slave in a distributed denial of service (DDoS) attack. Because the malware is in the EFI, reinstalling OS X or replacing the hard drive does no good. Thunderstrike showed how the system could be modified to prevent updated EFI from Apple from being installed as well.

Remote attacks seem unlikely

Vilaca noted that a remote exploit should be possible, though downplayed it, and I agree there. There’s a whole cascade of what would need to happen to first make it useful for an exploit to be created and then install it on unsuspecting Macs.

Any criminal enterprise interested in this exploit has to factor in two elements: how quickly will Apple patch it (if it’s ever patched) and how many potential target computers are there that could be exploited? There are conceivably tens of millions of older Macs, so that number is high. But if Apple releases a patch that works with Mavericks and Yosemite, that covers at least 80 percent of active Macs, and potentially more than 90 percent. That makes the yield likely too low to be worthwhile.

To take advantage of this exploit remotely, an attacker would have to either use an unpatched browser weakness or convince a user to install software with an administrative password. Judging by reports around free software that’s repackaged with adware and malware and hosted at popular download sites, users routinely give away the keys to the kingdom. But on what scale? Probably also not enough to be worthwhile for this kind of flaw.

Earlier this year, Kaspersky Labs claimed it found malware in hard-disk firmware—the boot and operation software used on hard drives to operate and interact with a computer system. They attributed this to a government actor, widely regarded as the NSA. It’s not improbable that this Apple EFI weakness, if it’s as described by Vilaca, could be or has been used to target individuals. But the risk on a broad scale seems highly unlikely.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; mac; macbook

1 posted on 06/04/2015 5:37:57 PM PDT by Swordmaker

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
Should you fear the latest Mac firmware vulnerability? Short answer: NO. Longer answer is still NO. As I said on the previous thread, this requires physical possession of your Mac to exploit the vulnerability, which always means they can pretty much do anything the invader wants to do with it. The possibility that a remote exploit is possible is, er, remote. — PING!


Apple Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

Let's get this FREEPATHON DONE. . . All Apple users, I challenge you to support Freerepublic with at least a $10 donation to keep our favorite conservative website operational so that we can make a difference in our beloved country. Best plan is to become a monthly or quarterly donor. Dig deep and let's make it happen!

2 posted on 06/04/2015 5:43:52 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
Pedro Vilaca revealed the information without what is considered responsible disclosure in the security industry, in which an affected company or project is notified sufficiently far ahead of the release of information to allow them the potential to fix the problem. Apple isn’t always terrific about this, but looking at the list of credited, fixed security issues in its regular updates indicates it does accept and act on reports. In an update, he posted a feeble excuse about why he didn’t tell Apple first. ...However, some preliminary contact would have been nice to prevent tens of millions of Mac users from becoming targets before the full scope is understood and how easy it will be to exploit practically.

Wow, major cheap shot and Apple bootlicking. This guy finds something EVERYONE missed literally for decades, and HE'S the one endangering tens of millions of Mac users by notifying them of it without first notifying Apple? Oh yeah, because everything must go to corporate Massa first, and then that monolithic non-responsibility corporation will, of "its" own initiative, when "it" decides to, without taking any responsibility and - heaven forbid - actually assigning any blame to any actual human beings, MAYBE let users know, depending on advice from its massive legal team.

And he even let Apple know that it's precisely BECAUSE of this imperious, calculated behavior multiple times in the past that he decided it could not be trusted with this information, for fear it would bury it.

So a little bootlicker writer is paid to claim that, AT THE SAME TIME, this investigator (not Apple, never Apple) endangered tens of millions of people by not kneeling first to Apple Corporate, over something Apple claims is actually no threat at all, nothing to see, move along, the odds are that the Great Pyramid will start flying around on its own before this flaw is ever exploited by anyone.

Both.

Thus, of course, proving Pedro Vilaca's point about how Apple covers its ass FIRST, and deals with any threats to users second.

3 posted on 06/04/2015 6:19:16 PM PDT by Talisker (One who commands, must obey.)

To: Swordmaker

I just got a message that I will get a free Windows 10 from Microsoft beginning on July 29.

I wonder why I was picked? It may be that I have a refurbished computer which now has had two Windows programs purchased for it. I guess they doubt I will buy another one plus this one may not last much longer.

The one I am using right now did not get the offer but it was bought new.


4 posted on 06/04/2015 6:53:35 PM PDT by yarddog (Romans 8:38-39, For I am persuaded.)

To: yarddog

Forget Windows 10, even if ‘free’, and put OSX into all of your PCs.

;)


5 posted on 06/04/2015 7:50:23 PM PDT by adorno (a)

To: yarddog
I wonder why I was picked? It may be that I have a refurbished computer which now has had two Windows programs purchased for it. I guess they doubt I will buy another one plus this one may not last much longer.

Windows 10 is going to be free for everyone for a while. It's not that you are special that they want to torture just you. They are a non-discriminatory torture company: they inflict their beta version on everyone.

6 posted on 06/04/2015 8:16:45 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Talisker
Wow, major cheap shot and Apple bootlicking. This guy finds something EVERYONE missed literally for decades, and HE'S the one endangering tens of millions of Mac users by notifying them of it without first notifying Apple? Oh yeah, because everything must go to corporate Massa first, and then that monolithic non-responsibility corporation will, of "its" own initiative, when "it" decides to, without taking any responsibility and - heaven forbid - actually assigning any blame to any actual human beings, MAYBE let users know, depending on advice from its massive legal team.

No, Talisker, you are wrong. The standard in the security industry is to inform the company who can fix the vulnerability before you publish the find so that hackers cannot do the very expensive damage they are noted for with a vulnerability that many of them are incapable of finding on their own. Vilaca broke the rules of proper behavior for such finds and those who published it did as well. The normal procedure is to give the publisher of the software approximately three months to address the issue before you go public with a zero-day vulnerability after you notify them. This asshat was in such a rush to announce it, he did not even bother to notify Apple before he made his presentation. . . no notice at all.

This means that there are millions of innocent people who could be hacked because he was arrogant. He IS the one who is endangering the tens of millions of users. Without him, this unfound vulnerability could have gone unfound for years more. . . or it could have been quietly fixed before the hacker community ever got wind of it and then announced, which is the normal way these vulnerabilities are handled. But NO, he had to have his fifteen minutes of notoriety instead of a footnote in security annals. He IS reprehensible.

7 posted on 06/04/2015 8:28:03 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: yarddog

I signed up also. Look forward to it too. I’ll keep my Win7 images handy, just in case.;-)


8 posted on 06/04/2015 9:17:04 PM PDT by TomServo

To: yarddog

I got that also. If it is free for a year I wonder why they are trying to get you to reserve it.


9 posted on 06/04/2015 9:23:07 PM PDT by Lurkina.n.Learnin (It's a shame nobama truly doesn't care about any of this. Our country, our future, he doesn't care)

To: Swordmaker
No, Swordmaker, you are wrong.

Industry standards are conditional, and he specified mistrust in Apple's honesty based on their past actions. That's his call. If Apple wants more trust, they should show more goodwill to earn it. Their mere desires comprise no moral law.

In addition, and as I already pointed out, you can't have it both ways. Either it is a vulnerability that is trivial, as you have already claimed, OR it is a serious screwup for which Apple should take full responsibility.

But blaming the investigator for a hideous crime while denying any seriousness is rank hypocrisy. It's also a false claim by Apple to be the arbiter of propriety, when in fact it was the mistrust generated by their own denial and arrogance that caused the general release of the information in the first place.

As I said before, it's a cheap shot by Apple.

10 posted on 06/04/2015 10:41:31 PM PDT by Talisker (One who commands, must obey.)

To: Talisker; Star Traveler; dayglored; Loud Mime; itsahoot; amigatec; PA Engineer; House Atreides; ...
Industry standards are conditional, and he specified mistrust in Apple's honesty based on their past actions. That's his call. If Apple wants more trust, they should show more goodwill to earn it. Their mere desires comprise no moral law.

That is not his call. . . and Apple has handled these vulnerabilities. If I had a Mac that were to get compromised by his release of this vulnerability, I would sue his ass, which is hanging out there in the wind by his irresponsible idiocy.

It does not matter how trivial a matter a vulnerability is, that again, is not his call. He cannot foresee how a criminal might use what he makes public. . . but his careless action can cause untold damage. . . because he wants his name in the press. A vulnerability in software is not a "screwup" and the publishers DO take responsibility and DO take action to fix it. There are protocols on how this is handled and publicly exposing it before you give the publisher a chance to fix it is NOT THE PROTOCOL.

As I said before, it's a cheap shot by Apple.

You are claiming something NOT in evidence at all. . . Apple has not said a single word on this issue. . . and you have no evidence this article was written at Apple's behest. Your claim that an independent journalist's opinion article is somehow in Apple's pocket or otherwise doing Apple's bidding without a shred of evidence is the cheap shot.

But, then, we've come to expect that kind of delusional opinion from the Anti-Apple Hate Brigade on FreeRepublic, always attributing reprehensible conduct on Apple's part regardless of reality.

11 posted on 06/04/2015 11:03:40 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Oh stuff it. I no more hate Apple than I hate waterfalls. Apple is a giant mega corp that acts like one. You seem to be the only one that doesn’t know that. And as for it not being his call, and you “suing” him, you’ve got nothing to back that up - zero. No law, no legal requirement, nothing. But it doesn’t even occur to you that Apple remains quiet BECAUSE of their potential legal liability. Instead you want to hang the whistleblower.

Apple IS waging a blame-the-messenger campaign through third parties to skew public opinion here. This whole argument came from Apple legal, because at long last Apple’s claims of impenetrable purity have been breached - and shown to have been breached all along. And it brings up questions about why Apple never discovered it themselves, and who would have been responsible for such in-house analysis - and if they knew and covered it up.

You think this kind of thing isn’t valuable to the government? There are all sorts of angles here, serious ones that deserve discussion. Keeping Apple on some sort of pillar of innate morality is puerile and insulting. The investigator DID NOT TRUST APPLE TO FIX IT OR ADMIT IT. Period.

Deal with it.


12 posted on 06/04/2015 11:16:31 PM PDT by Talisker (One who commands, must obey.)

To: Talisker
The investigator DID NOT TRUST APPLE TO FIX IT OR ADMIT IT. Period. Deal with it.
If the standard is three months' notice, what kind of baby are we talking about who has to endanger my system (it happens that I got a new one for Christmas, but . . .) by seizing his 15 minutes of fame before there was any possibility that Apple would fix it?
It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds
This guy didn't ever try to do what Jobs et al. have done in making the Mac - but he places himself above them all - in his mind at least - and shows that he is "so wonderful" that he is able to find - after years of looking no doubt - a flaw. Do you understand, he found a flaw in work that a major corporation did!!!! I think we should give him a billion dollars, don't you?!! </sarcasm>

At least he didn't - so far as we know - undertake to create malicious software and propagate it for profit.


13 posted on 06/05/2015 5:25:59 AM PDT by conservatism_IS_compassion ('Liberalism' is a conspiracy against the public by wire-service journalism.)

To: Talisker; Star Traveler; dayglored; Loud Mime; itsahoot; amigatec; PA Engineer; House Atreides; ...
Apple IS waging a blame-the-messenger campaign through third parties to skew public opinion here. This whole argument came from Apple legal, because at long last Apple’s claims of impenetrable purity have been breached - and shown to have been breached all along. And it brings up questions about why Apple never discovered it themselves, and who would have been responsible for such in-house analysis - and if they knew and covered it up.

Apple has no reason to "blame the messenger" in this issue. The fact is that YOU seem to have to have Apple act reprehensibly in every issue. This guy is not the FIRST to be blamed for doing similar things in the security world for unethically revealing vulnerabilities before telling the producer about what he's found. . . and the ethical white hats all find it reprehensible. . . and the press pound on them too. It has NOTHING to do with Apple waging a "Blame-the-messenger campaign" which gains them absolutely nothing except in your delusional world where Apple has to be perfect for "fanbois." Nothing could be further from the truth. For Apple it IS about user experience and security.

Apple FIXES the problems that need fixing. . . and files the proper reports on those fixes. You can check those filings. His paranoia and distrust is just that. . . and it seems to match your delusions in believing him and that there is some kind of cabal of pundits that do Apple's bidding in a campaign to malign the messenger.

Your hatred of Apple can be seen in your posting history on these threads and your instant assumption of venality on the part of Apple on any question. In this instance, your vehement defense of your position that Apple is running an instant campaign to smear this "researcher" without any evidence is proof of your bias more than evidence of Apple's campaign.

Deal with that!

14 posted on 06/05/2015 8:02:49 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

bkmk


15 posted on 06/05/2015 3:18:02 PM PDT by AllAmericanGirl44

To: Swordmaker; Star Traveler; dayglored; Loud Mime; itsahoot; amigatec; PA Engineer; House Atreides
Your hatred of Apple can be seen in your posting history on these threads and your instant assumption of venality on the part of Apple on any question. In this instance, your vehement defense of your position that Apple is running an instant campaign to smear this "researcher" without any evidence is proof of your bias more than evidence of Apple's campaign.

LOL, you need to take a pill. And while I don't recall discussing this issue with Star Traveler, dayglored, Loud Mime, itsahoot, amigatec, PA Engineer & House Atreides, you're welcome to copy them if you feel the need for backup.

Once again, however, I do not "hate" Apple, and my "posting history" on this subject shows no such thing. I happen to like Apple products a lot, have used them for almost thirty years, and even worked at the company and met my wife there, who was on the original Mac rollout team. So to say that you're full of it, is a major understatement.

However when necessary, I will indeed continue to criticise the hell out of the gigantic multinational corporation that thinks it's a god of perfect purity. You betcha I will. And if that gives you fits, see a doctor. You've obviously personalized Apple to an extreme degree, and trust me when I say I've seen it before, and it's not healthy. I hope you're an Apple employee or contractor, because otherwise you've got a problem and need to see someone about it. It's a company - it's not your lover. Grow up.

16 posted on 06/05/2015 9:03:06 PM PDT by Talisker (One who commands, must obey.)

To: conservatism_IS_compassion

The investigator DID NOT TRUST APPLE TO FIX IT OR ADMIT IT. Period. Deal with it.


17 posted on 06/05/2015 9:11:58 PM PDT by Talisker (One who commands, must obey.)

To: Talisker; Swordmaker
Talisker: I do hope you don't mind my jumping in here for just a moment, after our little exchange on for-q's other thread. Your comment here caught my eye; it's very interesting:

> ...I happen to like Apple products a lot, have used them for almost thirty years, and even worked at the company and met my wife there, who was on the original Mac rollout team. So to say that you're full of it, is a major understatement... However when necessary, I will indeed continue to criticise the hell out of the gigantic multinational corporation that thinks it's a god of perfect purity. You betcha I will. And if that gives you fits, see a doctor...

Regardless of your swipe at Swordmaker, I find your characterization of Apple curious. If you'll permit me a question...

You worked for Apple, quite some time ago I infer, though you don't say when or why you left or under what circumstances. And you say that Apple "thinks it's a god of perfect purity". Well, they do have a reputation of striving for perfection, one of the defining differences between them and Microsoft, for instance -- you may recall that famous quote from Ballmer's team, that they had no intention of fixing all the bugs in XP because their goal wasn't "getting it right", but instead they wanted to "get it good enough" that the users would buy it and that was that.

Anyway, you seem to be really unhappy with Apple's corporate culture or attitude. I sense a lingering, smoldering grudge or something, that is eating at you even though you still buy their products. Can you tell us who in particular at Apple got your goat so thoroughly? Or if not, what happened that caused you to part company with them?

18 posted on 06/05/2015 9:28:12 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored
I sense a lingering, smoldering grudge or something, that is eating at you even though you still buy their products.

That's very sensitive of you. I can't tell you how long I've waited for someone who could truly understand. The years of bearing it all alone, the dark nights, the rainy afternoons, bleak walks along the rocky shore...


19 posted on 06/05/2015 9:51:53 PM PDT by Talisker (One who commands, must obey.)

To: Talisker; Swordmaker

“LOL, you need to take a pill. And while I don’t recall discussing this issue with Star Traveler, dayglored, Loud Mime, itsahoot, amigatec, PA Engineer & House Atreides, you’re welcome to copy them if you feel the need for backup....”
************************************************************************************************************

You are so funny...don’t you understand that the names you mention are on the Apple ping list..and we want to be notified of Apple threads and postings in case they contain something of interest to us.

As to Swordmaker feeling the need for backup, I think that feeling has never come to him as he responds to you. Judging solely by your back and forth with Swordmaker, he has you by about two standard deviations in basic intelligence. And he certainly is far more knowledgeable than you.


20 posted on 06/05/2015 10:02:19 PM PDT by House Atreides (CRUZ or lose!)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
