Apple vulnerability could allow firmware modifications, researcher says

IDG news Service ^ | June 1, 2015

[Swordmaker]

A zero-day software vulnerability in the firmware of older Apple computers could be used to slip hard-to-remove malware onto a computer, according to a security researcher. Pedro Vilaca, who studies Mac security, wrote on his blog that the flaw he found builds on previous ones but this one could be far more dangerous. Apple officials could not be immediately reached for comment. Vilaca found it was possible to tamper with an Apple computer's UEFI (unified extensible firmware interface). UEFI is firmware designed to improve upon BIOS, which is low-level code that bridges a computer's hardware and operating system at startup. The UEFI code is typically sealed off from users.

But Vilaca wrote that he found the code is unlocked after a computer goes to sleep and reawakens, allowing it to be modified. Apple computers made before mid-2014 appear to be vulnerable. Vilaca wrote it is then possible to install a rootkit, a type of malware that is hard to remove and nearly undetectable by security products. The only defense is to not let the computer sleep and always shut it down, Vilaca wrote. t EFI firmware available.

Newer machines, however, were not vulnerable, which Vilaca wrote led him to suspect that Apple fixed the problem in later models but didn't patch older computers. It appears that Vilaca did not notify Apple before disclosing the bug, something that causes many technology companies to bristle. Most companies advocate that independent researchers notify them before going public so attackers cannot take advantage of software problems before a patch is ready. Vilaca wrote, however, that he has no beef with Apple. "My goal is to make OS X better and more secure," he wrote. Vilaca isn't the only researcher looking closely at Apple's firmware.

[jonno]

Sounds like a feature to me...

[Swordmaker]

Thunder strike vulnerability rises it's head again. . . This time on wake. It still requires physical possession of the computer, although the researcher claims it may be capable of remote execution, although I don't see how it would work when the Thunderstrike works with a malicious thunderbolt device. — PING!

Apple security Ping!

If you want on or off the Mac Ping List, Freepmail me.

I challenge the members of the Apple ping list to each donate at least $10 each to the latest Freepathon. I HAVE donated $100. Many members of the Apple Ping list are already rising to the challenge. Join them. Let's show the power of the Apple Ping list in supporting Freerepublic!

If you have ordered an Apple Watch,
MAKE A DONATION TO THE FREEPATHON!

[The_Victor]

Apple users line up around the block to upgrade every time Apple introduces a new color for the iPhone. Does anyone actually use “older” Apple computers?

[dfwgator]

MacBooks last a long time, and even used ones are not cheap.

[martin_fierro]

I’m still using an old G4 eMac (which an OS reinstall helped speed up — thanx Swordy!)

[The_Victor]

What's funny is that as eager as Apple users are to get the latest and greatest product, Windows user are the opposite (terrified beyond comprehension?) when Windows offers an upgrade. Does anyone want to be the Windows 10 guinea pig?

[Hardslab]

the 2009 mac pro can be upgraded with the 2010 firmware, and then the CPUs can be replaced with dual 6 core x5690 (for 12 cores at 3.46ghz, 24 threads) that have a geek bench score of 30,000 which is virtually equal to the power of the maxed out top of the line current model MacPro (aka: trash can). And you can use regular PCI-e video cards that outperform the built in cards of the new version.

So yes, people use old macs, not just because it saves money, (saves around $5000 between an upgraded 2009 and an equivalent new one) Macs hold their value far better and longer then PCs.

[__rvx86]

I already am. Windows NT 10.x is at build 10130—it goes gold on 29 July.

(Unlimited Internet plan F/T/W: The DVDs are ~3GB, updated every 8.2 days, and may accelerate as the release date gets closer)

So far, it’s quite good. Anyone using Windows 7 presently will not feel too far out of place in Windows 10.

[The_Victor]

I like Win 7, and 8.1 is OK but I usually go straight to the desktop. I saw one of the Win 10 threads a few minutes ago. There more than a few "No way I'm upgrading" responses.

I'll give it a few months for the bugs to get worked out, then upgrade. Sounds like the upgrade is free, so the price is right.

[Svartalfiar]

What's funny is that as eager as Apple users are to get the latest and greatest product, Windows user are the opposite (terrified beyond comprehension?) when Windows offers an upgrade. Does anyone want to be the Windows 10 guinea pig?

Apple did a great job convincing their users to be the beta guinea pigs! One of the big problems with Microsoft upgrades is that people get used to something good (like XP), then Microsoft has to go and change everything, moving buttons around, giving you a phone-style desktop, and all sorts of stupid changes. Annoying.

[TheBattman]

My current MacBook Pro (typing this response on it) is “Mid-2010”. Works great! Running Yosemite (actually - I’m in the pre-release program - so running “bleeding-edge” OS).

One of our other household computers still used regularly is a Dual G5 PowerMac... I bought it used not long before the PowerPC was dumped for Intel Inside... Other than a rapidly disappearing pool of current software, it still runs great - and is surprisingly nimble.

[TheBattman]

How will Apple address this (or WILL they?). This will definitely be another test case for Apple vs Consumers. I fear this will be another excuse used to just cut off ongoing support (including in the OS) for anything more than 3 years old?