Just sandbox all browsers and implement a thorough scan of anything downloading. Sandboxing the user folders would also help. Access to system folders should require a password.

Assuming the user is stupid (a good percentage of people) and just keys the password in anyway renders your ideas useless.

Apple needs to do security better across OS X & iOS and quickly. That means plugging holes faster and stop being so damn lazy and treating security as a low priority.
 
I'm not going to dig into it, so if anyone else knows, does this exploit bypass the Thunderstrike fix that was introduced in 10.10.2? From brief reading, it looks like Apple patched at least one of the five issues being exploited (in that specific case), so I'm curious to know if it actually requires all five vulnerabilities to work and that fix was not good enough, or if the four remaining were enough.

Also interesting, and not mentioned but worth bringing up: an exploit like this will need to take advantage of a lot of different holes on different layers to the OS, the first seeming to be an exploit in WebKit (which is pretty high level) before being able to affect the firmware.
 
Err, no it won't. We all know how rubbish Apple is when it comes to security so if you think El Capitan will make your Mac bulletproof then you need to get some help.
Windows and Android both have EXTREME vulnerabilities, not limited "proof of concept but nobody has actually seen it" stuff. OS X El Capitan already patched this. It's been demonstrated.
 
The details are quite lacking and any downloaded file or "malicious web page" is still going to require the user to give permission to execute the firmware updater. It's not like it can execute code without user permission first. Being able to install from an infected device is the only real danger here. That would require Apple to inspect the option ROM before executing it and I expect that is what will happen. As to Apple security programmers being rubbish I think you might be misled.
 
Assuming the user is stupid (a good percentage of people) and just keys the password in anyway renders your ideas useless.

Apple needs to do security better across OS X & iOS and quickly. That means plugging holes faster and stop being so damn lazy and treating security as a low priority.
Their security is waaaaaaaay ahead of Android and Windows. What did I read the other day? 950 MILLION Android devices open to remote hacking? By a video that you don't even need to watch? That's crazy
 
I'm glad these researchers help Apple the way they do. Just wanted to say thanks for helping keep OS X the most secure OS on the planet.
 
El Capitan will take care of them. Piece of cake. Good job, researchers! Make Apple's life easier and keep on researching!

Does rootless mode coming in El Capitan make this moot? (At least being done remotely)

Err, no it won't. We all know how rubbish Apple is when it comes to security so if you think El Capitan will make your Mac bulletproof then you need to get some help.

Sounds to me like Apple will need to provide a few firmware updates in addition to OS security code changes to rectify this.

Hopefully, Apple provides users that are not planning on upgrading immediately some relief as well. As scary as this can be it is good that security researchers are keeping companies like Apple on their toes and continuously looking for areas to improve.
 
No it won't. If you think it does can you give us a source?
He meant that with this issue suddenly becoming public, Apple will most likely have a fix out for when El Capitan is released to the public (hopefully).
 
Obviously, security is always a concern... however, people can go on to say Apple is lazy about security and don't take threats seriously... which I'm sure is rubbish. I think all reputable companies take it seriously... they have to or we'd all be compromised by now and no one would use a PC of any kind.

I just hope someday there's some sort of breakthrough in security for OSes and computers. It's already out of control with user authentication and how locked down some companies keep their PCs in order to keep them as safe as possible from malware and viruses. Plus, as a developer, it's becoming more and more difficult to provide a clean and easy user experience for one of our solutions because of all the end user authentication needed to install different parts.

Anyway... Pro Apple or Anti Apple, the results are all the same... it's a constant uphill battle for anyone in the industry.
 
Two questions:

1. Anybody else find that bloke hard to understand? He seems to speak quite quickly, while slightly slurring his words. Might not be an issue if you're familiar with the accent, but a foreign accent plus poor articulation makes it a bit tricky at times.
2. What are the risks? I assume it can stop your machine booting, maybe cause hardware damage, but does it potentially allow access to data?
 
Oh...crap.

I'm guessing this isn't possible if you only get apps from the app store and also impossible without having you enter your acct password. So just visiting a web page won't cause the infection, but installing something will.

Working in IT, I've seen the biggest easiest way to fool people into installing things is with Flash. Since Adobe has updates every 10 minutes, everyone is used to just "updating" their crap.
 
The details are quite lacking and any downloaded file or "malicious web page" is still going to require the user to give permission to execute the firmware updater. It's not like it can execute code without user permission first. Being able to install from an infected device is the only real danger here. That would require Apple to inspect the option ROM before executing it and I expect that is what will happen. As to Apple security programmers being rubbish I think you might be misled.

It sounds like they're using a patched exploit (but an exploit, nonetheless) in WebKit in order to run the code behind a user's view and with escalated privileges, requiring no password.

However, the focus isn't on "how the user got there", it's about the ability to write firmware when you're "there". There will be bugs at higher levels that are more numerous, unpredictable, and potentially giving lower level access, but the fact that if any of those higher levels are exploited, the firmware is exposed through the single and common exploit (which is a combination of 4-5).
 
Apple enthusiasts busy defending Apple, while living in complete denial about the risks, are just what Apple counts on, so they can push security down their list of priorities.
While their Mac is more vulnerable than a Windows PC.
 
He meant that with this issue suddenly becoming public, Apple will most likely have a fix out for when El Capitan is released to the public (hopefully).

That's something else than he said. Also, if you read the article, multiple security issues have been made aware to Apple and yet they haven't fixed it.
 
It sounds like they're using a patched exploit (but an exploit, nonetheless) in WebKit in order to run the code behind a user's view and with escalated privileges, requiring no password.

However, the focus isn't on "how the user got there", it's about the ability to write firmware when you're "there". There will be bugs at higher levels that are more numerous, unpredictable, and potentially giving lower level access, but the fact that if any of those higher levels are exploited, the firmware is exposed through the single and common exploit (which is a combination of 4-5).

This is what it sounds like to me as well, but the Wired article was poorly written so I'm not sure. I'll withhold judgement until the Black Hat presentation.

However, it definitely illustrates the foolishness of passing off local exploits as unimportant, which some on this forum always do. "Local" doesn't mean someone literally sitting at your machine; it can also mean someone with remote access through some other exploit.
 
I'm glad these researchers help Apple the way they do. Just wanted to say thanks for helping keep OS X the most secure OS on the planet.

OS X won the prestigious "Most Vulnerable Operating System" trophy for 2014 with iOS not far behind.

http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/
http://www.neowin.net/news/mac-os-x-and-ios-top-2014-security-vulnerability-list
http://www.networkworld.com/article...rating-systems-in-2014-ie-wins-worst-app.html
http://www.zdnet.com/article/mac-os-x-is-the-most-vulnerable-os-claims-security-firm/

Makes us look stupid for all the times we've told everyone else how robust & secure OS X is, sorry I meant was.
 
There was a time when Apple was more secure than the venerable PC. But that was then, and this is now. Times change and things change, yet some myths continue to be kept alive and propagated by the faithful. "It just works" comes to mind when speaking of myths. Sadly Apple didn't keep that one alive.
 
Correct me if I'm wrong, but this doesn't necessarily sound like a worm to me.

They didn't describe how this works really - they said that malicious code can be delivered via email or a website... And then what? It still needs to be run, does it not? It won't just automatically run itself, will it?

That means it's a Trojan, not a worm, right? The only precaution a user needs to take is not running code that they shouldn't trust, and by default since Mountain Lion, you can't run unsigned code because of Gatekeeper, right?

The fact this installs itself at the firmware level is alarming as it means that a single slip up results in that hardware forever being infected (unless you have the equipment to flash the ROM, plus an uninfected copy of the firmware on an uninfected machine, which I would guess extremely few people do). But don't make this up to be something it isn't - it is a Trojan so it requires the same precautions as always.
 