Oh please. Where is Windows XP? Why is each Windows version separate? Where is Android with that massive MMS flaw that 950 million devices are vulnerable to? Most of which the carriers and vendors will NOT update.
...

Yeah, dude! Where is Mac OS 9? What about Mac OS 7?!
 
Is this really a threat? Is there anything common users should do?

Other than not using your mac? No. The advice is don't go to nefarious web sites, or open attachments. Of course, you could also get infected just visiting normal web sites. Who knows, maybe you already got it from this site. What better place for a hacker to infect mac users than a mac web forum!
 
There's nothing incorrect about this grammar. It's just technically ambiguous.

Ermm, yes there is:

"First Firmware Worm Able to Infect Macs Created by Researchers"

Should read:

"First Firmware Worm Able to Infect Macs, Created by Researchers"

The comma COMPLETELY changes the context.


Source: I am English, born in England, living in England - the SOURCE of ENGLISH.
 
Ermm, yes there is:

"First Firmware Worm Able to Infect Macs Created by Researchers"

Should read:

"First Firmware Worm Able to Infect Macs, Created by Researchers"

The comma COMPLETELY changes the context.


Source: I am English, born in England, living in England - the SOURCE of ENGLISH.
There's no verb in the sentence anymore if you add the comma, so the second one is actually incorrect. If you aren't trying to qualify it as a sentence, the second phrase is unambiguous, but the first one is still grammatically correct; there's no grammatical rule against forming sentences with ambiguous meanings. I'm American-born, and I'm not going to get into which version of English is the "proper" one. :p Anyway, the rules for this are the same AFAIK.
 
Ermm, yes there is:

"First Firmware Worm Able to Infect Macs Created by Researchers"

Should read:

"First Firmware Worm Able to Infect Macs, Created by Researchers"

The comma COMPLETELY changes the context.


Source: I am English, born in England, living in England - the SOURCE of ENGLISH.

Interesting. As a Portuguese speaker, I find the lack of commas in English sentences annoying. Maybe I read American English too much.
 
So they are saying that they have made a firmware worm (a software) and they can put it on a website (software) and when you visit it with a browser (sandboxed software) it can infect the system on the firmware level (still software).
Then they are saying you can't remove the worm with software updates and it needs to be done at hardware level!!!
Yeah right! If they can overwrite a part of firmware to infect the system I'm sure Apple can overwrite it for a fix too.
It's only logical.
 
Anyone know if the 2007 27 inch iMac is susceptible to this? It doesn't have a Thunderbolt connection, but the article says this can affect Macs via a shady website.
 
Anyone know if the 2007 27 inch iMac is susceptible to this? It doesn't have a Thunderbolt connection, but the article says this can affect Macs via a shady website.

The Thunderstrike 2 vulnerability won't affect you at all. The DYLD bug will affect you only if you are running a version of Yosemite. That bug is being fixed in 10.10.5, although there's currently no release date for that yet. You would have to download something and run it to become infected, although you wouldn't be required to enter a password as that is what the vulnerability (privilege escalation bug) does. No one can currently be infected by just visiting a website.
 
The Thunderstrike 2 vulnerability won't affect you at all. The DYLD bug will affect you only if you are running a version of Yosemite. That bug is being fixed in 10.10.5, although there's currently no release date for that yet. You would have to download something and run it to become infected, although you wouldn't be required to enter a password as that is what the vulnerability (privilege escalation bug) does. No one can currently be infected by just visiting a website.


Ok thanks, though if you don't mind me asking - how do you know the 2009 iMac won't be affected at all? I'm not worried about the Day Zero bug.

And no website can currently infect due to the malware merely being proof of concept at this point in time?
 
Ok thanks, though if you don't mind me asking - how do you know the 2009 iMac won't be affected at all? I'm not worried about the Day Zero bug.

And no website can currently infect due to the malware merely being proof of concept at this point in time?

Your machine needs a Thunderbolt interface to be vulnerable to the Thunderstrike 2 bug. Thunderbolt wasn't released until 2011. USB can't be used as an infection vector as it doesn't have an option ROM.

The DYLD zero day exploit can't be used to infect directly without you downloading and running an app. This is because there isn't currently an exploit that it can be combined with to allow a drive-by attack to succeed. As long as you stick to installing software from vendors you trust, you and everyone else should be fine. That's not to say it doesn't need patching, and it will be in 10.10.5.
 
Your machine needs a Thunderbolt interface to be vulnerable to the Thunderstrike 2 bug. Thunderbolt wasn't released until 2011. USB can't be used as an infection vector as it doesn't have an option ROM.

The DYLD zero day exploit can't be used to infect directly without you downloading and running an app. This is because there isn't currently an exploit that it can be combined with to allow a drive-by attack to succeed. As long as you stick to installing software from vendors you trust, you and everyone else should be fine. That's not to say it doesn't need patching, and it will be in 10.10.5.


It's this that's clashing with what you're telling me -

" Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. "


Or is TS2 not even out in the wild yet so there's really nothing to worry about?
 
Do you not think that the antivirus/antimalware companies employ people to find holes?

Hard to tell. Thunderstrike 2 is not a "virus" by traditional meanings. It's a conceptual attack at the hardware level, which will infect the machine even BEFORE the OS (and anti-virus software) is loaded. It's the first of its kind that will spread through the Thunderbolt controller, but it's not the first firmware worm humans have ever created.

Several years ago, some lab geeks at Symantec discovered a generously designed firmware worm that breaches PLCs (Programmable Logic Control, widely used in industrial automation control) to slow down, or even destroy, the production line. That worm will first infect Windows PCs through USB exploits, and then it will search the local network for victim PLCs and overwrite their firmware.

The origin of that PLC worm is unknown, but rumors say it was created for the nuclear issue of Iran.
 
It's this that's clashing with what you're telling me -
" Thunderstrike 2, unlike the first demonstration of Thunderstrike, is able to infect a Mac remotely through a malicious website or email. "
Or is TS2 not even out in the wild yet so there's really nothing to worry about?

It doesn't clash with anything. TS2 is able to infect a Mac through malicious executables, just like what we do when we upgrade Mac firmware. The attackers could leverage DYLD exploits in their code to skip the permission-granting step, but before that, these malicious executables need to be launched first.

A malicious executable won't launch itself automatically simply by browsing a website or opening an attachment. You'll still need to manually disable Gateway protection, launch that mimic application, and click "OK" when the system warning message pops up.
 
It doesn't clash with anything. TS2 is able to infect a Mac through malicious executables, just like what we do when we upgrade Mac firmware. The attackers could leverage DYLD exploits in their code to skip the permission-granting step, but before that, these malicious executables need to be launched first.

A malicious executable won't launch itself automatically simply by browsing a website or opening an attachment. You'll still need to manually disable Gateway protection, launch that mimic application, and click "OK" when the system warning message pops up.


The article simply says "visiting or opening a malicious website or e-mail can infect your machine" - and said nothing about having to have the user do something in order for the firmware to get infected/overwritten.

Thus the confusion. So what you're saying is I would have to manually do something to allow the firmware attack to occur and overwrite my firmware?
 
I believe there are actually 2 bugs being discussed.
1) A process running without root/sudo permissions is able to read/write/execute any arbitrary file.
2) A corrupted firmware file can spread to and from a thunderbolt accessory and the firmware embedded in your Mac.

The "perfect storm" is the combination of the two. A bit of malicious software writes the corrupted firmware to your machine without needing your password. That malicious firmware is than "installed" on your Mac. From there it can spread to other macs by corrupting the firmware in thunderbolt cables/accessories.

For machines that do not have thunderbolt, there is no need to worry about #2.
For #1, it sounds that Apple already has a fix implemented in OS X 10.11, but that isn't out yet for GA.
 
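The post above sorts the discussion into two separate issues: the Thunderbolt option-ROM path (only reachable on a machine that has a Thunderbolt bus) and the Yosemite DYLD privilege-escalation bug (said in this thread to be fixed in 10.10.5). The following triage helper is an added example written for this thread, not code from the thread, the researchers, or Apple. It assumes the machine's details come from `sw_vers -productVersion` and `system_profiler SPHardwareDataType` / `SPThunderboltDataType`; the output layouts embedded below (the `Boot ROM Version:` line, the `Thunderbolt Bus:` heading, and the "no devices" text) are constructed samples, and the exposure rules encode only what the posts in this thread state.

```python
import re

# Constructed sample of `system_profiler SPHardwareDataType` output.
# The field layout is assumed; replace with real output when using it.
SAMPLE_HARDWARE = """Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac9,1
      Boot ROM Version: IM91.008D.B08
"""

# Constructed sample of `system_profiler SPThunderboltDataType` output
# for a machine that has a Thunderbolt bus (layout assumed).
SAMPLE_THUNDERBOLT_PRESENT = """Thunderbolt:

    Thunderbolt Bus:

      Vendor Name: Apple Inc.
      Device Name: MacBookPro11,1
"""

# Constructed sample for a machine without Thunderbolt (wording assumed);
# the check below keys on the absence of a "Thunderbolt Bus" section.
SAMPLE_THUNDERBOLT_ABSENT = """Thunderbolt:

      No Thunderbolt devices were found.
"""

# Per the thread: the DYLD bug affects Yosemite (10.10.x) and is fixed in 10.10.5.
DYLD_FIX_VERSION = (10, 10, 5)


def parse_version(text):
    """Turn '10.10.4' into (10, 10, 4) so comparisons are numeric, not lexical
    ('10.10.5' < '10.10.10' as strings would compare wrongly)."""
    return tuple(int(part) for part in text.strip().split("."))


def boot_rom_version(hardware_output):
    """Extract the Boot ROM version string, or None if the line is missing."""
    match = re.search(r"^\s*Boot ROM Version:\s*(\S+)", hardware_output, re.M)
    return match.group(1) if match else None


def has_thunderbolt_bus(thunderbolt_output):
    """True if the profiler report contains a 'Thunderbolt Bus' section."""
    return re.search(r"^\s*Thunderbolt Bus", thunderbolt_output, re.M) is not None


def dyld_bug_applies(product_version):
    """True only for Yosemite builds older than the fix release named in the thread."""
    version = parse_version(product_version)
    return version[:2] == (10, 10) and version < DYLD_FIX_VERSION


def triage(product_version, hardware_output, thunderbolt_output):
    """Map one machine's facts onto the two issues discussed in the thread."""
    return {
        "boot_rom": boot_rom_version(hardware_output),
        "thunderstrike2_exposure": has_thunderbolt_bus(thunderbolt_output),
        "dyld_bug_exposure": dyld_bug_applies(product_version),
    }


if __name__ == "__main__":
    # A 2009-era iMac on 10.10.4: no Thunderbolt bus, so only the DYLD bug applies.
    print(triage("10.10.4", SAMPLE_HARDWARE, SAMPLE_THUNDERBOLT_ABSENT))
```

On a real Mac the three inputs would be read from the commands named in the lead-in; the sample strings are there so the helper runs offline. The version tuple comparison matters because a string comparison would rank "10.10.10" below "10.10.5".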
The article simply says "visiting or opening a malicious website or e-mail can infect your machine" - and said nothing about having to have the user do something in order for the firmware to get infected/overwritten.

Thus the confusion. So what you're saying is I would have to manually do something to allow the firmware attack to occur and overwrite my firmware?

Please understand that it's only a proof of concept, rather than a real threat. Researchers want to prove that malicious code can infect and spread through firmware. The Internet as an infection route is an off-topic issue, so they didn't disclose details in the video.

Firmware is different from an ordinary application. The execution code is stored in the nonvolatile EPROM on the motherboard, which shall be "reset" first before it can be modified, which takes 10 to 20 minutes to complete. On a Mac, this resetting procedure can only be done during the boot process. This is why you won't get infected automatically simply by following a URL or receiving a message.
 
Seeing "bloke" and "foreign accent" in the same sentence tickled me. You know because I'm an American and think the world revolves around the US.

Obviously, your point and terminology were completely accurate, it just made me smile for some reason. ;-)
Heh, yeah, I was actually conscious that I was using a colloquialism while complaining that I couldn't understand the dirty foreigner, but I left it in cos it made me smile too!

Plus I figured everyone knows what bloke means, even if they don't use it themselves (and if they don't know what it means they'll work it out, and then they've learnt a new word, which is always nice ).
 