Vulnerability of non-brand-new Macs (wake from sleep exploit)

Sydde (macrumors 68020, Original poster, Aug 17, 2009, IOKWARDI)
Ars reports on a pretty darn scary exploit that has the potential to write to EFI firmware. More serious than that, the exploit can be installed from userland, meaning there is no need to mess around with escalation-of-privilege.

This exploit has been shown to work on all Macs older than the most recent models and requires a wake-from-sleep event to expose the vulnerability. I am not clear on whether it will be possible for Apple to issue some kind of software or firmware fix for this issue, but it sure does not look like a situation that inspires confidence in the brand. Obviously, firmware meddling survives the old "nuke-and-pave" and escapes the notice of most security inspection software, so this could be a really big problem.
 

QCassidy352 (macrumors G4, Mar 20, 2003, Bay Area)
This is very scary. As I understand it, the entire thing could be triggered remotely, no physical access ever required. Not good.
 

keysofanxiety (macrumors G3, Nov 23, 2011)
Yeah I saw this post yesterday on MalwareBytes' Facebook page. Apparently it's due to the crappy security of the EFI 1.1, which means custom firmware can be installed on the Mac -- they don't have to be signed by Apple? Not sure if anybody can confirm this. And with it being firmware it means it'll be permanently exploited; wiping & reinstalling the OS won't do anything.

Boy I hope Apple know about this or have some existing protection to prevent this from happening.
 

MacFever (macrumors regular, Feb 1, 2007)
I'm very surprised that Apple seems to be taking its time in releasing a fix for this... or did they know about it and say nothing, which would require you to buy a new machine (2014 and onwards) to keep the stocks up. It's unbelievable what seems to be the lack of urgency on Apple's behalf to address the issue; it will backfire on them if they don't wake up from decorating the Moscone building. Priorities are in reverse. Steve would not allow this to happen or continue without a fix.

And the Mac communities don't seem to really care. lol, everyone is on about their phones/watches.

http://arstechnica.com/security/201...ost-macs-vulnerable-to-permanent-backdooring/
 

sim667 (macrumors 65816, Dec 7, 2010)
Good luck getting any wake from sleep working on Macs with Yosemite; Apple totally trashed something that worked really well when Yosemite was released.
 

Sydde (macrumors 68020, Original poster, Aug 17, 2009, IOKWARDI)
Does this mean that an enemy could brick your computer with minimal effort?

And, if Apple can issue a fix, will they allow it to be installed on the holdouts who still use 10.6?
 

Sydde (macrumors 68020, Original poster, Aug 17, 2009, IOKWARDI)
Or you could use an iPad for all your browsing and airdrop any files you need onto the Mac.
 

minifridge1138 (macrumors 65816, Jun 26, 2010)
Apple updated the EFI firmware of all Early-2011 and newer Macs:
https://support.apple.com/en-us/HT204934

Download:
https://support.apple.com/en-us/HT201518

The firmware is only available for newer OS X versions (10.8.5+).

That confuses me. A firmware update should be tied to the hardware, not the OS being run.

Edit: I just checked the firmware section of the 4,1 Mac Pro and it is unchanged. That makes me wonder if this is more of an OS patch than a firmware update.

Sydde (macrumors 68020, Original poster, Aug 17, 2009, IOKWARDI)
It seems as though an OS patch might be appropriate, if they can close the post-sleep attack window (restart threads carefully or something) and prevent sleep from being initiated by just any old process.
 

subsonix (macrumors 68040, Feb 2, 2008)
> More serious than that, the exploit can be installed from userland, meaning there is no need to mess around with escalation-of-privilege.

This isn't the case; later in the article this is mentioned: "To work, an exploit would require a vulnerability that provides the attacker with unfettered "root" access to OS X resources." So you'd still need to have an exploit and a way to escalate privileges to root.

The issue is that it's possible to update the firmware at all from the OS I believe.
 