A beta of the next OS X update for Mac users contains a patch for the Thunderstrike vulnerability that allows malware to be injected into Macs via the Thunderbolt port.
Trammell Hudson, who works for hedge fund Two Sigma Investments and is also the creator of the Magic Lantern open-source programming environment for Canon DSLRs, discovered the vulnerability after his employer asked him to look into the security of Apple notebooks.
"A few years ago we were considering deploying MacBooks and I was asked to use my reverse engineering experience to look into the reports of rootkits on the Mac to see if it was possible to patch the firmware to be secure against them," wrote Hudson in a summary of the vulnerability.
After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system's Thunderbolt port.
"It turns out that the Thunderbolt port gives us a way to get code running when the system boots," Wrote Hudson. "Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run."
Hudson discovered that he could use a modified Apple gigabit Ethernet Thunderbolt adapter to carry out the attack.
The malware, once installed, would be almost impossible to detect and remove.
The attack, while serious in scope, requires the attacker to have physical access to the Mac to carry it out. It cannot be carried out remotely.
The fix, which sources report has appeared in the OS X 10.10.2 beta which Apple has released, not only prevents the system's Boot ROM from being altered, but also prevents it from being downgraded so as to make it vulnerable at a future point.
This update will be rolled out to OS X users soon.
The update will also contain fixes for three other vulnerabilities that have been discovered by Google's Project Zero research program.
- Macs vulnerable to virtually undetectable virus that "can't be removed"
- A $10 USB charger with built-in wireless keylogger means more security headaches
- A simple solution to help protect your PC or Mac charger from damage
- Is the Apple Watch's battery going to be a huge let down?
- Five antivirus scanners for Mac