Symantec confirms existence of unpatched rootkit Mac security flaw

The security flaw could allow attackers to install rootkit malware in firmware that survives a disk wipe or operating system reinstall.


Symantec says a critical vulnerability in some Apple Mac models could allow attackers to install persistent rootkit malware in the machine's firmware.

The security firm confirmed the existence of the security flaw late on Thursday. The flaw, called the Apple Mac OS X EFI Firmware Security Vulnerability, was originally disclosed last week by security researcher Pedro Vilaca.

The problem lies in how some Macs handle sleep. The firmware sets the flash write-protection locks when the machine boots, but on affected models a flawed suspend-resume implementation does not set them again when the Mac wakes from sleep, so the firmware flash is left unlocked.

In short, once a machine has been through a sleep-wake cycle, an attacker who already has root could reflash the computer's firmware and install Extensible Firmware Interface (EFI) rootkit malware.
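As an added example (not code from the article, from Symantec or from Vilaca), here is the check a practitioner would run to see whether the flash locks described above are actually in place. It decodes the two Intel PCH registers that gate writes to the BIOS region and diffs a boot-time snapshot against a post-resume one. The bit positions are an assumption taken from the Intel 7/8 Series PCH datasheets, and the register values are constructed to show a locked system at boot and the unlocked state after a sleep/wake cycle; they are not reads from a real Mac.

```python
"""Decode Intel PCH flash write-protection bits and diff two snapshots.

Added example, not code from the ZDNet article, Symantec or Pedro Vilaca.
Bit positions are an assumption taken from the Intel 7/8 Series PCH
datasheets: BIOS_CNTL is PCI config offset 0xDC of the LPC bridge
(bus 0, device 31, function 0) and HSFS is at SPIBAR + 0x04. The register
values below are constructed, not captured from real hardware.
"""
from typing import Dict, List, Tuple

# BIOS_CNTL bits (LPC bridge, config offset 0xDC)
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = BIOS region writable from the OS
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can veto it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes allowed only while in SMM
# HSFS bits (SPI controller, SPIBAR + 0x04)
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PR/FREG registers become read-only

# Protections that should be present once the firmware has finished booting.
# Each entry: bit name, snapshot key, mask, value the bit must have.
EXPECTED = [
    ("BIOSWE", "BIOS_CNTL", BIOSWE, False),
    ("BLE", "BIOS_CNTL", BLE, True),
    ("SMM_BWP", "BIOS_CNTL", SMM_BWP, True),
    ("FLOCKDN", "HSFS", FLOCKDN, True),
]


def decode(snapshot: Dict[str, int]) -> Dict[str, bool]:
    """Return the state of each protection-relevant bit in a snapshot."""
    return {name: bool(snapshot[reg] & mask) for name, reg, mask, _ in EXPECTED}


def flash_write_protected(snapshot: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Return (protected, problems); protected only if every bit is as expected."""
    state = decode(snapshot)
    problems = [
        f"{name} is {'set' if state[name] else 'clear'}"
        for name, _, _, want in EXPECTED
        if state[name] != want
    ]
    return (not problems, problems)


def lost_after_resume(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Names of protections that were correct before sleep but wrong after resume."""
    b, a = decode(before), decode(after)
    return [name for name, _, _, want in EXPECTED if b[name] == want and a[name] != want]


# Constructed snapshots (assumed values, not real hardware reads).
# At boot: BIOSWE=0, BLE=1, SMM_BWP=1 -> 0x22; FDV (bit 14) and FLOCKDN set -> 0xC000.
AT_BOOT = {"BIOS_CNTL": 0x22, "HSFS": 0xC000}
# After a sleep/wake cycle on an affected model: the lock bits were never re-set.
AFTER_RESUME = {"BIOS_CNTL": 0x00, "HSFS": 0x4000}

if __name__ == "__main__":
    for label, snap in (("at boot", AT_BOOT), ("after resume", AFTER_RESUME)):
        ok, problems = flash_write_protected(snap)
        print(f"{label}: {'protected' if ok else 'UNPROTECTED'} {problems}")
    print("lost across sleep/wake:", lost_after_resume(AT_BOOT, AFTER_RESUME))
```

On real hardware the two values come from PCI configuration space and the SPIBAR MMIO window, which needs root plus a kernel-level interface; chipsec's `common.bios_wp` module performs the equivalent check on a live system. Taking a snapshot right after boot and another after a sleep/wake cycle is the quickest way to tell whether a given model is affected.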

Firmware rootkits of this kind can be used to remotely control a system and potentially steal user data, and because they live in the firmware rather than on disk, they are not removed by wiping the system.

While this attack is unlikely to affect users en masse, it could be used to spy on specific, targeted users who hold valuable data or account access.

Symantec has confirmed the existence of the vulnerability and has rated the flaw as "critical" as it can provide "an attacker with persistent root access to a computer that may survive any disk wipe or operating system reinstallation," according to the firm.


"The vulnerability could be remotely exploited by an attacker if used in conjunction with another exploit that provided root access," Symantec says.

"While such vulnerabilities are not widespread, they do emerge from time to time. Once an attacker has root access, the only condition required for successful exploit is that the computer enter sleep mode."

Vilaca claims the bug can be combined with a Safari exploit or another remote vector to install an EFI rootkit without physical access, the only requirement being that the computer goes through a sleep-wake cycle during the session.

To date, Symantec has tested four different Mac models. The security firm found that the Mac Mini 5.1 and MacBook Pro 9.2 are vulnerable, whereas the MacBook Pro 11.3 and MacBook Air 6.2 are not affected. Vilaca's tests verified that the MacBook Pro Retina 10.1, MacBook Pro 8.2, MacBook Air 5.1 and Mac Pro 9.1 are vulnerable. All computers tested were running Apple's latest firmware versions. Vilaca commented:

"I'm pretty sure Apple is aware of the bug or at least it would be quite irresponsible from them to not test if their BIOS implementation was vulnerable to the Dark Jedi attack. I had no issues doing PoC tests with it but definitely needs other people to test it out (at least to find which other Macs are vulnerable)."

Until Apple issues a firmware update that fixes the flaw, concerned users are advised to shut down their computers rather than put them to sleep: a full boot runs the firmware code that sets the flash locks, whereas waking from sleep on an affected model does not.

ZDNet has reached out to Apple and will update if we hear back.
