Just last week a researcher identified a new vulnerability in the Apple Mac that could be utilized to inject a persistent malware rootkit, allowing the hacker to gain full system control of the user's computer.
The new vulnerability has not yet been given a name and the cause is still unknown, though it appears to be related to a bug in the sleep-mode energy conservation software.
There is a region of firmware memory holding the Extensible Firmware Interface (EFI), the code that provides low-level access to and control of the hardware, and it seems Apple's implementation of the sleep-mode energy conservation software can leave parts of that region open to writing by user programs on the computer. These areas of memory are normally locked as read-only in order to protect them.
This isn't the case, however, with some late-model Macs. Putting them to sleep (closing the lid) for around 20 seconds and then waking them up (opening the lid) unlocks the EFI memory for writing.
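The defensive counterpart to what the article describes is a firmware audit that snapshots the chipset's flash write-protection state before sleep and again after wake, and flags the case where protection was present before and is gone afterwards. The following is an added example, not code from the article or from the researcher; it models that check over constructed register values. The register and bit names (BIOS_CNTL with BIOSWE/BLE/SMM_BWP, HSFS with FLOCKDN, the PRx protected-range registers) are from public Intel PCH documentation, but the protection logic is a simplified version of what audit tools evaluate, and both snapshots are constructed, not measurements from any Mac.

```python
"""Sleep/wake flash write-protection regression check (added example).

Models the state a firmware audit tool inspects and reports when a machine
that had its EFI flash locked before sleep comes back from wake with the
lock gone. All values below are constructed; nothing here reads hardware.
"""

from dataclasses import dataclass
from typing import List, Tuple

# Bit positions from public Intel PCH datasheets (assumed layout):
#   BIOS_CNTL (LPC config space, offset 0xDC)
BIOSWE = 1 << 0    # BIOS Write Enable: flash writes allowed when set
BLE = 1 << 1       # BIOS Lock Enable: attempts to set BIOSWE trap to SMM
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only from SMM
#   HSFS (SPI controller MMIO)
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PRx frozen until reset
#   PRx protected-range registers
PR_WPE = 1 << 31   # Write Protection Enable for that range


@dataclass(frozen=True)
class FlashProtection:
    """One snapshot of the write-protection registers."""
    bios_cntl: int
    hsfs: int
    protected_ranges: Tuple[int, ...]  # PR0..PR4 raw values

    def bios_cntl_locked(self) -> bool:
        """Writes are disabled and the enable bit itself is locked (or SMM-only)."""
        locked = bool(self.bios_cntl & BLE)
        write_enabled = bool(self.bios_cntl & BIOSWE)
        smm_only = bool(self.bios_cntl & SMM_BWP)
        return locked and (not write_enabled or smm_only)

    def ranges_locked(self) -> bool:
        """At least one PR range protects flash and FLOCKDN stops it being cleared."""
        flockdn = bool(self.hsfs & FLOCKDN)
        any_range = any(pr & PR_WPE for pr in self.protected_ranges)
        return flockdn and any_range

    def is_writable(self) -> bool:
        """Flash is writable when neither protection mechanism is in force."""
        return not (self.bios_cntl_locked() or self.ranges_locked())


def audit(before: FlashProtection, after: FlashProtection) -> List[str]:
    """Compare a pre-sleep and a post-wake snapshot and return findings."""
    findings = []
    if before.is_writable():
        findings.append("flash writable before sleep")
    if after.is_writable():
        findings.append("flash writable after wake")
    if not before.is_writable() and after.is_writable():
        findings.append("REGRESSION: protection lost across sleep/wake")
    return findings


# Constructed snapshots. The "before" state relies on FLOCKDN plus a PR range
# (BIOS_CNTL left at 0 on purpose); the "after" state has FLOCKDN cleared,
# which is the kind of change a sleep/wake bug would produce.
PR0_RANGE = PR_WPE | 0x0FFF0FF0          # constructed range bounds
BEFORE = FlashProtection(bios_cntl=0, hsfs=FLOCKDN,
                         protected_ranges=(PR0_RANGE, 0, 0, 0, 0))
AFTER = FlashProtection(bios_cntl=0, hsfs=0,
                        protected_ranges=(PR0_RANGE, 0, 0, 0, 0))


if __name__ == "__main__":
    for line in audit(BEFORE, AFTER):
        print(line)
```

Run against real hardware, the two snapshots would come from a firmware audit tool executed once before sleep and once after wake; the regression line is the signal that the firmware is exposed to exactly the overwrite the article goes on to describe.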
Unfortunately, the vulnerability can be used to remotely install a rootkit or persistent malware that is virtually invisible to the operating system and any malware detection software you might have. And it can be done using something as simple as the Safari web browser.
The researcher went on to explain that the remote exploit could simply deliver a payload through the web browser that either waits for a sleep cycle or tests whether one has already occurred and the machine is vulnerable. It could even force the computer into sleep mode and then wait for a wakeup to occur in order to complete the injection.
Once the EFI memory has been unlocked, the attacker can simply overwrite the BIOS firmware with something that contains an EFI rootkit. That's it.
It looks like Apple is aware of the issue, since the vulnerability does not appear to exist in Macs made after mid-2014.