It’s common wisdom: Mac security is inherently superior to that of Windows and other PC operating systems. Many users credited Apple’s tightly controlled application and development environment for this improved protection, but in recent years security researchers have suggested a storm of malicious attacks may be on the horizon. Now, a pair of Mac security threats — Thunderstrike 2 and a new zero-day privilege exploit — have darkened user skies. Is this the end of Apple’s vaunted security superiority?
The Sound and the Fury
According to Threatpost, researchers have developed a remote-infection variant of firmware exploit bootkit Thunderstrike. Called Thunderstrike 2, the new vulnerability leverages much of the original kit to deliver malware capable of infecting both host machines and any connected accessories.
As noted by The Hacker News, Thunderstrike was first developed by security engineer Trammell Hudson, who discovered a flaw in Thunderbolt Option ROM that allowed the infection of any Apple Extensible Firmware Interface (EFI) by placing malicious code into boot ROM, making it almost impossible to remove. Thunderstrike had one limitation, however: Attackers needed physical access to victim machines.
Thunderstrike 2, meanwhile, has no such restrictions. The brainchild of Hudson and another security engineer, Xeno Kovah, it’s possible to spread Thunderbolt 2 via email, malicious websites or peripheral devices. Using a local root privilege exploit, the malware loads a kernel module to gain raw memory access and then either unlocks and rewrites the firmware or waits for the Mac to sleep and wake up again to alter its firmware. In both cases, removing the infection is almost impossible.
Thunderstrike and its progeny speak to one critical fallacy of Mac security: singularity. With other companies all leveraging virtually identical firmware, the software advantage granted by Mac OS X is rendered meaningless.
Zero-Day Strikes on Mac Security
Speaking of OS X, researchers have also discovered a flaw in the latest version of Yosemite that could allow malicious actors to gain root-level permissions without the need for administrator passwords. As noted by SecurityWeek, the issue lies with a hidden UNIX file named “sudoers,” which contains a list of software programs granted root access. When used alongside the DYLD_PRINT_TO_FILE vulnerability, which allows error logging to arbitrary files, it’s possible for cybercriminals to “open or create arbitrary files owned by the root user anywhere in the file system,” according to German security researcher Stefan Esser, who published the zero-day exploit details in July.
Attacks observed in the wild saw malicious actors running an installer that infected systems with VSearch adware, Genieo adware and in some cases the MacKeeper software. Both OS X 10.10.4 and beta 10.10.5 are vulnerable, while the new OS X 10.11 “El Capitan” beta appears to be immune.
After years of clear skies and starry nights, a storm is rolling in for Mac users. Serious firmware and software flaws have been discovered — and both are hard to detect and even harder to remove. For Mac users, there’s a simple lesson in the thunder and lightning: Standing under the Apple tree isn’t safe. Instead, it’s time to hunker down and start taking Mac security seriously.