BACKDOOR CLOSING —

Apple readies fix for Thunderstrike bootkit exploit in next OS X release

Yosemite 10.10.2 also squashes three unpatched bugs disclosed by Google.


A fix for the Thunderstrike proof-of-concept bootkit attack has made its way into a beta version of Apple's OS X, according to a just-published report. The new fix may indicate that a patch isn't far from general release.

The exploit was dubbed Thunderstrike because it spreads through maliciously modified peripherals connected to a Mac's Thunderbolt interface. When such a device is plugged into a Mac that is booting, the extensible firmware interface (EFI), the firmware that initializes the hardware, sets up low-level modes such as system management mode, and starts the operating system, loads and runs the device's option ROM; the malicious option ROM then rewrites the Mac's boot ROM. Once a Mac is infected, the malicious firmware survives hard drive reformats and OS reinstallations. And because Thunderstrike replaces the key Apple's firmware uses to verify that only Apple-signed firmware is installed, Apple's own updater can no longer overwrite the infected ROM, leaving few viable ways to disinfect a system.

Earlier this month, Thunderstrike creator Trammell Hudson said that only the latest versions of the Mac mini and the iMac with Retina 5K display were largely immune to the exploit, but that Apple engineers were developing a fix for the rest of the Mac product line. According to a report published Friday by iMore, the patch has been spotted in the latest beta of OS X 10.10.2, the next version of Yosemite.

"To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again," the iMore report stated. "According to people with access to the latest beta of OS X 10.10.2 who are familiar with Thunderstrike and how it works, that's exactly the deep, layered process that's been completed."

Separately, iMore reported, the beta contains fixes for three currently unpatched OS X vulnerabilities that were recently disclosed by Google's Project Zero team. The advisories were controversial because they included proof-of-concept attack code that gave malicious hackers a detailed blueprint for exploiting the bugs.

On Saturday, Hudson told Ars he had discussed the planned Thunderstrike fix with Apple representatives a few weeks ago while attending the Chaos Communication Congress in Germany. He went on to say that he wasn't aware it had been added to the 10.10.2 beta and that he had not yet had a chance to review the fix himself.

"The version that I tested in Hamburg was still subject to downgrade attacks and I demonstrated it for Apple," he wrote in an e-mail. "Hopefully they have fixed that bit, although the fact that they are leaving Option ROMs enabled at all really worries me."
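The following Python model is added here as an illustration; it is not code from Apple, nor from Hudson's Thunderstrike proof of concept. It shows why both halves of the fix described above matter, and why the downgrade attack Hudson mentions is a separate problem from key replacement. HMAC-SHA256 stands in for Apple's RSA firmware signature, and every key name, version number and image body is constructed. In the vulnerable design the verification key sits in the same writable flash as the boot ROM code, so code running from a malicious option ROM during boot can swap it and a genuine Apple-signed update is refused afterwards. In the hardened design the flash is not writable from that path, the key is immutable, and a correctly signed but older image is refused as a rollback.

```python
"""Model of the boot-ROM trust problem behind Thunderstrike.

Constructed illustration: HMAC-SHA256 stands in for Apple's RSA firmware
signature, and every key, version and image body below is made up.
"""
import hashlib
import hmac
from dataclasses import dataclass

VENDOR_KEY = b"vendor-signing-key-constructed"     # stands in for Apple's signing key
ATTACKER_KEY = b"attacker-signing-key-constructed"


def sign(key: bytes, version: int, body: bytes) -> bytes:
    # The version is bound into the signature so an image cannot be relabelled.
    return hmac.new(key, version.to_bytes(4, "big") + body, hashlib.sha256).digest()


def verify(key: bytes, version: int, body: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, version, body), sig)


@dataclass
class Image:
    version: int
    body: bytes
    sig: bytes


def make_image(key: bytes, version: int, body: bytes) -> Image:
    return Image(version, body, sign(key, version, body))


@dataclass
class BootRom:
    version: int
    body: bytes
    trusted_key: bytes                 # verification key stored in the same flash as the code
    writable_during_option_rom: bool   # can code run from an option ROM write the flash?


def malicious_option_rom(rom: BootRom) -> bool:
    """Models the Thunderstrike step: code loaded from a Thunderbolt device's
    option ROM runs during EFI boot and rewrites the boot ROM flash, swapping
    in the attacker's key so later vendor updates are no longer trusted."""
    if not rom.writable_during_option_rom:
        return False
    rom.body = b"bootkit"
    rom.trusted_key = ATTACKER_KEY
    return True


def vulnerable_update(rom: BootRom, img: Image) -> bool:
    """Accepts any image signed by whatever key the flash currently holds,
    at any version. Both properties are what the attack relies on."""
    if not verify(rom.trusted_key, img.version, img.body, img.sig):
        return False
    rom.version, rom.body = img.version, img.body
    return True


def hardened_update(rom: BootRom, img: Image, immutable_key: bytes) -> bool:
    """Modelled on the two-part fix iMore describes: the verification key is
    not part of the writable flash, and a signed image older than the one
    installed is refused so a known-vulnerable version cannot be rolled back in."""
    if not verify(immutable_key, img.version, img.body, img.sig):
        return False
    if img.version < rom.version:
        return False
    rom.version, rom.body = img.version, img.body
    return True


def scenario_vulnerable() -> tuple:
    rom = BootRom(2, b"clean-v2", VENDOR_KEY, writable_during_option_rom=True)
    infected = malicious_option_rom(rom)
    reflash_ok = vulnerable_update(rom, make_image(VENDOR_KEY, 3, b"clean-v3"))      # vendor key no longer trusted
    attacker_ok = vulnerable_update(rom, make_image(ATTACKER_KEY, 9, b"bootkit-v9"))  # attacker's key is
    return infected, reflash_ok, attacker_ok, rom.body


def scenario_hardened() -> tuple:
    rom = BootRom(2, b"clean-v2", VENDOR_KEY, writable_during_option_rom=False)
    infected = malicious_option_rom(rom)
    downgrade_ok = hardened_update(rom, make_image(VENDOR_KEY, 1, b"clean-v1"), VENDOR_KEY)
    forged_ok = hardened_update(rom, make_image(ATTACKER_KEY, 3, b"bootkit-v3"), VENDOR_KEY)
    upgrade_ok = hardened_update(rom, make_image(VENDOR_KEY, 3, b"clean-v3"), VENDOR_KEY)
    return infected, downgrade_ok, forged_ok, upgrade_ok, rom.version


if __name__ == "__main__":
    print("vulnerable:", scenario_vulnerable())   # (True, False, True, b'bootkit-v9')
    print("hardened:  ", scenario_hardened())     # (False, False, False, True, 3)
```

The rollback check is the part Hudson says was still missing in the build he saw in Hamburg: without it, an attacker who can no longer forge a signature can still feed the updater an older, genuinely Apple-signed image that carries the original hole, and then run the original attack against it.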

Hudson said he's still waiting on the publication of CVE-2014-4498, the vulnerability designation assigned to the Thunderstrike hole.

There are no known instances of a Thunderstrike-style attack happening in the wild, and the exploit requires the attacker either to have brief physical access to a vulnerable Mac or to trick a user into plugging a booby-trapped peripheral into a Mac as it boots. While that's reassuring, there would be no way to detect a properly executed Thunderstrike attack from within the compromised system, and exploits could feasibly be carried out by border crossing agents, hotel housekeeping staff, and anyone else who gets two or more minutes alone with a targeted machine.
