The Hacker News - Cybersecurity News and Analysis: EFI Bootkit

A zero-day software vulnerability discovered deep in the firmware of many Apple computers could allows an attacker to modify the system's BIOS and install a rootkit , potentially gaining complete control of the victim's Mac. The critical vulnerability, discovered by well-known OS X security researcher Pedro Vilaca, affects Mac computers shipped before mid-2014 that are allowed to go into sleep mode. While studying Mac security, Vilaca found that it's possible to tamper with Apple computer's UEFI (unified extensible firmware interface) code. UEFI is a low-level firmware designed to improve upon computer's BIOS, which links a computer's hardware and operating system at startup and is typically not accessible to users. But… Vilaca found that the machine's UEFI code can be unlocked after a computer is put to sleep and then brought back up. " And you ask, what the hell does this mean? " Vilaca wrote in a blog post published Friday. " It means th

Apple is preparing to release the second update to OS X Yosemite in the coming days to its customers. The upcoming beta update OS X Yosemite 10.10.2 contains a patch for the Thunderstrike vulnerability that allows malware to be injected into Macs via the Thunderbolt port. Earlier this month, Reverse engineer Trammell Hudson revealed technical details and proof-of-concept of Thunderstrike attack . Thunderstrike, an undetectable bootkit, works by injecting an Option ROM into a Mac's EFI. It is possible because hardware attached to a system through Thunderbolt port are not as secure as a Mac itself. Once installed using Thunderstrike attack, the malware would be almost impossible to detect and remove. Because the firmware used on Macs doesn't always apply to the security of attached hardware. So "Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the at

A security researcher has discovered an easy way to infect Apple's Macintosh computers with an unusual kind of malware using its own Thunderbolt port . The hack was presented by programming expert Trammell Hudson at the annual Chaos Computer Congress (30C3) in Hamburg Germany. He demonstrated that it is possible to rewrite the firmware of an Intel Thunderbolt Mac . The hack, dubbed Thunderstrike , actually takes advantage of a years-old vulnerability in the Thunderbolt Option ROM that was first disclosed in 2012 but is yet to be patched. Thunderstrike can infect the Apple Extensible Firmware Interface (EFI) by allocating a malicious code into the boot ROM of an Apple computer through infected Thunderbolt devices. The hack is really dangerous as, according to the researcher, there is no means for the user to detect the hack, or remove it even by re-installation of the complete OS X, only because the malicious code actually is in the system's own separate ROM. "