macbook pro

What you need to know about Thunderstrike 2

An inevitable by-product of Apple’s success is the emergence of people looking to target any vulnerabilities they can discover. Over the last month or so two new serious vulnerabilities that could affect your Mac have come to light.

The first vulnerability is a computer worm named “Thunderstrike 2”. This worm is a proof of concept that exploits 5 firmware vulnerabilities. The vulnerabilities were researched and discovered by Xeno Kovah and Trammell Hudson, who are set to discuss their findings at the Black Hat security conference in Las Vegas on 6th of August.

Thunderstrike 2 works by targeting the firmware on your Mac either via malicious websites or email, and a Mac could be infected within seconds. The worm then spreads by targeting any peripherals that contain Option ROM for example Apple’s Thunderbolt Ethernet Adaptor or an SSD. Once these peripherals are connected to another Mac, the worm spreads to its firmware and any further peripheral devices containing Option ROM connected to that device.

The cycle could be endless. One of the researchers who designed the concept, Xeno Kovah said:

[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware.

The vulnerabilities that allow a worm like Thunderstrike 2 to infect Macs have been reported to Apple. They have thus far patched one and partially patched a second. During the conference, Xeno and Trammell will announce software that can check Option ROM on their devices but won’t be able to check the boot firmware for the infection.

The second vulnerability came with the release of OS X 10.10 when Apple added additional features to the dyld (dynamic link editor). One of the new variables added to dyld is called “DYLD_PRINT_TO_FILE” which enables error logging to an arbitrary file. Security that protects other variables does not appear to have been put in place, and this vulnerability has been discovered by German coder, Stefan Esser.

The vulnerability known as “Privilege Escalation” allows malware to run as the administrator of the Mac that it affects and installs itself without any user interaction. With this elevated status, it can then bypass a lot of the security measures that protects the Mac.

As Stefan explains in his article, this vulnerability has been reported to Apple some time ago and has yet to be resolved in beta releases of 10.10. It has, however, been resolved by Apple in the OS X El Capitan (10.11) beta.

Stefan’s article also includes code for a proof of concept that uses this vulnerability and other adware that has already started to appear. Malwarebytes researcher Thomas Reed discovered some software that uses this vulnerability and edits the sudoers file allowing it to gain root-level access to the system and perform root level tasks without authentication requirements.

As always the main thing to protect yourself from this kind of attack is to be very cautious of the files and applications you download to your devices.

Coincidentally at the time of writing this blog Apple has released a statement that the “Privilege Escalation” vulnerability is being worked on and will be patched with the release of OS X 10.10.5. The “Thunderstrike 2” vulnerability is being worked on and as previously stated is partially patched as of OS X 10.10.4.

The good news is that Apple is great at responding to discoveries of vulnerabilities and deploying patches accordingly. Here at Amsys, we always recommend to continue to be vigilant about what sites you visit, the links you click on and the files you download.

Leave a Reply

Your email address will not be published. Required fields are marked *