A new vulnerability in Apple Mac computers could be used to remotely inject persistent rootkit malware into users' computers, providing attackers with full-system level control, a security researcher has discovered.
The exact cause for the zero-day vulnerability, which is yet to be named, has not been fully identified.
It appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer.
Memory areas are normally locked as read-only to protect them.
However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.
The researcher who discovered the flaw, Pedro Vilaça, said the vulnerability can be used to remotely plant rootkits or persistent malware that is invisible to the operating system in the writeable flash memory, by using for instance the Safari web browser.
"A remote exploit could simply deliver a payload that will either wait or test if a previous sleep existed and machine is vulnerable, or force a sleep and wait for a wakeup to resume its work," Vilaça told iTnews.
"After the BIOS protections are unlocked it can simply overwrite the BIOS firmware with something that contains an EFI rootkit and that's it."
Some extra steps may be required to achieve superuser privilege escalation to load kernel modules, but that's not particularly complicated to do, Vilaça said.
"The attack is more or less targeted because it requires a firmware specific for each Mac model due to bios differences between models," he told iTnews.
"This isn't also very complex to deal with since an offensive payload could just download the right version for the target. Just a matter of resources to create backdoored firmwares to the targeted Macs."
Being able to plant malware at the operating system level makes the flaw easier to exploit than the Thunderstrike vulnerability that was patched in January this year.
Thunderstrike required the use of the Thunderbolt interface to inject rootkits into the EFI at boot up time, a complicated attack vector in comparison.
Vilaça believes Apple is aware of the issue - his testing shows the flaw is not found in the firmware of Macs made after mid 2014. He did not disclose the flaw to Apple.
Testing by iTnews showed that a 2013 MacBook Pro and iMac from the same year appeared to be vulnerable, but not a 2015 MacBook Air or MacBook.
iTnews has asked Apple for comment on the zero-day discovery.
.jpg&h=271&w=480&c=1&s=1)
.png&h=141&w=208&c=1&s=1)
