
Hacking team creates Thunderstrike-based Mac firmware worm
NewsPoster
MacNN Staff
Join Date: Jul 2012
Aug 3, 2015, 02:53 PM
A new exploit has been developed that could threaten Mac security by leveraging vulnerabilities in firmware rather than software, making the worm nearly impossible to remove. While it sounds more ominous than any threat since the original firmware-based Thunderstrike (which was limited to a proof of concept, with no reported attacks), leading security experts say this new threat is also very low-risk.

Chief among the skeptics is TidBITS security editor Rich Mogull, who tweeted of the firmware attack that while it is "a real issue that needs to be patched and some very interesting research," he believes users should not panic or do anything out of the ordinary, since exploiting the flaw is "much harder" than sensationalist articles -- Mogull specifically names Wired's alarmist report on it -- would have us believe.

Firmware-based attacks are much harder to fight, since they can be embedded in devices or even Thunderbolt cable controllers, and can thus self-replicate, resist firmware or software updates, and spread easily. Following the initial Thunderstrike exploits, the new attack -- dubbed "Thunderstrike 2" -- makes it possible to remotely infect a Mac through a malicious website or email. Since being informed of the vulnerability, Apple has fixed one of the five security flaws and partially patched a second one, and is said to be working on correcting the other three vulnerabilities.

The chief obstacle likely to severely limit Thunderstrike 2's inroads into the Mac community is that the flaw still requires a user to install the worm by typing in their admin password -- something most users are unlikely to do, given that simply plugging in a device does not normally trigger a request for such credentials, and such a request would be viewed as suspicious. Publicity and articles such as this one also educate the community to be on guard against the risk, minimizing infections while a permanent fix is implemented.

Apple will likely also adapt its built-in malware detector, XProtect, to block the firmware install request in the first place. The software, built into Snow Leopard and later versions of the OS, is silently updated by Apple to guard against publicized threats such as Thunderstrike, a mechanism that has played a role in the extremely low incidence of malware attacks on most users who don't actively defeat such efforts.

Xeno Kovah of LegbaCore, one of the co-creators of the new threat, defended the action as "using our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security," saying that Apple had not done enough to fix vulnerabilities the company had been previously notified about.
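Two things the article leaves the reader to verify on their own are whether Apple's firmware update and the silently pushed XProtect definitions have actually reached a given Mac. The script below is an added example written for this page; it is not code from the article, from LegbaCore or from Apple. It assumes the XProtect metadata plist lives at the path OS X 10.10/10.11 used, and the Boot ROM string and XProtect version number in the sample data are constructed for offline demonstration, not real releases.

```sh
#!/bin/sh
# Added example (not from the MacNN article, LegbaCore or Apple): report the
# EFI firmware (Boot ROM) revision and the installed XProtect definition
# version on a Mac, so an admin can confirm that Apple's updates have landed.
# Assumption: this XProtect plist path is the one used by OS X 10.6 - 10.14.
XPROTECT_META="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# boot_rom_version: extract the "Boot ROM Version:" field from
# `system_profiler SPHardwareDataType` text read on stdin. This is the EFI
# firmware revision that Apple's EFI updates raise.
boot_rom_version() {
    sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# xprotect_version: extract the integer <key>Version</key> value from
# XProtect.meta.plist XML read on stdin. Apple raises it with each silent
# definition push, so a number that never changes means the pushes are not
# arriving on this machine.
xprotect_version() {
    sed -n '/<key>Version<\/key>/{n;s/.*<integer>\([0-9]*\)<\/integer>.*/\1/p;}' | head -n 1
}

# Constructed sample data (values invented for illustration, not real releases).
SAMPLE_PROFILER='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Boot ROM Version: MBP000.0000.B00
      SMC Version (system): 0.00f00'

SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Version</key>
    <integer>1234</integer>
</dict>
</plist>'

# report: on a Mac, read the live values; on any other platform fall back to
# the constructed samples so the parsing can still be exercised.
report() {
    if command -v system_profiler >/dev/null 2>&1; then
        rom=$(system_profiler SPHardwareDataType | boot_rom_version)
    else
        rom=$(printf '%s\n' "$SAMPLE_PROFILER" | boot_rom_version)
    fi
    if [ -r "$XPROTECT_META" ]; then
        xp=$(xprotect_version < "$XPROTECT_META")
    else
        xp=$(printf '%s\n' "$SAMPLE_PLIST" | xprotect_version)
    fi
    printf 'Boot ROM (EFI) version: %s\nXProtect definition version: %s\n' "$rom" "$xp"
}

report
```

Compare the Boot ROM value against Apple's published EFI/SMC firmware table for the model, and the XProtect number against another Mac known to be receiving updates; a machine that lags on either is one where the mitigations the article describes are not yet in place.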

bjojade
Junior Member
Join Date: Jun 2007
Aug 3, 2015, 05:48 PM
You have to enter your name and password for it to do anything bad. If that's an allowed vector for malware, writing software to do bad things is pretty darned easy. Once a name and password are entered, you can do virtually anything on a machine. Not much of a threat!

prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Aug 3, 2015, 06:22 PM
"given that simply plugging in a device does not normally trigger a request for such credentials and would be viewed as suspicious" You have to remember that Windows users are coming over to the Mac side and plugging in a peripheral regularly generates a message asking to install something. These types of alerts would be viewed as normal by them. With all the Adobe updates, too many people are getting comfortable entering their admin password way too many times. Veteran Mac users don't do this but not everyone is a veteran or knows enough about what's going on to not enter their password. This is my biggest concern with the proliferation of new Mac users.

Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Aug 3, 2015, 07:11 PM
prl99: good point, and something we hope this article will reinforce: be judicious with your admin password, and only apply it when you know exactly why it is being asked for.
Charles Martin
MacNN Editor

Steve Wilkinson
Senior User
Join Date: Dec 2001
Location: Prince George, BC, Canada
Aug 4, 2015, 04:57 AM
Also, if this only affects the Thunderbolt port, most of these 'newbie' users aren't going to be using it anyway. Still, it needs to be fixed, as prl99 points out, average or new users might well be fooled by such a request.
------
Steve Wilkinson
Web designer | Christian apologist
cgWerks | TilledSoil.org
All contents of these forums © 1995-2017 MacNN. All rights reserved.