Hacking team creates Thunderstrike-based Mac firmware worm
A new exploit has been developed that could threaten Mac security by leveraging vulnerabilities in the machine's firmware rather than in its software, which would make the resulting worm nearly impossible to remove by the usual means (reinstalling the OS does not touch the boot firmware). While it sounds more ominous than any threat since the original firmware-based Thunderstrike (which never went beyond a proof of concept, with no attacks reported), the security experts quoted below say this new threat is also very low-risk.
Chief among the skeptics is TidBITS security editor Rich Mogull, who tweeted about the firmware attack that while it is "a real issue that needs to be patched and some very interesting research," he believes users should not panic or do anything out of the ordinary, since exploiting the flaw is "much harder" than sensationalist articles -- Mogull specifically names Wired's alarmist report on it -- would have us believe.
Once again, the details of a hack don't warrant the ridiculous hyperbole of a @wired article. It's like watching the local news.
Firmware-based attacks are much harder to fight, since the malicious code lives in the Mac's boot firmware and can also be written into the option ROM firmware of Thunderbolt peripherals, from which it can infect the next Mac the peripheral is plugged into; that lets it self-replicate, survive an OS reinstall, resist firmware or software updates, and spread through shared devices. Building on the original Thunderstrike, the new attack -- dubbed "Thunderstrike 2" -- makes the initial infection possible remotely, through a malicious website or email, rather than requiring physical access to the machine. Since being informed of the vulnerabilities, Apple has fixed one of the five security flaws and partially patched a second one, and is said to be working on correcting the other three.
Yes, it is a real issue that needs to be patched and some very interesting research. No, it's harder than the article makes it out.
The chief obstacle likely to keep Thunderstrike 2 from making many inroads in the Mac community is that the initial infection still requires the user to install the worm by typing in an administrator password -- something most users are unlikely to do, since simply plugging in a device does not normally trigger a request for such credentials, and an unexpected prompt would be viewed as suspicious. Publicity, including articles such as this one, also puts the community on guard against the risk, minimizing infections while a permanent fix is implemented.
Apple will likely also adapt its built-in malware detector, XProtect, to recognize and block the malicious payload before it ever gets to ask for an admin password. XProtect, built into Snow Leopard and later versions of OS X, has its signature list silently updated by Apple to guard against publicized threats such as Thunderstrike; that mechanism has played a role in the extremely low incidence of malware infections among users who don't actively defeat it.
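Firmware-level fixes for Macs ship as Boot ROM (EFI) updates, so the practical first step after reading about a firmware attack is confirming which Boot ROM version a machine is actually running. The script below is an added example written for this page, not code from the MacNN article, Apple or LegbaCore: it pulls the Model Identifier and Boot ROM Version out of `system_profiler SPHardwareDataType` output and compares the version with one an administrator supplies. The sample profiler text and the expected version string are constructed for illustration; the `EXPECTED_BOOT_ROM` environment variable is an assumption of this example, not an Apple setting.

```shell
#!/bin/sh
# Added example (not from the article or the Thunderstrike 2 researchers):
# check a Mac's reported Boot ROM (EFI firmware) version against an expected value.

# Print the "Boot ROM Version: ..." value from profiler text on stdin (first match only).
boot_rom_version() {
  sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# Print the "Model Identifier: ..." value from profiler text on stdin.
model_identifier() {
  sed -n 's/^[[:space:]]*Model Identifier:[[:space:]]*//p' | head -n 1
}

# check_boot_rom PROFILER_TEXT EXPECTED_VERSION
# Returns 0 when the reported version equals EXPECTED_VERSION, 1 when it differs,
# and 2 when no Boot ROM line is present at all (e.g. wrong profiler data type).
check_boot_rom() {
  profiler_text="$1"
  expected="$2"
  actual=$(printf '%s\n' "$profiler_text" | boot_rom_version)
  model=$(printf '%s\n' "$profiler_text" | model_identifier)
  if [ -z "$actual" ]; then
    echo "no Boot ROM Version line found in profiler output" >&2
    return 2
  fi
  if [ "$actual" = "$expected" ]; then
    echo "${model:-unknown model}: Boot ROM $actual matches expected version"
    return 0
  fi
  echo "${model:-unknown model}: Boot ROM $actual differs from expected $expected" >&2
  return 1
}

# Constructed sample of system_profiler SPHardwareDataType output; values are illustrative.
SAMPLE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Boot ROM Version: MBP111.0138.B15
      SMC Version (system): 2.16f68'

# On a Mac, query the live machine; elsewhere (or for a dry run) use the sample text.
# EXPECTED_BOOT_ROM is an assumed variable the administrator sets for the model in question.
if command -v system_profiler >/dev/null 2>&1; then
  check_boot_rom "$(system_profiler SPHardwareDataType)" "${EXPECTED_BOOT_ROM:-MBP111.0138.B15}"
else
  check_boot_rom "$SAMPLE" "MBP111.0138.B15"
fi
```

One caveat a practitioner should keep in mind: the version string comes from the firmware itself, so firmware that has already been tampered with can report whatever it likes. This check confirms that a legitimate update has been applied; it is not a way to detect an existing Thunderstrike-style compromise.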
Xeno Kovah of LegbaCore, one of the co-creators of the new threat, defended the action as "using our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security," saying that Apple had not done enough to fix vulnerabilities the company had been previously notified about.
You have to enter your name and password for it to do anything bad. If that's an allowed vector for malware, writing software to do bad things is pretty darned easy. Once a name and password is entered, you can do virtually anything on a machine. Not much of a threat!
"given that simply plugging in a device does not normally trigger a request for such credentials and would be viewed as suspicious" You have to remember that Windows users are coming over to the Mac side and plugging in a peripheral regularly generates a message asking to install something. These types of alerts would be viewed as normal by them. With all the Adobe updates, too many people are getting comfortable entering their admin password way too many times. Veteran Mac users don't do this but not everyone is a veteran or knows enough about what's going on to not enter their password. This is my biggest concern with the proliferation of new Mac users.
prl99: good point, and something we hope this article will reinforce: be judicious with your admin password, and only apply it when you know exactly why it is being asked for.
Also, if this only affects the Thunderbolt port, most of these 'newbie' users aren't going to be using it anyway. Still, it needs to be fixed; as prl99 points out, average or new users might well be fooled by such a request.