A new vulnerability -- albeit one that is extremely unlikely to be exploited "in the wild" -- has been discovered by security researcher Pedro Vilaca. A flaw in pre-2014 Macs could conceivably let an attacker who already controls the operating system reach the Mac's EFI firmware (the code stored in the machine's flash chip, roughly what PC users would call the BIOS; Intel Macs use EFI, not the Open Firmware of the PowerPC era) and, by chaining in other vulnerabilities, overwrite it with malicious firmware.
The vulnerability occurs on pre-2014 Macs immediately after the computer wakes from sleep. Vilaca found that a protection mechanism known as FLOCKDN (the flash configuration lock-down bit in the Intel chipset's SPI flash controller), which normally prevents software running on the machine, including "userland" apps and drivers, from changing the flash write-protection settings, is not re-enabled when an older Mac resumes from sleep. Until the next reboot the firmware is open to potential attack, including a possible "reflashing" (rewriting the firmware) or other malicious modifications.
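As a concrete illustration of what the lost lock means, here is an added example (written for this edit, not code from Vilaca's write-up or from Apple) that decodes the Intel SPI controller registers the way a firmware-check tool does and decides whether a given flash address is still protected against an attacker who already has root. The register bit positions are taken from Intel's public PCH datasheets; the two snapshots are constructed, not dumps from real machines, and on a real system the values would be read as root from the LPC device's PCI configuration space and the SPIBAR memory window. With identical protected-range settings, the only difference between the two snapshots is FLOCKDN, and that single bit flips the answer.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Register bits from the public Intel PCH datasheets. */
#define HSFS_FLOCKDN      (1u << 15) /* SPIBAR+0x04: Flash Configuration Lock-Down */
#define BIOS_CNTL_BIOSWE  (1u << 0)  /* LPC PCI cfg 0xDC: BIOS Write Enable */
#define BIOS_CNTL_BLE     (1u << 1)  /* BIOS Lock Enable (SMI when BIOSWE is set) */
#define BIOS_CNTL_SMM_BWP (1u << 5)  /* SMM BIOS Write Protect */
#define PR_WPE            (1u << 31) /* PRx: Write Protection Enable */
#define PR_COUNT          5          /* PR0..PR4 at SPIBAR+0x74..0x84 */

/* Snapshot of the registers that decide whether the flash is locked. */
struct flash_regs {
    uint16_t hsfs;
    uint8_t  bios_cntl;
    uint32_t pr[PR_COUNT];
};

/* PRx bits 12:0 = base in 4 KiB pages, bits 28:16 = limit page (inclusive). */
static uint32_t pr_base(uint32_t pr)  { return (pr & 0x1FFFu) << 12; }
static uint32_t pr_limit(uint32_t pr) { return (((pr >> 16) & 0x1FFFu) << 12) | 0xFFFu; }

/* True if any PRx with WPE set covers addr (a linear flash address). */
static bool pr_covers(const struct flash_regs *r, uint32_t addr)
{
    for (int i = 0; i < PR_COUNT; i++) {
        uint32_t pr = r->pr[i];
        if ((pr & PR_WPE) && addr >= pr_base(pr) && addr <= pr_limit(pr))
            return true;
    }
    return false;
}

/*
 * Is addr protected against code that already runs as root (and can therefore
 * load a kernel extension and talk to the SPI controller)?  Two independent
 * locks count:
 *  - BIOS_CNTL: BLE and SMM_BWP set with BIOSWE clear (BLE alone only raises
 *    an SMI and is known to be raceable, so it is not counted by itself);
 *  - a protected range covering addr AND FLOCKDN set.  Without FLOCKDN the
 *    PRx registers are ordinary writable MMIO, so an attacker simply clears
 *    them first; that is the state the affected Macs are left in after resume.
 */
bool flash_write_locked(const struct flash_regs *r, uint32_t addr)
{
    bool bc = (r->bios_cntl & BIOS_CNTL_BLE) && (r->bios_cntl & BIOS_CNTL_SMM_BWP) &&
              !(r->bios_cntl & BIOS_CNTL_BIOSWE);
    bool pr = (r->hsfs & HSFS_FLOCKDN) && pr_covers(r, addr);
    return bc || pr;
}

/* Constructed sample snapshots (not real dumps): a BIOS region at
 * 0x200000-0x7FFFFF protected by PR0.  BIOS_CNTL is left at 0 so that only
 * the PRx/FLOCKDN path decides; that is an assumption for the example. */
#define PR0_BIOS (PR_WPE | (0x7FFu << 16) | 0x200u) /* 0x87FF0200 */

const struct flash_regs after_boot   = { .hsfs = HSFS_FLOCKDN, .bios_cntl = 0,
                                         .pr = { PR0_BIOS, 0, 0, 0, 0 } };
const struct flash_regs after_resume = { .hsfs = 0,            .bios_cntl = 0,
                                         .pr = { PR0_BIOS, 0, 0, 0, 0 } };

static void report(const char *when, const struct flash_regs *r, uint32_t addr)
{
    printf("%-13s FLOCKDN=%d PR0=%08" PRIx32 " addr=%06" PRIx32 " -> %s\n", when,
           !!(r->hsfs & HSFS_FLOCKDN), r->pr[0], addr,
           flash_write_locked(r, addr) ? "locked" : "WRITABLE by root");
}

int main(void)
{
    report("after boot:", &after_boot, 0x400000);
    report("after resume:", &after_resume, 0x400000);
    return 0;
}
```

Running it prints "locked" for the freshly booted snapshot and "WRITABLE by root" for the post-resume one, even though PR0 is identical in both: the protected range is only as strong as the lock that stops software from clearing it.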
The threat is considered more serious than other recent firmware exploits because it can be triggered purely from software, with no physical access to the machine, but it must be stressed that the odds of this happening outside a dedicated proof-of-concept demonstration or targeted attack are extremely low. Even if an attacker could use the flaw to reach the firmware, they would also need an exploit granting completely unrestricted "root" access to OS X, so in practice the flaw has to be chained with a local privilege-escalation bug (such as Rootpipe). That is not outside the realm of possibility, as the recent "Thunderstrike" exploit -- which, unlike this new flaw, requires physical access to the machine -- has shown.
The fact that Macs from 2014 and newer appear to have addressed the vulnerability hints that Apple could be aware of the flaw, though it is also possible that the problem was fixed incidentally by various sleep-related firmware updates. Those with older machines can avoid the remote possibility of a future exploit of the flaw by simply turning off the affected Mac's ability to enter system sleep (as distinct from display sleep, which does not trigger the vulnerability). The lock is only lost on resume from system sleep, so rebooting a machine that has slept restores it.
The new potential vulnerability is the latest in a series of recently discovered flaws in Mac firmware or hardware such as Thunderstrike, and it sits alongside OS X privilege-escalation bugs such as Rootpipe that could supply the root access such an attack would need.
Apple, Vilaca said, is in a strong position to guard against such vulnerabilities compared to other companies, as it controls both its hardware and software/firmware chain. "We need to think different and start a trust chain from hardware to software," he wrote in his documentation of the potential exploit.
"Everyone is trying to solve problems starting from software when the hardware is built on top of weak foundations. Apple has a great opportunity here ... I hope they finally see the light and take over this great opportunity."