Symantec has confirmed the existence of a critical vulnerability affecting most Apple Mac models that could enable attackers to overwrite firmware and gain persistent root access to the computer.
The Apple Mac OS X EFI Firmware Security Vulnerability was disclosed last week by security researcher Pedro Vilaca, who discovered that a flawed energy conservation implementation left flash protections unlocked on the affected Macs after they woke up from sleep mode. This means that an attacker can reflash the computer’s firmware to install Extensible Firmware Interface (EFI) rootkit malware.
Analysis by Symantec has confirmed the existence of this vulnerability by replicating the exploit as described. This vulnerability is rated as critical since it can provide an attacker with persistent root access to a computer that may survive any disk wipe or operating system reinstallation.
The vulnerability could be remotely exploited by an attacker if used in conjunction with another exploit that provided root access. While such vulnerabilities are not widespread, they do emerge from time to time. Once an attacker has root access, the only condition required for successful exploit is that the computer enter sleep mode.
There have been no reports of this vulnerability being exploited in the wild, however the likelihood of attacks will increase as news spreads.
Affected Macs
Initial reports indicate that all but the latest 2015 models of Mac appear to be affected by the vulnerability.
Symantec has, to date, tested four different Mac computers. The following computers were found to be vulnerable:
- Mac Mini 5.1
- MacBook Pro 9.2
The following computers were not affected:
- MacBook Pro 11.3
- MacBook Air 6.2
Vilaca found the following computers to be vulnerable:
- MacBook Pro Retina 10.1
- MacBook Pro 8.2
- MacBook Air 5.1
- Mac Pro 9.1
Mitigation
Until a patch for the vulnerability is issued, users who are concerned about being targeted are advised to shut down their computers instead of using sleep mode.
Affected Mac users are advised to keep their software up to date since remote exploit of this vulnerability needs to be performed in conjunction with another vulnerability that will provide remote root access. Updating software will prevent attacks using known exploits.
Analysis of this vulnerability is ongoing and further updates may be published if new information is uncovered.