Thunderstrike Patch Slated for New OS X Build

In addition to patching the three Project Zero vulnerabilities disclosed last week, Apple is apparently readying a fix for the Thunderstrike boot attack as well, something that will purportedly rid all Macs running Yosemite of the issue.

In addition to patching the three Project Zero vulnerabilities disclosed last week, Apple is apparently readying a fix for the Thunderstrike boot attack as well, something that will purportedly rid all Macs running Yosemite of the issue.

All of the vulnerabilities have reportedly been fixed in Yosemite 10.10.2, the next build of the OSX, currently in beta and due for release soon.

iMore.com, an Apple news site, reported on Friday that Apple had to change the code “to not only prevent the Mac’s boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again.”

“According to people with access to the latest beta of OS X 10.10.2, who are familiar with Thunderstrike and how it works, that’s exactly the deep, layered process that’s been completed,” the publication wrote.

The pre-release testing of the new Yosemite build has been circulating for months but the most recent beta version, 10.10.2 (Build 14C106a), was seeded to users last Thursday.

Last week we learned that the beta also addresses the three vulnerabilities previously dug up by Google’s Project Zero. The bugs run the gamut from memory corruption to kernel code execution and even a sandbox escape. While they were first reported to Apple in October, Project Zero’s disclosures come with a 90 day window and the bugs began expiring last week.

Thunderstrike, an undetectable bootkit, can mostly be propagated via malicious devices connected to Apple’s Thunderbolt’s input/output. Details around the exploit were first divulged by New York-based security researcher Trammel Hudson shortly after the New Year at the 31st Chaos Communication Congress (31C3), a security conference in Hamburg, Germany.

Hudson has previously warned the bootkit could persist, lead to root access, and put all data and web traffic on infected machines at risk of interception.

While Apple has fixed the issue in its 2014 Mac Mini and iMac Retina 5K computers, at least until the patch is fully deployed, MacBooks will remain vulnerable as they’re subject to downgrade attacks.

When reached Monday Hudson claimed he hasn’t had time to review the beta release yet but expressed an air of skepticism.

Hudson confirmed that the version he tested while in Hamburg, MBP101_00EE_B06, was subject to those same downgrade attacks. Hudson says he demonstrated the issue, which could allow an attacker to run an older firmware vulnerable to Thunderstrike, to officials from Apple at the time.

Hudson added that the same build, B06 was also subject to normal Option ROM attacks, something that “really puzzles” the researcher, as it’s the same type of attack that Thunderstrike used to insert peripheral firmware into the EFI to disrupt the machine.

This means that many of Thunderstrike’s symptoms could still be present.

“Firmware passwords can easily be bypassed and, as demonstrated by Snare over two and a half years ago, boot.efi backdoored, etc,” Hudson said.

It was the Australian security researcher and pen tester Snare whose research first prompted Hudson to look into this project. Snare demonstrated at Black Hat in 2012 (.PDF) how a rootkit, using a modified Thunderbolt to Ethernet adapter, could take down FileVault and manipulate a machine’s EFI.

Suggested articles