Mac bug makes rootkit injection as easy as falling asleep

Respected Apple hacker Pedro Vilaça has uncovered a low-level zero day vulnerability in Mac computers that allows privileged users to more easily install EFI rootkits.

Vilaça says the attack, first thought to be an extension of previous research rather than separate zero day, took advantage of unlocked flash protections when machines go into sleep mode.

“Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle,” Vilaça says in a post.

“It means that you can overwrite the contents of your BIOS from userland a rootkit EFI without any other tricks other than a suspend-resume cycle, a kernel extension, flashrom, and root access.

“The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access [provided] a suspended happens in the current session … you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage.”

Apple has been contacted for comment.

Flash locks are removed when machines enter a sleep state for about 30 seconds or more, allowing attackers to update the flashrom contents from userland including EFI binaries.

Affected models include the MacBook Pro Retina, and Pro, and MacBook Airs, each running the latest EFI firmware updates.

Some of the latest machines are not affected leading Vilaça to think Apple is aware of the vulnerability.

“If they (Apple) indeed knew about the bug – because I don’t believe it’s a coincidence not working in latest machines – then they keep their pattern of not patching older versions,” he says.

The hacker has some tools that can be used to compare firmware against stock images in a bid to detect compromises, but it is not a complete defense against the attacks.

He says Apple should follow the lead of Google with its Chromebook and attempt to validate the integrity of underlying hardware, not just the software running on top. ®