New Mac Os X Exploit Opens Permanent Backdoors For Hackers

OS X security researcher has discovered a new way to to overwrite the firmware and take control of almost all Macs which are more than a year older. The attack, which Vilaca has posted on his blog, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. Vilaca has written a script to reflash a Mac’s BIOS using functionality contained in userland. Userland is a boot up part of Mac OS where all applications and drivers are executed.  Vilaca’s script works by exploiting vulnerabilities such as those regularly found in Safari and other Web browsers. Ars Technica says that Vilaca’s exploit is is more serious than the Thunderstrike proof-of-concept exploit which was discovered December, 2014.  Like the Thunderstrike vulnerability, Vilaca’s exploit also gives hackers same level of control of a Mac but unlike Thunderstrike which has to be physically installed on a Mac, this exploit can be remotely executed and hackers can remotely gain control of the targeted Mac. Vilaca’s exploit targets the Mac BIOS protection known as FLOCKDN.  Normally, FLOCKDN allows userland apps read-only access to the BIOS region however Vilaca found that the FLOCDN protection is somehow deactivated after Mac wakes from a sleep mode. This bug or gap in processing is used by the exploit to rewrite the BIOS through a process typically known as reflashing. Once the BIOS is reflashed, the potential hackers can modify Mac’s extensible firmware interface (EFI), the firmware responsible for starting a Mac’s system management mode and enabling other low-level functions before loading the OS. Vilaca says that a drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attack. Vilaca says that a potential hacker could just add a code to send a targeted Mac and execute the exploit the next time the Mac awakes from sleep. Vilaca has confirmed his attack works against a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of which ran the latest available EFI firmware from Apple. Macs released after mid 2014 are immune to this kind of attack. Vilaca is not sure of the reason but says that maybe Apple has silently patched the vulnerability or it has been fixed accidentally through some other update. Apple has not yet commented on the vulnerability. The only way to mitigate this vulnerability is to remove the sleep settings of a Mac and keep it awake all the time.