Researchers Create First Firmware Worm that Can Infect Macs

It was reported Monday that researchers have created the first firmware worm able to infect Macs, called “Thunderstrike 2.”

According to Wired, “An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious website. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM … and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.”

While Macs don’t get viruses, worms, etc. just from visiting the wrong website, they are vulnerable when you download and then install something. That makes the advice simple: don’t download and install applications (which require the user’s password for root access to install) that come from unknown, untrusted, non-verifiable sources.

“Free” can be downright damaging, and now it can be damaging to others. A device connected to a compromised system can itself be compromised and turned into a carrier that spreads this kind of worm, without any indication or password prompt, simply by being connected to another system. It still takes that “patient zero” for that to happen, though.

The researchers have notified Apple of the vulnerabilities; the company has patched one and partially patched another, with three of the vulnerabilities remaining unpatched as of now.

With that said, Apple needs to close these open doors without further delay. The greatest risk of spread via Thunderbolt devices is to those in the media and entertainment/production industries, who frequently swap external drives between systems and send work out on such drives.

This is certainly something to be wary of… but it is an avoidable something.




  • Also, is this even something that is out there or just a hacker’s proof of concept?




  • So, as far as spreading the thing, this looks to me like it is, firstly, only if you have an external device connected with “option ROM”, so this seems to be specific to Thunderbolt connected PCIe-type devices? So, older Macs that don’t have Thunderbolt ports are not susceptible? And, many Mac owners do not have a device with “option ROM” or even know what that is.

    I’ve seen this all over the internet, more of a scare tactic, as, even this article, which is much better than others I have read, still seems incomplete.

    I think we need further explanation.