Two Major Mac OS X Vulnerabilities Bring Apple Security Approach Under Scrutiny

Researchers find exploit for previously known vulnerability and create firmware worm that can spread without physical network

Apple has been accused of not doing enough to protect Mac OS X users by security researchers following the discovery of an exploit being exploited in the wild and the creation of a worm which can overwrite a Mac’s firmware.

Researchers at Malwarebytes have found adware that exploits a previously known privilege escalation flaw to install itself in a user’s computer.

The DYLD_PRINT_TO_FILE vulnerability was first made public by Stefan Esser in July, but he says although the bug has been fixed in beta versions of the upcoming OS X El Capitan, Apple has neglected to provide a patch for commercially available versions of OS X Yosemite.

Known exploit

MacBook 1“So Apple was informed about said bug months ago and as usual did the irresponsible to fix it for some beta half a year in the future only,” he tweeted.

Malwarebytes is critical of Esser’s decision to go public, but also of Apple for not acting on his findings.

“This is obviously very bad news,” said Thomas Reed, a Mac security expert at the company. “Apple has evidently known about this issue for a while now – not due to Esser, but thanks to a responsible researcher going by the Twitter handle @beist, who had alerted Apple some time before Esser discovered the bug. Unfortunately, Apple has not yet fixed this problem, and now it is beginning to bear fruit.”

“Worse, there is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.”

It is understood however that a patch will be issued in Mac OS X Yosemite 10.10.5, but the damage to Apple’s security repuation could be set to take another hit.

Thunderstrike 2

Researchers are set to reveal a new firmware exploit at the Black Hat Conference in Las Vegas known as ‘Thunderstrike 2’. The original Thunderstrike was discovered earlier this year, and could install malware onto a system’s firmware, making it undetectable to anti-virus software.

Once installed, it could spy on users and steal information. However it required an attacker to physically connect a malicious Thunderbolt device in order to infect a Mac.

The exploit was discovered by Trammell Hudson, a security engineer with Two Sigma Investments, who has teamed up with Xeno Kovah, security engineer with firmware security consultancy LegbaCore to create a worm that can spread from Mac to Mac without the need to be physically networked.

Thunderstrike 2 can remotely target systems with a malicious email and if downloaded will automatically infect connected accessories, which will then spread the worm to any other Mac it is connected to. The researchers say the worm could be installed at a factory level or by selling dodgy peripherals on the Internet.

Again, experts say the threat is limited given the difficulty in creating and spreading such a worm, but again, there is a belief Apple could be doing more.

Apple scrutiny

Apple platforms like Mac OS and iOS are traditionally seen as more secure than Windows and Android, but these latest discoveries and a perceived lack of action taken by the Cupertino-based company have put its approach in the spotlight.

“The means to build a firmworm like this are certainly not within the capability of many attackers, but nonetheless it’s clearly important that Apple patches the security holes that allow such attacks to take place at the earliest possible opportunity — before a malicious attacker tries to take advantage of them,” said security expert Graham Cluley. “There are some very smart people out there who are very good at finding vulnerabilities in Apple’s software.

“The good news is that some of them aren’t in the business of exploiting the vulnerabilities for criminal commercial gain, and aren’t in the pocket of foreign governments and intelligence agencies. The really bad news is that Apple isn’t doing enough to work with these researchers, and could be doing much more to ensure that their discoveries are only made public when a fix is available.

“Other technology companies are offering sizeable bug bounties to researchers who work with them to uncover security holes, whereas Apple — one of the richest companies in the world — doesn’t even bother to dangle the carrot of a $10 iTunes voucher, preferring to name bug reporters on a ‘hall of fame’ page instead.”

Are you a security pro? Try our quiz!