Apple Mac OSX Zero Day Bug Allows Hackers to install Rootkit Malware

A zero-day software vulnerability discovered deep in the firmware of many Apple computers could allow an attacker to modify the system’s BIOS and install a rootkit, potentially gaining complete control of the victim’s Mac.

The critical vulnerability, discovered by well-known OS X security researcher Pedro Vilaca, affects Mac computers shipped before mid-2014 that are allowed to go into sleep mode.

UEFI is low-level firmware designed to improve upon a computer’s BIOS; it links the computer's hardware and operating system at startup and is typically not accessible to users.
But…

Vilaca found that the machine’s UEFI code can be unlocked after a computer is put to sleep and then brought back up.

"And you ask, what the hell does this mean?" Vilaca wrote in a blog post published Friday. "It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access."

With the help of various vulnerabilities regularly found in Safari and other Web browsers, it is possible for an attacker to install a rootkit, a malware type that is hard to remove and almost undetectable by security solutions.
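To make "the UEFI code can be unlocked" concrete, here is an added example (not from the article or from Vilaca's research) that decodes flash-protection register snapshots taken before sleep and after resume and reports whether the write lock was dropped. It assumes the Intel PCH register layout (HSFS, BIOS_CNTL, PR0-PR4) from Intel datasheets and that the bug shows up as lock bits left clear after resume; the register values below are constructed, and the function names are mine.

```python
# Added example, not from the article or from Vilaca's write-up. It assumes the
# Intel PCH register layout (HSFS, BIOS_CNTL, PR0-PR4) from Intel datasheets and
# that the bug manifests as flash-lock bits left clear after resume; the register
# snapshots below are constructed values, not reads from a real Mac.

HSFS_FLOCKDN = 1 << 15      # SPI HSFS: Flash Configuration Lock-Down (sticky until reset)
BIOS_CNTL_BIOSWE = 1 << 0   # BIOS Write Enable
BIOS_CNTL_BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI
BIOS_CNTL_SMM_BWP = 1 << 5  # SMM BIOS Write Protect: flash writable only from SMM
PR_WPE = 1 << 31            # Protected Range register: Write Protection Enable


def assess_flash_lock(hsfs, bios_cntl, pr_regs):
    """Return (locked, findings) for one snapshot of the flash-protection registers.

    The SPI controller protects the BIOS region either through Protected Range
    registers (effective only while FLOCKDN freezes them) or through BIOS_CNTL
    (SMM_BWP, or BLE with BIOSWE clear). Anything else leaves flash writable
    from a root-privileged kernel extension.
    """
    findings = []
    flockdn = bool(hsfs & HSFS_FLOCKDN)
    pr_enabled = any(pr & PR_WPE for pr in pr_regs)
    pr_effective = pr_enabled and flockdn
    if pr_enabled and not flockdn:
        findings.append("PR write-protect set but FLOCKDN clear: ranges can be reconfigured")
    if not pr_enabled:
        findings.append("no Protected Range register has WPE set")
    smm_bwp = bool(bios_cntl & BIOS_CNTL_SMM_BWP)
    ble_effective = bool(bios_cntl & BIOS_CNTL_BLE) and not bool(bios_cntl & BIOS_CNTL_BIOSWE)
    if not (smm_bwp or ble_effective):
        findings.append("BIOS_CNTL offers no protection (SMM_BWP clear, BLE/BIOSWE not enforcing)")
    locked = pr_effective or smm_bwp or ble_effective
    return locked, findings


def lock_dropped_across_resume(before, after):
    """True if the snapshot taken before sleep was locked and the post-resume one is not."""
    return assess_flash_lock(*before)[0] and not assess_flash_lock(*after)[0]


# Constructed snapshots: (HSFS, BIOS_CNTL, [PR0..PR4]).
BEFORE_SLEEP = (0x8000, 0x00, [0x8FFF0000, 0, 0, 0, 0])  # FLOCKDN set, PR0 protects BIOS region
AFTER_RESUME = (0x0000, 0x00, [0x8FFF0000, 0, 0, 0, 0])  # same PR0, but FLOCKDN never re-applied

if __name__ == "__main__":
    for name, snap in (("before sleep", BEFORE_SLEEP), ("after resume", AFTER_RESUME)):
        locked, findings = assess_flash_lock(*snap)
        print(f"{name}: {'locked' if locked else 'WRITABLE'}", *findings, sep="\n  ")
    print("lock dropped across resume:", lock_dropped_across_resume(BEFORE_SLEEP, AFTER_RESUME))
```

On a real system the three register values would come from a firmware-inspection tool run once at boot and once after a suspend-resume cycle; the comparison is what tells a defender whether the protection survived the cycle.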

Only Solution -- Don’t let your Computer SLEEP

The only defense available to users is to never let their computers go into sleep mode and to always shut them down instead, according to Vilaca.

The attack is somewhat similar to Thunderstrike, disclosed late last year by researcher Trammell Hudson, which allowed modification of the UEFI through a peripheral device connected to the Mac's Thunderbolt port.

While both attacks give an attacker the same control over a vulnerable Mac, Vilaca claims that his exploit is more dangerous, as it could be possible to exploit the bug remotely, without the brief physical access that the Thunderstrike proof-of-concept exploit required.

"The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access."