Stealthy Mac OS


An alarming number of Macs remain vulnerable to known exploits that completely undermine their security and are almost impossible to detect or fix even after receiving all security updates available from Apple, a comprehensive study released Friday has concluded.

The exposure results from known vulnerabilities that remain in the Extensible Firmware Interface, or EFI, which is the software located on a computer motherboard that runs first when a Mac is turned on. EFI identifies what hardware components are available, starts those components up, and hands them over to the operating system. Over the past few years, Apple has released updates that patch a host of critical EFI vulnerabilities exploited by attacks known as Thunderstrike and ThunderStrike 2, as well as a recently disclosed CIA attack tool known as Sonic Screwdriver.

An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. Forty-seven Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version.

Hard to detect, (almost) impossible to disinfect


Attacks against EFI are considered especially potent because they give attackers control that starts with the very first instruction a Mac receives. What's more, the level of control attackers get far exceeds what they gain by exploiting vulnerabilities in the OS or the apps that run on it. That means an attacker who compromises a computer's EFI can bypass higher-level security controls, such as those built into the OS or, assuming one is running for extra protection, a virtual machine hypervisor. An EFI infection is also extremely hard to detect and even harder to remedy, as it can survive even after a hard drive is wiped or replaced and a clean version of the OS is installed.


'As the pre-boot environment becomes increasingly like a full OS in and of its own, it must likewise be treated like a full OS in terms of the security support and attention applied to it,' Duo Security researchers wrote in a whitepaper outlining their research. Referring to the process of assuring the quality of a release, the researchers added: 'This attention goes beyond just releasing well QA'd EFI patches—it extends to the use of appropriate user and admin notifications to message the security status of the firmware alongside easy-to-apply remedial actions.'

Duo Security warned that the problem of out-of-date pre-boot firmware for computers running Windows and Linux may be even worse. Whereas Apple is solely responsible for supplying the motherboards that go into Macs, there are a wide number of manufacturers supplying motherboards for Windows and Linux machines, with each manufacturer providing vastly different families of firmware. Duo Security focused on Macs because Apple's control over the entire platform made such an analysis much more feasible and because they provided an indication of how pre-boot firmware is faring across the entire industry.

In an e-mailed statement, Apple officials wrote: 'We appreciate Duo's work on this industry-wide issue and noting Apple's leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we're always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.'

Apple didn't respond to a followup question asking how the weekly firmware validation measure works in the just-released High Sierra version of macOS. The new macOS version introduces a feature called eficheck, but Duo Security researchers said they have found no evidence it warns users when they're running out-of-date EFI versions, as long as they're official ones from Apple. Instead, eficheck appears only to check if EFI firmware was issued by someone other than Apple.

The research comes two years after Apple overhauled the way it delivers firmware updates. Since 2015, Apple has bundled software and firmware updates in the same release in an effort to ensure users automatically install all available security fixes. Prior to the change, Apple distributed EFI updates separately from OS and application updates. Further complicating the old process, firmware updates required users to install them by first booting into a dedicated EFI firmware mode.


The Duo Security research indicates that the new firmware patching regimen has multiple problems of its own. In some cases, entire Mac model categories aren't receiving firmware updates at all. In other cases, Mac models receive an EFI update with a version that's earlier than the one that's currently installed. The error results in no update being installed, since a Mac's EFI system will automatically reject updates that try to roll back to earlier versions. In other cases, Macs don't get updated for reasons Duo Security wasn't able to determine.

Attacks on the bleeding edge

People with out-of-date EFI versions should know that pre-boot firmware exploits are currently considered to be on the bleeding edge of computer attacks. They require large amounts of expertise, and, in many—but not all—cases, they require brief physical access to the targeted computer. This means that someone who uses a Mac for personal e-mail, Web browsing, and even online banking probably isn't enough of a high-profile user to be targeted by an attack this advanced. By contrast, journalists, attorneys, and people with government clearances may want to include EFI attacks in their threat modeling.

Duo Security is releasing a free tool it's calling EFIgy that makes it easy to check whether a Mac is running an EFI version with a known vulnerability. It's available for download here. For people using Windows and Linux computers, the process for verifying they have the most up-to-date UEFI version isn't nearly as simple. Windows users can open a command prompt with administrative rights and type 'wmic BIOS get name, version, serialnumber' and then compare the result with what's recommended by the hardware manufacturer. Finding the UEFI version on a Linux computer varies from distribution to distribution. In some cases, out-of-date firmware can be updated. For older computers, the best course of action may be to retire the machine. A blog post accompanying the whitepaper is here.
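The audit Duo Security describes boils down to comparing the EFI version each Mac reports with the version prescribed for its model and OS, and separating the failure modes the article lists (no update shipped, update never applied, update rejected because it is older than what is installed). The following is an added illustration of that comparison, not EFIgy's code or Apple's; the model names, the "FAMX.NNNN" version scheme and the prescribed-version table are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mac:
    model: str        # hardware model identifier from the inventory
    os_version: str   # macOS version the machine reports
    efi_version: str  # EFI (Boot ROM) version the machine reports

# Constructed sample of the EFI version prescribed per (model, OS version).
# "FAMX.NNNN" is a placeholder scheme, not a real Apple version string.
PRESCRIBED = {
    ("ModelA", "10.12.6"): "FAMA.0200",
    ("ModelB", "10.12.6"): "FAMB.0150",
}

def efi_number(version):
    """Trailing numeric field of a placeholder version, used for ordering."""
    return int(version.rsplit(".", 1)[1])

def classify(mac):
    """Compare one Mac's reported EFI version with the prescribed one."""
    expected = PRESCRIBED.get((mac.model, mac.os_version))
    if expected is None:
        return "no-update-shipped"   # model category receives no EFI updates at all
    if mac.efi_version == expected:
        return "ok"
    if efi_number(mac.efi_version) > efi_number(expected):
        # The prescribed version is older than what is installed: the firmware
        # refuses the rollback, so the update never applies.
        return "rollback-rejected"
    return "outdated"                # update should have applied but did not

def audit(fleet):
    """Count Macs per status and return the share not on the prescribed version."""
    counts = {}
    for mac in fleet:
        status = classify(mac)
        counts[status] = counts.get(status, 0) + 1
    mismatched = sum(n for s, n in counts.items() if s != "ok")
    return counts, round(100.0 * mismatched / len(fleet), 1)

# Constructed fleet sample, one machine per outcome
FLEET = [
    Mac("ModelA", "10.12.6", "FAMA.0200"),  # matches prescribed
    Mac("ModelA", "10.12.6", "FAMA.0180"),  # behind prescribed
    Mac("ModelB", "10.12.6", "FAMB.0160"),  # ahead of prescribed
    Mac("ModelC", "10.12.6", "FAMC.0100"),  # no prescribed version
]
```

On a real Mac the reported value would come from the Boot ROM version shown by `system_profiler SPHardwareDataType`, and the prescribed table from Apple's shipped firmware packages.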


Duo Security's research exposes a security blind spot in the Mac world that almost certainly extends well into the Windows and Linux ecosystems as well. Now that the findings have gone public and a much larger sample of Macs can be tested, the world will be able to get a better idea of how widespread the problem really is. Getting a clearer picture of how Windows and Linux systems are affected will take more time.

Post updated in the eighth paragraph to add details about eficheck.

A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware's ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
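An hourly check-in is the one concrete behaviour described so far, and it is observable in outbound traffic. The following added example (not Red Canary's detection logic, and using constructed log lines with invented hosts and destinations rather than any Silver Sparrow indicator) flags host/destination pairs whose requests recur at a near-constant interval close to 3600 seconds.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <host> <destination>".
# Hosts and destinations are invented; they are not Silver Sparrow indicators.
LOG_LINES = """
2021-02-18T09:00:05 mac-01 updates.example-cdn.net
2021-02-18T09:12:40 mac-01 news.example.org
2021-02-18T10:00:07 mac-01 updates.example-cdn.net
2021-02-18T11:00:04 mac-01 updates.example-cdn.net
2021-02-18T12:00:06 mac-01 updates.example-cdn.net
2021-02-18T09:30:00 mac-02 news.example.org
2021-02-18T09:45:00 mac-02 news.example.org
2021-02-18T13:10:00 mac-02 news.example.org
""".strip().splitlines()

def parse(lines):
    """Group request timestamps by (host, destination)."""
    series = defaultdict(list)
    for line in lines:
        ts, host, dest = line.split()
        series[(host, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(lines, period=3600, tolerance=0.02, min_hits=3):
    """Return (host, destination) pairs whose requests recur every ~period seconds."""
    hits = []
    for key, stamps in parse(lines).items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Mean gap near the period and low jitter between gaps: a timer, not a person
        if (abs(mean(gaps) - period) <= tolerance * period
                and pstdev(gaps) <= tolerance * period):
            hits.append(key)
    return hits
```

Legitimate updaters also poll on fixed timers, so a hit is a triage lead: the destination, the process making the request and the install path still need to be examined before calling it an infection.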

Also curious, the malware comes with a mechanism to completely remove itself, a capability that's typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.

Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.

Reasonably serious threat

'Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice,' Red Canary researchers wrote in a blog post published on Friday. 'Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.'

Silver Sparrow comes in two versions: one with a binary in mach-object (Mach-O) format compiled for Intel x86_64 processors, the other with a Mach-O binary for the M1. The image below offers a high-level overview of the two versions.

So far, researchers haven't seen either binary do much of anything, prompting the researchers to refer to them as 'bystander binaries.' Curiously, when executed, the x86_64 binary displays the words 'Hello World!' while the M1 binary reads 'You did it!' The researchers suspect the files are placeholders that give the installer something to distribute outside the JavaScript execution. Apple has revoked the developer certificate for both bystander binary files.

Silver Sparrow is only the second piece of malware to contain code that runs natively on Apple's new M1 chip. An adware sample reported earlier this week was the first. Native M1 code runs with greater speed and reliability on the new platform than x86_64 code does because the former doesn't have to be translated before being executed. Many developers of legitimate macOS apps still haven't completed the process of recompiling their code for the M1. Silver Sparrow's M1 version suggests its developers are ahead of the curve.

Once installed, Silver Sparrow searches for the URL the installer package was downloaded from, most likely so the malware operators will know which distribution channels are most successful. In that regard, Silver Sparrow resembles previously seen macOS adware. It remains unclear precisely how or where the malware is being distributed or how it gets installed. The URL check, though, suggests that malicious search results may be at least one distribution channel, in which case, the installers would likely pose as legitimate apps.



An Apple spokesperson provided a comment on the condition they not be named and the comment not be quoted. The statement said that after finding the malware, Apple revoked the developer certificates. Apple also noted there's no evidence of a malicious payload being delivered. Last, the company said it provides a variety of hardware and software protections and software updates and that the Mac App Store is the safest venue to obtain macOS software.

Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That's a significant achievement.

'To me, the most notable [thing] is that it was found on almost 30K macOS endpoints.. and these are only endpoints the MalwareBytes can see, so the number is likely way higher,' Patrick Wardle, a macOS security expert, wrote in an Internet message. 'That's pretty widespread.. and yet again shows the macOS malware is becoming ever more pervasive and commonplace, despite Apple's best efforts.'

For those who want to check if their Mac has been infected, Red Canary provides indicators of compromise at the end of its report.
