Thursday, August 06, 2015
Is Thunderstrike 2 still a threat despite Apple patch?
Thunderstrike shook the Apple fraternity earlier in the year when it claimed to be able to exploit a vulnerability in the 'Option ROM' to infect any Mac if an exploited Thunderbolt accessory was connected at boot. That Mac could then infect other Thunderbolt accessories, and so the circle continues. This was patched in OS X 10.10.2, or so it seemed until Thunderstrike 2 emerged from the shadows.

Trammell Hudson, along with two other researchers, discovered what they call Thunderstrike 2, which adds a virus to the modified Option ROM firmware. They call it a 'firmworm': a rootkit that uses Thunderbolt hardware to infect Mac firmware and then spread by way of email and infected websites.

According to Trammell Hudson, Thunderstrike 2 was only partially fixed with the release of the Mac EFI Security Update 2015-001 in June. What this means, Hudson says, is that systems running OS X 10.10.4 and higher are "no longer trivially vulnerable", which has to be a good thing. A better thing would be for them not to be vulnerable at all, especially when you consider that your average bad guy is not beyond rolling up his sleeves to get at the booty!

With the latest patch applied, it's still possible for Thunderstrike 2 to write to Option ROMs and spread to new machines, as well as to persist in the S3 resume script until the next full reboot.