
Researchers Create First Firmware Worm That Attacks Macs

Started by: billy@MIX.COM
First post: 2015-08-04 13:28 +0000
Last post: 2015-08-04 16:46 +0000
Articles 19 — 11 participants



Contents

  Researchers Create First Firmware Worm That Attacks Macs billy@MIX.COM - 2015-08-04 13:28 +0000
    Re: Researchers Create First Firmware Worm That Attacks Macs Davoud <star@sky.net> - 2015-08-04 09:54 -0400
      Re: Researchers Create First Firmware Worm That Attacks Macs Jerry Bishop <jerry.bishop@nowhere.nohow.com> - 2015-08-04 10:24 -0400
        Re: Researchers Create First Firmware Worm That Attacks Macs Barry Margolin <barmar@alum.mit.edu> - 2015-08-04 10:54 -0400
          Re: Researchers Create First Firmware Worm That Attacks Macs Jerry Bishop <jerry.bishop@nowhere.nohow.com> - 2015-08-04 13:15 -0400
            Re: Researchers Create First Firmware Worm That Attacks Macs nospam <nospam@nospam.invalid> - 2015-08-04 13:24 -0400
              Re: Researchers Create First Firmware Worm That Attacks Macs Jerry Bishop <jerry.bishop@nowhere.nohow.com> - 2015-08-04 14:04 -0400
                Re: Researchers Create First Firmware Worm That Attacks Macs Electric Comet <electric-comet@mail.invalid> - 2015-08-07 12:49 -0700
            Re: Researchers Create First Firmware Worm That Attacks Macs gtr <xxx@yyy.zzz> - 2015-08-04 11:26 -0700
            Re: Researchers Create First Firmware Worm That Attacks Macs Electric Comet <electric-comet@mail.invalid> - 2015-08-07 12:47 -0700
        Re: Researchers Create First Firmware Worm That Attacks Macs Davoud <star@sky.net> - 2015-08-04 23:20 -0400
        Re: Researchers Create First Firmware Worm That Attacks Macs Electric Comet <electric-comet@mail.invalid> - 2015-08-07 12:42 -0700
          Re: Researchers Create First Firmware Worm That Attacks Macs Don Bruder <dakidd@sonic.net> - 2015-08-07 13:37 -0700
            Re: Researchers Create First Firmware Worm That Attacks Macs Your Name <YourName@YourISP.com> - 2015-08-08 10:32 +1200
          Re: Researchers Create First Firmware Worm That Attacks Macs Michelle Steiner <michelle@michelle.org> - 2015-08-07 15:17 -0700
      Re: Researchers Create First Firmware Worm That Attacks Macs Electric Comet <electric-comet@mail.invalid> - 2015-08-04 10:55 -0700
        Re: Researchers Create First Firmware Worm That Attacks Macs gtr <xxx@yyy.zzz> - 2015-08-05 08:34 -0700
    Re: Researchers Create First Firmware Worm That Attacks Macs Jolly Roger <jollyroger@pobox.com> - 2015-08-04 16:43 +0000
    Re: Researchers Create First Firmware Worm That Attacks Macs Jolly Roger <jollyroger@pobox.com> - 2015-08-04 16:46 +0000

#78390 — Researchers Create First Firmware Worm That Attacks Macs

From: billy@MIX.COM
Date: 2015-08-04 13:28 +0000
Subject: Researchers Create First Firmware Worm That Attacks Macs
Message-ID: <mpqelr$6d5$1@reader2.panix.com>

http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/

| THE COMMON WISDOM when it comes to PCs and Apple computers is
| that the latter are much more secure.  Particularly when it comes
| to firmware, people have assumed that Apple systems are locked down
| in ways that PCs aren't.
|
| It turns out this isn't true.  [...]

Billy Y..
-- 
        sub     #'9+1   ,r0             ; convert ascii byte
	add     #9.+1   ,r0             ; to an integer
	bcc     20$                     ; not a number



#78391

From: Davoud <star@sky.net>
Date: 2015-08-04 09:54 -0400
Message-ID: <040820150954372658%star@sky.net>
In reply to: #78390

<billy@MIX.COM>:

Another "proof of concept." No meaning in the real world.

"The worm will not work with the latest version of Apple software,
according to a person with knowledge of the issue." -- Washington Post

-- 
I agree with almost everything that you have said and almost everything that
you will say in your entire life.

usenet *at* davidillig dawt cawm



#78392

From: Jerry Bishop <jerry.bishop@nowhere.nohow.com>
Date: 2015-08-04 10:24 -0400
Message-ID: <55c0cb29$0$46982$c3e8da3$aae71a0a@news.astraweb.com>
In reply to: #78391

On 2015-08-04 13:54:37 +0000, Davoud said:

> <billy@MIX.COM>:
> 
> Another "proof of concept." No meaning in the real world.
> 
> "The worm will not work with the latest version of Apple software,
> according to a person with knowledge of the issue." -- Washington Post

Nice job cherry-picking a quote.  Here is the entire, two-sentence 
paragraph from the Washington Post article:

"Wired also reported that the researchers notified Apple of the 
firmware vulnerabilities that affect Macs and that the company has 
patched some, but not all, of the issues. The worm will not work with 
the latest version of Apple software, according to a person with 
knowledge of the issue."

So what the article's author should have said was "*This* worm will not 
work with the latest version of Apple *firmware*".

Other worms can be written that do work with the latest firmware 
because Apple did not fix all the vulnerabilities nor did it introduce 
signing of the firmware itself to prevent tampering.  By the way, I 
just recently read an article praising Apple's computers for their 
relative longevity compared to the plastic crap produced for most PCs 
(something to which I can attest, since I have a few old Macs still 
running and not one old Dell left -- out of many -- that boots).  So 
there is a lot of old, unpatched and unpatchable Mac firmware out there 
ripe for the picking.

I love my MacBook, but devotees of Apple need to stop trying to swat 
away hornets like they were gnats.  They are going to get stung.

I have to wonder if this concept of a firmware worm can be applied to 
an iPhone or iPad, too.  If, in fact, the worm can be delivered by a 
web-site drive-by or phishing email, that could be scary, indeed.

Jerry



#78394

From: Barry Margolin <barmar@alum.mit.edu>
Date: 2015-08-04 10:54 -0400
Message-ID: <barmar-323F3D.10544504082015@88-209-239-213.giganet.hu>
In reply to: #78392

In article <55c0cb29$0$46982$c3e8da3$aae71a0a@news.astraweb.com>,
 Jerry Bishop <jerry.bishop@nowhere.nohow.com> wrote:

> On 2015-08-04 13:54:37 +0000, Davoud said:
> 
> > <billy@MIX.COM>:
> > 
> > Another "proof of concept." No meaning in the real world.
> > 
> > "The worm will not work with the latest version of Apple software,
> > according to a person with knowledge of the issue." -- Washington Post
> 
> Nice job cherry-picking a quote.  Here is the entire, two-sentence 
> paragraph from the Washington Post article:
> 
> "Wired also reported that the researchers notified Apple of the 
> firmware vulnerabilities that affect Macs and that the company has 
> patched some, but not all, of the issues. The worm will not work with 
> the latest version of Apple software, according to a person with 
> knowledge of the issue."
> 
> So what the article's author should have said was "*This* worm will not 
> work with the latest version of Apple *firmware*".

What's the difference between "the worm" and "this worm"? If they had 
written "worms" you would have a point. But "the" is a definite article, 
referring to the worm previously mentioned, not all worms in general.

And no one with any knowledge about computer security would expect any 
fix to protect against ALL future exploits. They can only fix 
vulnerabilities they know about, and try to design things securely in 
general. But there will always be unknowns that you have to deal with 
later. Claiming that something is perfectly secure is like claiming that 
a program has no bugs -- it's either a lie or self-delusion.

I thought there was something posted last year about this. But I looked 
back, and it was just a general discussion of firmware worms that could 
spread through USB, but Macs weren't mentioned.

> 
> I have to wonder if this concept of a firmware worm can be applied to 
> an iPhone or iPad, too.  If, in fact, the worm can be delivered by a 
> web-site drive-by or phishing email, that could be scary, indeed.

I'm pretty sure the worm being described in the article can't be 
delivered over the network. It requires you to attach a Thunderbolt 
device that contains the exploit code.

More generally, firmware can only be updated by privileged code. These 
worms take advantage of the fact that the system automatically installs 
drivers that are on Thunderbolt and USB devices, and this installation 
runs in privileged mode. Web browsers are not so privileged -- when you 
download an application, you have to install it using a separate step 
that requires you to enter a password.

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***



#78405

From: Jerry Bishop <jerry.bishop@nowhere.nohow.com>
Date: 2015-08-04 13:15 -0400
Message-ID: <55c0f339$0$42774$c3e8da3$9deca2c3@news.astraweb.com>
In reply to: #78394

On 2015-08-04 14:54:45 +0000, Barry Margolin said:

> In article <55c0cb29$0$46982$c3e8da3$aae71a0a@news.astraweb.com>,
>  Jerry Bishop <jerry.bishop@nowhere.nohow.com> wrote:
> 
>> On 2015-08-04 13:54:37 +0000, Davoud said:
>> 
>>> <billy@MIX.COM>:
>>> 
>>> Another "proof of concept." No meaning in the real world.
>>> 
>>> "The worm will not work with the latest version of Apple software,
>>> according to a person with knowledge of the issue." -- Washington Post
>> 
>> Nice job cherry-picking a quote.  Here is the entire, two-sentence
>> paragraph from the Washington Post article:
>> 
>> "Wired also reported that the researchers notified Apple of the
>> firmware vulnerabilities that affect Macs and that the company has
>> patched some, but not all, of the issues. The worm will not work with
>> the latest version of Apple software, according to a person with
>> knowledge of the issue."
>> 
>> So what the article's author should have said was "*This* worm will not
>> work with the latest version of Apple *firmware*".

...

> And no one with any knowledge about computer security would expect any
> fix to protect against ALL future exploits. They can only fix
> vulnerabilities they know about, and try to design things securely in
> general. But there will always be unknowns that you have to deal with
> later. Claiming that something is perfectly secure is like claiming that
> a program has no bugs -- it's either a lie or self-delusion.

Sure, we can not expect anyone to fix the unknowns, however the quote 
clearly stated that Apple failed to fix all of the known 
vulnerabilities.

> 
>> 
>> I have to wonder if this concept of a firmware worm can be applied to
>> an iPhone or iPad, too.  If, in fact, the worm can be delivered by a
>> web-site drive-by or phishing email, that could be scary, indeed.
> 
> I'm pretty sure the worm being described in the article can't be
> delivered over the network. It requires you to attach a Thunderbolt
> device that contains the exploit code.

> More generally, firmware can only be updated by privileged code. These
> worms take advantage of the fact that the system automatically installs
> drivers that are on Thunderbolt and USB devices, and this installation
> runs in privileged mode. Web browsers are not so privileged -- when you
> download an application, you have to install it using a separate step
> that requires you to enter a password.

According to the original Wired article that the WaPo was using as a source:

"An attacker could first remotely compromise the boot flash firmware on 
a MacBook by delivering the attack code via a phishing email and 
malicious web site. That malware would then be on the lookout for any 
peripherals connected to the computer that contain option ROM, such as 
an Apple Thunderbolt Ethernet adapter, and infect the firmware on 
those. The worm would then spread to any other computer to which the 
adapter gets connected."

-- http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/


There are known (and most probably, unknown -- to Apple and us, anyway) 
privilege-escalation attacks that can be used by the exploit in the web 
drive-by or phishing mail to grab root access without a password and 
then install the firmware worm payload.  The worm then spreads by 
infecting Thunderbolt or other attached peripherals, which is how it 
can infect air-gapped devices.

Do not doubt the sophistication of motivated attackers, this type of 
attack (driveby - to privilege escalation -- to pwnage) happens all the 
time to Macs and PCs and Linux boxes and lots of other stuff.  I've 
been in the computer security business for about 20 years now, nothing 
at all surprises me ... well the stuff revealed by Snowden was 
surprising, but not unexpected once I saw the stuff coming at us from 
other state actors.

Jerry
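
Added example (not part of the thread, and not the researchers' code): the Wired passage quoted above has the worm living in peripheral option ROMs, so one defensive check is to hash every image in an adapter's option ROM dump and compare it with a known-good baseline. The sketch follows the standard PCI expansion ROM layout (55 AA header, "PCIR" structure); the function names, the baseline format and the sample ROM with IDs 0x1234/0x5678 are constructed for illustration, and it assumes you already hold a raw dump of the ROM.

```python
import hashlib
import struct

CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "PA-RISC", 3: "EFI"}


def parse_option_rom(blob):
    """Walk the image chain of a PCI expansion ROM dump and hash each image."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 55 AA ROM signature at offset {off:#x}")
        # The 16-bit little-endian pointer at 0x18 locates the "PCIR" structure.
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if pcir + 0x18 > len(blob) or blob[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 0x04)
        units = struct.unpack_from("<H", blob, pcir + 0x10)[0]  # 512-byte units
        code_type, indicator = struct.unpack_from("<BB", blob, pcir + 0x14)
        length = units * 512
        if length == 0 or off + length > len(blob):
            raise ValueError(f"image at {off:#x} claims invalid length {length}")
        images.append({
            "offset": off,
            "vendor": vendor,
            "device": device,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "sha256": hashlib.sha256(blob[off:off + length]).hexdigest(),
        })
        off += length
        if indicator & 0x80:  # bit 7 set: last image in the chain
            break
    return images


def make_baseline(images):
    """Map (vendor, device, code type) to the known-good SHA-256 of that image."""
    return {(i["vendor"], i["device"], i["code_type"]): i["sha256"] for i in images}


def audit(blob, baseline):
    """Return findings for images that are new, changed or missing vs. the baseline."""
    findings, seen = [], set()
    for img in parse_option_rom(blob):
        key = (img["vendor"], img["device"], img["code_type"])
        seen.add(key)
        label = f"{key[2]} image {key[0]:04x}:{key[1]:04x} at {img['offset']:#x}"
        if key not in baseline:
            findings.append(f"unexpected {label}")
        elif baseline[key] != img["sha256"]:
            findings.append(f"hash mismatch in {label}")
    for key in sorted(baseline.keys() - seen):
        findings.append(f"missing {key[2]} image {key[0]:04x}:{key[1]:04x}")
    return findings


def _make_image(vendor, device, code_type, last, body):
    """Build one constructed 512-byte ROM image (sample data, not a real ROM)."""
    img = bytearray(512)
    img[0:2] = b"\x55\xaa"
    struct.pack_into("<H", img, 0x18, 0x1C)          # PCIR lives at 0x1C
    img[0x1C:0x20] = b"PCIR"
    struct.pack_into("<HH", img, 0x20, vendor, device)
    struct.pack_into("<H", img, 0x2C, 1)             # image length: 1 x 512 bytes
    struct.pack_into("<BB", img, 0x30, code_type, 0x80 if last else 0)
    img[0x40:0x40 + len(body)] = body
    return bytes(img)


def build_sample_rom():
    """Constructed two-image ROM: a legacy image followed by an EFI image."""
    return (_make_image(0x1234, 0x5678, 0, False, b"legacy stub")
            + _make_image(0x1234, 0x5678, 3, True, b"efi driver"))


if __name__ == "__main__":
    good = build_sample_rom()
    baseline = make_baseline(parse_option_rom(good))
    tampered = bytearray(good)
    tampered[512 + 0x40] ^= 0x01                     # flip one bit in the EFI image
    print(audit(good, baseline))
    print(audit(bytes(tampered), baseline))
```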



#78406

From: nospam <nospam@nospam.invalid>
Date: 2015-08-04 13:24 -0400
Message-ID: <040820151324445308%nospam@nospam.invalid>
In reply to: #78405

In article <55c0f339$0$42774$c3e8da3$9deca2c3@news.astraweb.com>, Jerry
Bishop <jerry.bishop@nowhere.nohow.com> wrote:

> >> I have to wonder if this concept of a firmware worm can be applied to
> >> an iPhone or iPad, too.  If, in fact, the worm can be delivered by a
> >> web-site drive-by or phishing email, that could be scary, indeed.
> > 
> > I'm pretty sure the worm being described in the article can't be
> > delivered over the network. It requires you to attach a Thunderbolt
> > device that contains the exploit code.
> 
> > More generally, firmware can only be updated by privileged code. These
> > worms take advantage of the fact that the system automatically installs
> > drivers that are on Thunderbolt and USB devices, and this installation
> > runs in privileged mode. Web browsers are not so privileged -- when you
> > download an application, you have to install it using a separate step
> > that requires you to enter a password.
> 
> According to the original Wired article that the WaPo was using as a source:

a more accurate source is this
<http://tidbits.com/article/15841?>

  Wired has reported on new research being presented at this week's
  Black Hat security conference on a proof-of-concept Mac worm that
  could spread through the Mac's firmware, rather than software. While
  Wired's piece makes this sound like a super worm capable of leaping
  through air gaps and infecting the world's Macs, the reality is more
  mundane. The research itself is excellent and fascinating work from
  Trammell Hudson and Xeno Kovah, and as always we hope Apple patches
  all the flaws quickly, but this isn't something most Apple users need
  to lose any sleep over.

...

  Am I vulnerable?
  Probably not. OS X 10.10.4 Yosemite breaks the proof-of-concept
  demonstration. That doesn't mean Macs are immune from firmware
  attacks, but it does mean the current attack demonstration won't work
  on Macs running the latest version of Yosemite.

...

  Is this a new vulnerability?
  Yes and no. The concept is based on earlier firmware vulnerabilities.
  According to articles, five new vulnerabilities were reported to
  Apple after the original Thunderstrike proof of concept. Of those,
  one has been patched, one has been partially patched, and three more
  are still being dealt with.

...

  Is there anything I need to do?
  No, nearly everyone can ignore Thunderstrike 2 entirely. The research
  really is excellent, compelling work that the Wired piece
  unfortunately turned into a bit a fright-fest. The Web attack vector,
  in particular, is blocked in OS X 10.10.4. The worm can't
  automatically jump air gaps -- those in sensitive environments can
  easily protect themselves by being careful where they source their
  Thunderbolt devices, and this entire family of firmware attacks is
  likely to become a lot more difficult as hardware improves, and as
  device manufacturers update their firmware code.



#78408

From: Jerry Bishop <jerry.bishop@nowhere.nohow.com>
Date: 2015-08-04 14:04 -0400
Message-ID: <55c0fe9a$0$19930$c3e8da3$33881b6a@news.astraweb.com>
In reply to: #78406

On 2015-08-04 17:24:44 +0000, nospam said:

> 
> a more accurate source is this
> <http://tidbits.com/article/15841?>

Good article, thanks for the link.  I agree with most of what was said, 
although I worry more about the network-based vector for delivery than 
he does.  If one vector was patched in the very latest version of OS X, 
then great.  But there are lots of vectors and lots of Macs running 
earlier versions.

Mainly, though, I was protesting the simple handwaving from Davoud, 
which replicates a lot of people in this group.  The "no big deal ... 
MY mac can't get infected"-type answers to every revealed vulnerability 
gets old, when we know from experience that is dangerous denialism.

Have a good day.

Jerry



#78501

From: Electric Comet <electric-comet@mail.invalid>
Date: 2015-08-07 12:49 -0700
Message-ID: <mq324b$pnr$3@dont-email.me>
In reply to: #78408

On Tue, 4 Aug 2015 14:04:10 -0400
Jerry Bishop <jerry.bishop@nowhere.nohow.com> wrote:

> Mainly, though, I was protesting the simple handwaving from Davoud, 
> which replicates a lot of people in this group.  The "no big deal ... 
> MY mac can't get infected"-type answers to every revealed
> vulnerability gets old, when we know from experience that is
> dangerous denialism.

it is dangerous but they have a horse in the race so what do you expect


#78409

From: gtr <xxx@yyy.zzz>
Date: 2015-08-04 11:26 -0700
Message-ID: <2015080411260975101-xxx@yyyzzz>
In reply to: #78405

On 2015-08-04 17:15:37 +0000, Jerry Bishop said:

> I've been in the computer security business for about 20 years now...

How's business?



#78500

From: Electric Comet <electric-comet@mail.invalid>
Date: 2015-08-07 12:47 -0700
Message-ID: <mq320i$pnr$2@dont-email.me>
In reply to: #78405

On Tue, 4 Aug 2015 13:15:37 -0400
Jerry Bishop <jerry.bishop@nowhere.nohow.com> wrote:

> Do not doubt the sophistication of motivated attackers, this type of 
> attack (driveby - to privilege escalation -- to pwnage) happens all
> the time to Macs and PCs and Linux boxes and lots of other stuff.
> I've been in the computer security business for about 20 years now,
> nothing at all surprises me ... well the stuff revealed by Snowden
> was surprising, but not unexpected once I saw the stuff coming at us
> from other state actors.

it is much worse than most people know
sad but true

but good that many people now understand that the state actors are
the biggest problem

but the state actors will not be thwarted easily
why do you think it has been so difficult to make truly open hardware


#78415

From: Davoud <star@sky.net>
Date: 2015-08-04 23:20 -0400
Message-ID: <040820152320236091%star@sky.net>
In reply to: #78392

Jerry Bishop:
> ...devotees of Apple need to stop trying to swat 
> away hornets like they were gnats.  They are going to get stung.
> 
> I have to wonder if this concept of a firmware worm can be applied to 
> an iPhone or iPad, too.  If, in fact, the worm can be delivered by a 
> web-site drive-by or phishing email, that could be scary, indeed.

Sorry, but I've been hearing this stuff for the entire 30 years that I
have used Macs with no malware. Could it ever happen? Sure. But I'm not
going to fret about it when it hasn't happened.

-- 
I agree with almost everything that you have said and almost everything that
you will say in your entire life.

usenet *at* davidillig dawt cawm



#78499

From: Electric Comet <electric-comet@mail.invalid>
Date: 2015-08-07 12:42 -0700
Message-ID: <mq31oa$pnr$1@dont-email.me>
In reply to: #78392

On Tue, 4 Aug 2015 10:24:40 -0400
Jerry Bishop <jerry.bishop@nowhere.nohow.com> wrote:

> I have to wonder if this concept of a firmware worm can be applied to 
> an iPhone or iPad, too.  If, in fact, the worm can be delivered by a 
> web-site drive-by or phishing email, that could be scary, indeed.

wonder no more
it has been possible
it is possible

aapple will not admit it ever

some exploits are useful to certain groups of people
bounties are paid regularly for exposing exploits
there is no shortage of exploits

sock-puppets here will always try to hand wave it all away
because that is what they are here for they have nothing useful to offer


#78502

From: Don Bruder <dakidd@sonic.net>
Date: 2015-08-07 13:37 -0700
Message-ID: <mq34qi$6js$1@dont-email.me>
In reply to: #78499

In article <mq31oa$pnr$1@dont-email.me>,
 Electric Comet <electric-comet@mail.invalid> wrote:

> On Tue, 4 Aug 2015 10:24:40 -0400
> Jerry Bishop <jerry.bishop@nowhere.nohow.com> wrote:
> 
> > I have to wonder if this concept of a firmware worm can be applied to 
> > an iPhone or iPad, too.  If, in fact, the worm can be delivered by a 
> > web-site drive-by or phishing email, that could be scary, indeed.
> 
> wonder no more
> it has been possible
> it is possible
> 
> aapple will not admit it ever
> 
> some exploits are useful to certain groups of people
> bounties are paid regularly for exposing exploits
> there is no shortage of exploits
> 
> sock-puppets here will always try to hand wave it all away
> because that is what they are here for they have nothing useful to offer

Show me a piece of Mac malware that's "in the wild" (Meaning that it 
actually exists outside of somebody's fevered imagination or research 
facility and I (or whoever) could actually catch it without deliberately 
installing it) and I'll acknowledge that you've got something to say 
that's worth listening to. Until you do, you're talking out your ass.

-- 
Security provided by Mssrs Smith and/or Wesson. Brought to you by the letter Q



#78504

From: Your Name <YourName@YourISP.com>
Date: 2015-08-08 10:32 +1200
Message-ID: <080820151032225133%YourName@YourISP.com>
In reply to: #78502

In article <mq34qi$6js$1@dont-email.me>, Don Bruder <dakidd@sonic.net>
wrote:
> In article <mq31oa$pnr$1@dont-email.me>,
>  Electric Comet <electric-comet@mail.invalid> wrote:
> > On Tue, 4 Aug 2015 10:24:40 -0400
> > Jerry Bishop <jerry.bishop@nowhere.nohow.com> wrote:
> > > 
> > > I have to wonder if this concept of a firmware worm can be applied to 
> > > an iPhone or iPad, too.  If, in fact, the worm can be delivered by a 
> > > web-site drive-by or phishing email, that could be scary, indeed.
> > 
> > wonder no more
> > it has been possible
> > it is possible
> > 
> > aapple will not admit it ever
> > 
> > some exploits are useful to certain groups of people
> > bounties are paid regularly for exposing exploits
> > there is no shortage of exploits
> > 
> > sock-puppets here will always try to hand wave it all away
> > because that is what they are here for they have nothing useful to offer
> 
> Show me a piece of Mac malware that's "in the wild" (Meaning that it 
> actually exists outside of somebody's fevered imagination or research 
> facility and I (or whoever) could actually catch it without deliberately 
> installing it) and I'll acknowledge that you've got something to say 
> that's worth listening to. Until you do, you're talking out your ass.

Yep, just the usual load of scare tactic bollocks posted / published by
anti-Apple morons who don't know what they're talking about, dumbass
journalists simply out for a story, and anti-malware resellers trying
to con you into buying their crappy pointless software.



#78503

From: Michelle Steiner <michelle@michelle.org>
Date: 2015-08-07 15:17 -0700
Message-ID: <070820151517305466%michelle@michelle.org>
In reply to: #78499

In article <mq31oa$pnr$1@dont-email.me>, Electric Comet
<electric-comet@mail.invalid> wrote:

> > I have to wonder if this concept of a firmware worm can be applied to 
> > an iPhone or iPad, too.  If, in fact, the worm can be delivered by a 
> > web-site drive-by or phishing email, that could be scary, indeed.
> 
> wonder no more
> it has been possible
> it is possible

True, but "possible" does not mean "probable", and certainly does not
mean that it has ever actually happened.  Furthermore, this particular
worm cannot attack any iOS device for a number of reasons:  First, it
has to be connected via a compromised Thunderbolt device, and iOS
devices don't have Thunderbolt.  Secondly, iOS devices have completely
different firmware than Intel-based computers have.

> aapple will not admit it ever

Wrong.

> sock-puppets here will always try to hand wave it all away
> because that is what they are here for they have nothing useful to offer

You mean that Applephobic trolls will wave their hands hysterically
because that is what they are here for they have nothing useful to
offer, as you have so skillfully, but unintentionally demonstrated.



#78407

From: Electric Comet <electric-comet@mail.invalid>
Date: 2015-08-04 10:55 -0700
Message-ID: <mpqub1$kla$1@dont-email.me>
In reply to: #78391

On Tue, 04 Aug 2015 09:54:37 -0400
Davoud <star@sky.net> wrote:

> Another "proof of concept." No meaning in the real world.

why do so many here suffer from the disease of denial

what is that old saying 
methinks he doth protest too much or the like

so many strange sock-puppet people on comp.sys.mac.system

there's a talk i read recently from 1978  or so
it was about exploiting hardware hardware

it is easier now than it was then

except for on macs though right


#78420

From: gtr <xxx@yyy.zzz>
Date: 2015-08-05 08:34 -0700
Message-ID: <2015080508344690984-xxx@yyyzzz>
In reply to: #78407

On 2015-08-04 17:55:25 +0000, Electric Comet said:

> On Tue, 04 Aug 2015 09:54:37 -0400
> Davoud <star@sky.net> wrote:
> 
>> Another "proof of concept." No meaning in the real world.
> 
> why do so many here suffer from the disease of denial

The Boy Who Cried Wolf tends to have us unnecessarily running for the 
hills. It can be tiresome.

> what is that old saying
> methinks he doth protest too much or the like

Another is "don't believe everything you read".

> so many strange sock-puppet people on comp.sys.mac.system

Reasoning isn't really "faddish".

> there's a talk i read recently from 1978  or so
> it was about exploiting hardware hardware

I read a good buk wonst about a dog

> it is easier now than it was then

Apparently not easy enough to be done outside a lab.

> except for on macs though right

rite



#78403

From: Jolly Roger <jollyroger@pobox.com>
Date: 2015-08-04 16:43 +0000
Message-ID: <d2c8ddFcr6gU6@mid.individual.net>
In reply to: #78390

On 2015-08-04, billy@MIX.COM <billy@MIX.COM> wrote:
> http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/
>
>| THE COMMON WISDOM when it comes to PCs and Apple computers is
>| that the latter are much more secure.  Particularly when it comes
>| to firmware, people have assumed that Apple systems are locked down
>| in ways that PCs aren't.
>|
>| It turns out this isn't true.  [...]

Wrong. That ain't "wisdom". On the contrary, it's quite foolish.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR



#78404

From: Jolly Roger <jollyroger@pobox.com>
Date: 2015-08-04 16:46 +0000
Message-ID: <d2c8k2Fcr6gU7@mid.individual.net>
In reply to: #78390

On 2015-08-04, billy@MIX.COM <billy@MIX.COM> wrote:
> http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/
>
>| THE COMMON WISDOM when it comes to PCs and Apple computers is
>| that the latter are much more secure.  Particularly when it comes
>| to firmware, people have assumed that Apple systems are locked down
>| in ways that PCs aren't.
>|
>| It turns out this isn't true.  [...]

Another select quote:

"They notified Apple of the vulnerabilities, and the company has already
fully patched one and partially patched another. But three of the
vulnerabilities remain unpatched."

Apple's actively working on fixes.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR
