Apple fixes Thunderstrike and 3 Project Zero bugs in OS X 10.10.2 Yosemite

library
crime | hacking | security

Apple is readying a series of fixes to defend Yosemite, its flagship operating system, from so-called ‘evil maid’ attacks.

‘Evil maid’ attacks are those that require physical access to a device – just as ‘maids’ could access your computer if you left it in a hotel room, so could someone else if you left your computer unattended in your office, in a computer repair shop, and so on.

One such attack is Trammell Hudson’s devilish Thunderstrike vulnerability.

Reporters at iMore spotted a fix for Thunderstrike in the latest beta version of OS X 10.10.2, along with fixes for some other recently disclosed (but less well monikered) vulnerabilities.

Prior to making a release to the general public, Apple hands out beta versions of its operating system to developers. A fix in the beta is a good sign, although not a guarantee, that the fix will be in the hands of users in the next release of OS X.

Thunderstrike uses a Mac’s Thunderbolt port to load a rootkit into the computer’s Boot ROM (the very first bit of software the computer runs after being turned on).

Boot ROM malware is extremely difficult to detect and disinfect, and Hudson’s technique adds to the pain by locking the cuckolding malware in, under the cryptographic protection of the attacker’s public key.

The next version of Apple’s desktop operating system, an incremental, point release of Yosemite, is also likely to feature fixes for three serious ‘Project Zero‘ vulnerabilities – issues 130, 135 and 136.

(Project Zero has eschewed the current vogue for giving bugs names that make them sound like characters from the Transformers films).

Google’s issue tracker actually hints that the current version of Yosemite already features mitigations to deal with the first bug, issue 130, but there doesn’t appear to be a definitive statement on that from either Google or Apple.

All 3 vulnerabilities came to light last week, automatically.

Google provides 90 days notice to companies affected by vulnerabilities discovered by its Project Zero team before disclosing the details, and providing exploit code, to the world.

That arbitrary deadline has now expired and Apple’s users have been left exposed, despite the fact that the flaws appear to have been addressed and an update is imminent.

I suspect that in the long run Google has the muscle to make its 90 day countdown a de-facto disclosure standard, and that’s probably a good end result, but I’m not enjoying Google’s coercive, internet cop act.

For more on the pros and cons of Google’s brave new world, check our recent Chet Chat podcast [Segment starts at 0’46”.]