It’s common wisdom: Mac security is inherently superior to that of Windows and other PC operating systems. Many users credited Apple’s tightly controlled application and development environment for this improved protection, but in recent years security researchers have suggested a storm of malicious attacks may be on the horizon. Now, a pair of Mac security threats — Thunderstrike 2 and a new zero-day privilege exploit — have darkened user skies. Is this the end of Apple’s vaunted security superiority?

The Sound and the Fury

According to Threatpost, researchers have developed a remote-infection variant of firmware exploit bootkit Thunderstrike. Called Thunderstrike 2, the new vulnerability leverages much of the original kit to deliver malware capable of infecting both host machines and any connected accessories.

As noted by The Hacker News, Thunderstrike was first developed by security engineer Trammell Hudson, who discovered a flaw in Thunderbolt Option ROM that allowed the infection of any Apple Extensible Firmware Interface (EFI) by placing malicious code into boot ROM, making it almost impossible to remove. Thunderstrike had one limitation, however: Attackers needed physical access to victim machines.

Thunderstrike 2, meanwhile, has no such restrictions. The brainchild of Hudson and another security engineer, Xeno Kovah, it’s possible to spread Thunderbolt 2 via email, malicious websites or peripheral devices. Using a local root privilege exploit, the malware loads a kernel module to gain raw memory access and then either unlocks and rewrites the firmware or waits for the Mac to sleep and wake up again to alter its firmware. In both cases, removing the infection is almost impossible.

Thunderstrike and its progeny speak to one critical fallacy of Mac security: singularity. With other companies all leveraging virtually identical firmware, the software advantage granted by Mac OS X is rendered meaningless.

Zero-Day Strikes on Mac Security

Speaking of OS X, researchers have also discovered a flaw in the latest version of Yosemite that could allow malicious actors to gain root-level permissions without the need for administrator passwords. As noted by SecurityWeek, the issue lies with a hidden UNIX file named “sudoers,” which contains a list of software programs granted root access. When used alongside the DYLD_PRINT_TO_FILE vulnerability, which allows error logging to arbitrary files, it’s possible for cybercriminals to “open or create arbitrary files owned by the root user anywhere in the file system,” according to German security researcher Stefan Esser, who published the zero-day exploit details in July.

Attacks observed in the wild saw malicious actors running an installer that infected systems with VSearch adware, Genieo adware and in some cases the MacKeeper software. Both OS X 10.10.4 and beta 10.10.5 are vulnerable, while the new OS X 10.11 “El Capitan” beta appears to be immune.

After years of clear skies and starry nights, a storm is rolling in for Mac users. Serious firmware and software flaws have been discovered — and both are hard to detect and even harder to remove. For Mac users, there’s a simple lesson in the thunder and lightning: Standing under the Apple tree isn’t safe. Instead, it’s time to hunker down and start taking Mac security seriously.

More from

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…