It’s common wisdom: Mac security is inherently superior to that of Windows and other PC operating systems. Many users credited Apple’s tightly controlled application and development environment for this improved protection, but in recent years security researchers have suggested a storm of malicious attacks may be on the horizon. Now, a pair of Mac security threats — Thunderstrike 2 and a new zero-day privilege exploit — have darkened user skies. Is this the end of Apple’s vaunted security superiority?

The Sound and the Fury

According to Threatpost, researchers have developed a remote-infection variant of firmware exploit bootkit Thunderstrike. Called Thunderstrike 2, the new vulnerability leverages much of the original kit to deliver malware capable of infecting both host machines and any connected accessories.

As noted by The Hacker News, Thunderstrike was first developed by security engineer Trammell Hudson, who discovered a flaw in Thunderbolt Option ROM that allowed the infection of any Apple Extensible Firmware Interface (EFI) by placing malicious code into boot ROM, making it almost impossible to remove. Thunderstrike had one limitation, however: Attackers needed physical access to victim machines.

Thunderstrike 2, meanwhile, has no such restrictions. The brainchild of Hudson and another security engineer, Xeno Kovah, it’s possible to spread Thunderbolt 2 via email, malicious websites or peripheral devices. Using a local root privilege exploit, the malware loads a kernel module to gain raw memory access and then either unlocks and rewrites the firmware or waits for the Mac to sleep and wake up again to alter its firmware. In both cases, removing the infection is almost impossible.

Thunderstrike and its progeny speak to one critical fallacy of Mac security: singularity. With other companies all leveraging virtually identical firmware, the software advantage granted by Mac OS X is rendered meaningless.

Zero-Day Strikes on Mac Security

Speaking of OS X, researchers have also discovered a flaw in the latest version of Yosemite that could allow malicious actors to gain root-level permissions without the need for administrator passwords. As noted by SecurityWeek, the issue lies with a hidden UNIX file named “sudoers,” which contains a list of software programs granted root access. When used alongside the DYLD_PRINT_TO_FILE vulnerability, which allows error logging to arbitrary files, it’s possible for cybercriminals to “open or create arbitrary files owned by the root user anywhere in the file system,” according to German security researcher Stefan Esser, who published the zero-day exploit details in July.

Attacks observed in the wild saw malicious actors running an installer that infected systems with VSearch adware, Genieo adware and in some cases the MacKeeper software. Both OS X 10.10.4 and beta 10.10.5 are vulnerable, while the new OS X 10.11 “El Capitan” beta appears to be immune.

After years of clear skies and starry nights, a storm is rolling in for Mac users. Serious firmware and software flaws have been discovered — and both are hard to detect and even harder to remove. For Mac users, there’s a simple lesson in the thunder and lightning: Standing under the Apple tree isn’t safe. Instead, it’s time to hunker down and start taking Mac security seriously.

More from

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…