Apple's year-end is about security
When it comes to security, Apple can and should do better. It is one of the biggest offenders, after all, having made quite a few serious mistakes in this area. One of its most important services, iCloud, was instrumental in this year's celebrity photo leak scandal, better known as The Fappening. More recently, a weakness in its OS X deployment software for iOS apps exposed hundreds of thousands of iPads and iPhones to the WireLurker malware. And these are just two examples. Unsurprisingly, as the year draws to an end, security remains a talking point in Apple's case.
Let's start with the good news. Apple has pushed an update for OS X 10.10 Yosemite, 10.9.5 Mavericks and 10.8.5 Mountain Lion to quickly fix a critical vulnerability discovered in NTP (Network Time Protocol), a protocol widely used to synchronize device clocks with dedicated servers. Normally, OS X updates are not applied automatically, but this one is apparently so critical that, seemingly for the first time, it is.
This is a vulnerability for which publicly available exploits exist, and it can be exploited remotely, which makes patching it an even more pressing matter. It can lead to malicious code being executed with NTP-level privileges, in case you are wondering.
The vulnerability, discovered by Google and detailed by the US government on December 19, is not Apple's own doing, but it affects millions of Macs, judging by the operating systems Apple wants patched. The short time it has taken Apple to come up with a fix is, quite frankly, a good sign, and hopefully a sign of things to come.
It is also a good sign that Apple is looking to get ahead of the problem before it becomes one: there are no known exploits at this stage, according to Apple spokesperson Bill Evans. What's more, the patch is applied without a restart, which makes it extremely effective and convenient to apply.
Now, let's move on to the bad news. Apple devices equipped with Thunderbolt ports are susceptible to a bootkit infection that can be carried out by a so-called "evil maid" with access to a Thunderbolt port. The bootkit modifies the EFI firmware, is said to be resistant to removal, and can spread by infecting other Thunderbolt devices.
Because the EFI firmware is neither overwritten when the operating system is reinstalled nor user-accessible, any modifications the bootkit makes are preserved. The bootkit achieves this by using a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple's EFI firmware update routines.
Trammell Hudson, who uncovered this problem with Apple's EFI, alleges that the only way to restore the stock firmware is with a hardware in-system programming device. What's more, because the Apple public RSA key that the firmware uses to check updates can itself be replaced, the bootkit can be designed so that it can only be replaced by someone holding the attacker's private key. You can read more about how it works by hitting the link in the paragraph above.
Of course, installing such a bootkit hinges on having physical access to a Mac and reusing infected Thunderbolt devices. That's not much of a stretch if we consider work environments, or shared Macs. However, the Thunderbolt Option ROM vulnerability that the bootkit relies on can be fixed, according to Hudson, even though it has remained unpatched for two years; "the larger issue of Apple's EFI firmware security and secure booting with no trusted hardware is more difficult to fix", he adds.
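The weakness described above comes down to where the verification key lives. The toy model below is an added illustration, not Apple's firmware code or Hudson's tooling; it uses textbook RSA with constructed tiny primes and a hypothetical flash/ROM split to show why a signature check whose public key sits in rewritable flash accepts an attacker's update once that key is swapped, while pinning the key to a hash held in read-only hardware rejects it.

```python
# Added toy model: signature-checked firmware updates with the verification key
# stored in rewritable flash (Apple's situation as the article describes it)
# versus the same key pinned to a hash fixed in hardware. Not real firmware code.
import hashlib

# Textbook RSA on constructed tiny primes, only to keep the flow runnable offline.
def rsa_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # private exponent
    return (n, e), (n, d)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def key_fingerprint(pub) -> str:
    return hashlib.sha256(repr(pub).encode()).hexdigest()

class Flash:
    """Hypothetical rewritable region: holds the vendor key and the image."""
    def __init__(self, vendor_pub):
        self.vendor_pub = vendor_pub         # writable by an Option ROM in the scenario
        self.image = b"stock firmware"

def apply_update_unpinned(flash: Flash, image: bytes, sig: int) -> bool:
    """Trusts whatever key currently sits in flash."""
    if verify(flash.vendor_pub, image, sig):
        flash.image = image
        return True
    return False

def apply_update_pinned(flash: Flash, image: bytes, sig: int, rom_hash: str) -> bool:
    """Also checks the flash key against a hash burned into read-only hardware."""
    if key_fingerprint(flash.vendor_pub) != rom_hash:
        return False
    return apply_update_unpinned(flash, image, sig)

def demo() -> dict:
    vendor_pub, vendor_priv = rsa_keypair(61, 53)
    attacker_pub, attacker_priv = rsa_keypair(67, 71)
    rom_hash = key_fingerprint(vendor_pub)   # fixed at manufacture, not rewritable
    flash, results = Flash(vendor_pub), {}
    good = b"vendor update 1.1"
    results["vendor_update"] = apply_update_unpinned(flash, good, sign(vendor_priv, good))
    flash.vendor_pub = attacker_pub          # the key swap the article describes
    evil = b"attacker image"
    results["swapped_key_unpinned"] = apply_update_unpinned(flash, evil, sign(attacker_priv, evil))
    results["swapped_key_pinned"] = apply_update_pinned(flash, evil, sign(attacker_priv, evil), rom_hash)
    return results
```

Only the pinned variant refuses the swapped key, which is the "no trusted hardware" gap Hudson refers to.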
Is Apple ending 2014 on a high note or not? It's a glass half-full/half-empty type of situation, after all. Personally, I see patching the NTP vulnerability as being more important, at least until 2015 comes along, than a bootkit infection with a "maybe" label next to it.