Prince Harming and Dark Jedi Sent Packing by Apple’s Latest OS X Update

Posted on July 2nd, 2015 by Graham Cluley

Earlier this week, Apple released updates for OS X and iOS, incorporating a raft of security patches. (What is the correct collective noun for patches anyway? A quilt?)

Amongst the fixes was a patch for the booby-trapped message that mischief-makers could send to your iPhone to cause it to crash. So, if you didn't find the idea of your friends and enemies remotely restarting your phone funny, you had best update to iOS 8.4.

But it wasn't just mobile users who were benefiting from improvements by Apple's security team.

Desktop and laptop users of OS X are advised to either update to OS X Yosemite v10.10.4, or apply Security Update 2015-005, which incorporate numerous security fixes, including patches for remote code execution flaws, elevation of privilege vulnerabilities, browser data leakages and security bypasses.

But alongside the fixes is another security update — for your Mac or MacBook's firmware — that provides important protection against a serious vulnerability that could allow an attacker to meddle with the system BIOS, installing a rootkit which would lead to your computer being permanently backdoored.

The so-called "Prince Harming" attack was similar to the Thunderstrike vulnerability patched earlier this year in OS X 10.10.2, but was considered more serious because, unlike Thunderstrike, it did not depend upon a hacker having physical access to the intended victim's computer.

OS X security researcher Pedro Vilaça detailed how the "Prince Harming" attack could compromise Mac computers made before mid-2014, exploiting the fact that their low-level firmware was left vulnerable to attack when woken from sleep mode.

According to Vilaça, sophisticated attackers had a window of opportunity to inject malicious rootkit code into the ROM EFI boot chip. The attack could even be delivered remotely by exploiting browser vulnerabilities and tricking intended victims into visiting a booby-trapped webpage. Provided the victim's computer had entered sleep mode during the current power cycle, it could be exploited.

That's bad enough, but now consider just what a rootkit can do.

A rootkit can control your entire computer from the first second that it's turned on, running at such a low level that it can completely backdoor your system — logging every keypress, spying on your every activity, stealing and bypassing firmware passwords.

And, once in place, a malicious rootkit could easily go undetected for a long, long time.

Frankly, the attack was likely to be beyond the capabilities of the typical attacker because of its sophistication (a financially-motivated hacker, for instance, would probably be happy to steal cash or identities in a more conventional and easy fashion), but there is no doubt that it is a technique that would be of interest to determined hackers — such as those working for intelligence agencies and foreign governments.

Regardless of your chances of being hit, it's still good that Apple has now patched this security vulnerability — and a similar one known as "Dark Jedi."

Vilaça, who went public with details of the Prince Harming vulnerability affecting ROM EFI boot chips earlier this year in the belief that Apple already knew about the problem, praised a fix being finally issued for older computers:

"I am very happy to see that Apple moved fast enough to fix both bugs and must congratulate them. It was a bit unexpected! Maybe full disclosure and bad publicity work after all ;-)."

If you haven't already done so, apply Mac EFI Security Update 2015-001, and update to OS X Yosemite v10.10.4.
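To confirm that the firmware update actually landed on a given machine, here is an added example (not code from this post, from Intego or from Apple) that parses the report printed by `system_profiler SPHardwareDataType` and compares the Boot ROM version against a per-model table. The sample report and the EXPECTED_BOOT_ROM values are constructed placeholders, since the post does not list the post-update version strings; fill the table from Apple's release notes for the EFI update.

```python
"""Check a Mac's reported Boot ROM version against the version expected
after Mac EFI Security Update 2015-001 (added example, not Apple's code)."""
import re
import subprocess

# Constructed placeholder table: model identifier -> Boot ROM version that
# the EFI update is expected to install. These are NOT real Apple strings.
EXPECTED_BOOT_ROM = {
    "MacBookPro9,1": "MBP91-PLACEHOLDER-NEW",
    "iMac13,1": "IM131-PLACEHOLDER-NEW",
}

# Constructed sample of system_profiler output, for offline use.
SAMPLE_REPORT = """Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro9,1
      Boot ROM Version: MBP91-PLACEHOLDER-OLD
      SMC Version (system): 2.1f173
"""

def parse_hardware_report(text):
    """Return {key: value} for the indented 'Key: Value' lines only;
    section headers such as 'Hardware Overview:' carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z][^:]*):\s+(.+)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def efi_status(text):
    """Classify a report as 'current', 'outdated' or 'unknown-model'.
    'unknown-model' covers machines the update does not target, such as
    the Mac Pro one commenter mentions being refused by the installer."""
    f = parse_hardware_report(text)
    expected = EXPECTED_BOOT_ROM.get(f.get("Model Identifier"))
    if expected is None:
        return "unknown-model"
    return "current" if f.get("Boot ROM Version") == expected else "outdated"

def live_status():
    """Run system_profiler on this Mac (macOS only) and classify it."""
    out = subprocess.run(["system_profiler", "SPHardwareDataType"],
                         capture_output=True, text=True, check=True).stdout
    return efi_status(out)

if __name__ == "__main__":
    print(efi_status(SAMPLE_REPORT))
```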

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.

  • Vito Tuxedo

    “What is the correct collective noun for patches anyway”

    Bevy, methinks.

    BTW, the EFI update doesn’t apply to a MacPro 2.8GHz Quad-Core. When I tried to run the installer, the app displayed a prompt stating “This machine doesn’t need this update.” So, it’s not universally true that the EFI update applies to Mac computers made before mid-2014.

  • Gen. Chang

    Multiple patches = Quilt, LOL, love it! Headline… "Today Apple published a QUILT, so be sure to update" as those at the Register like to say, "the fruity folk" are at it again. But seriously, the researcher is right, you have to be public and embarrass Apple to get the fixes pushed out, as they have demonstrated numerous times, they drag their feet. Sometimes taking up to a year to do so.
