Symantec says a critical vulnerability in some Apple Mac models could allow attackers to implant persistent rootkit malware in the machine's firmware.
The security firm confirmed the existence of the flaw late on Thursday. The vulnerability, which Symantec tracks as the Apple Mac OS X EFI Firmware Security Vulnerability, was originally disclosed on May 29 by security researcher Pedro Vilaca.
The problem lies in how some Macs handle sleep. When a Mac resumes from suspend-to-RAM (S3) sleep, the firmware's resume path fails to re-apply the write protection on the SPI flash chip that holds the EFI firmware (the flash lock-down bit, FLOCKDN, is left clear), so on the affected models the flash is left writable from the running operating system until the next full reboot.
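The check that Vilaca's and Symantec's tests boil down to is reading the chipset's flash-protection registers before sleep and again after resume and seeing whether anything was dropped. The following is an added example of that decoding and comparison logic; it is not code from the article, from Symantec or from Vilaca. It assumes the Intel 6/7/8-series PCH register layout (BIOS_CNTL at LPC PCI config offset 0xDC, HSFS at SPIBAR+0x04, PR0..PR4 at SPIBAR+0x74..0x84), and the snapshot values in main() are constructed rather than read from hardware.

```c
/*
 * Added example (not from the article, Symantec or Vilaca): decode the Intel
 * PCH SPI-flash write-protection registers that a firmware-lock check reads,
 * and compare a pre-sleep snapshot with a post-resume snapshot to flag any
 * protection that was dropped on resume.
 * Assumed register layout: Intel 6/7/8-series PCH (BIOS_CNTL at LPC PCI config
 * 0xDC, HSFS at SPIBAR+0x04, PR0..PR4 at SPIBAR+0x74..0x84).
 * The snapshot values in main() are constructed, not read from real hardware.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL (8-bit) */
#define BIOSWE   (1u << 0)   /* BIOS Write Enable */
#define BLE      (1u << 1)   /* BIOS Lock Enable: setting BIOSWE traps to SMM */
#define SMM_BWP  (1u << 5)   /* SMM BIOS Write Protect: writes allowed only from SMM */
/* HSFS (16-bit) */
#define FLOCKDN  (1u << 15)  /* Flash Configuration Lock-Down: PR registers become read-only */
/* PRx (32-bit) */
#define PR_WPE   (1u << 31)  /* Write Protection Enable for this range */
#define PR_NUM   5

typedef struct {
    uint8_t  bios_cntl;
    uint16_t hsfs;
    uint32_t pr[PR_NUM];
} spi_lock_state;

/* Bitmask returned by protections_lost(). */
enum { LOST_FLOCKDN = 1, LOST_BIOS_WP = 2, LOST_PR = 4 };

/* Decode a PRx register into the 4 KiB-granular flash address range it covers. */
static void pr_range(uint32_t pr, uint32_t *base, uint32_t *limit)
{
    *base  = (pr & 0x1FFFu) << 12;
    *limit = (((pr >> 16) & 0x1FFFu) << 12) | 0xFFFu;
}

/* True if any protected range has write protection enabled. */
static bool pr_protects_any(const spi_lock_state *s)
{
    for (int i = 0; i < PR_NUM; i++)
        if (s->pr[i] & PR_WPE)
            return true;
    return false;
}

/* True if BIOS_CNTL blocks BIOS-region writes from the OS: BIOSWE clear, BLE set
 * so a rogue BIOSWE=1 traps to SMM, and SMM_BWP so only SMM code may write. */
static bool bios_region_wp(const spi_lock_state *s)
{
    return !(s->bios_cntl & BIOSWE) && (s->bios_cntl & BLE) && (s->bios_cntl & SMM_BWP);
}

/* The flash only counts as locked when FLOCKDN is set: without it the PR
 * registers are themselves writable, so a root-level attacker can clear them
 * before flashing. */
static bool flash_is_locked(const spi_lock_state *s)
{
    return (s->hsfs & FLOCKDN) && (bios_region_wp(s) || pr_protects_any(s));
}

/* Return the set of protections present before sleep but gone after resume. */
static int protections_lost(const spi_lock_state *before, const spi_lock_state *after)
{
    int lost = 0;
    if ((before->hsfs & FLOCKDN) && !(after->hsfs & FLOCKDN)) lost |= LOST_FLOCKDN;
    if (bios_region_wp(before) && !bios_region_wp(after))     lost |= LOST_BIOS_WP;
    if (pr_protects_any(before) && !pr_protects_any(after))   lost |= LOST_PR;
    return lost;
}

static void print_state(const char *label, const spi_lock_state *s)
{
    printf("%s: FLOCKDN=%d BIOSWE=%d BLE=%d SMM_BWP=%d locked=%s\n", label,
           !!(s->hsfs & FLOCKDN), !!(s->bios_cntl & BIOSWE), !!(s->bios_cntl & BLE),
           !!(s->bios_cntl & SMM_BWP), flash_is_locked(s) ? "yes" : "NO");
    for (int i = 0; i < PR_NUM; i++) {
        if (!(s->pr[i] & PR_WPE)) continue;
        uint32_t base, limit;
        pr_range(s->pr[i], &base, &limit);
        printf("  PR%d write-protects 0x%08x-0x%08x\n", i, base, limit);
    }
}

int main(void)
{
    /* Constructed snapshots: a configuration that relies on one PR range plus
     * FLOCKDN rather than on BLE/SMM_BWP. */
    spi_lock_state before = { .bios_cntl = 0, .hsfs = FLOCKDN,
                              .pr = { PR_WPE | (0x0FFFu << 16) | 0x0A00u, 0, 0, 0, 0 } };
    spi_lock_state after = before;
    after.hsfs = 0;   /* resume code did not re-set FLOCKDN */

    print_state("before sleep", &before);
    print_state("after resume", &after);
    int lost = protections_lost(&before, &after);
    printf("protections lost on resume: %s%s%s\n",
           lost & LOST_FLOCKDN ? "FLOCKDN " : "",
           lost & LOST_BIOS_WP ? "BIOS_WP " : "",
           lost & LOST_PR ? "PR " : "");
    return lost ? 1 : 0;
}
```

Reading these registers on a live machine needs kernel-level access to PCI configuration space and to the memory-mapped SPI controller; on Linux, CHIPSEC's common.spi_lock and common.bios_wp modules perform essentially this evaluation. Taking one snapshot before sleep and one after resume, and diffing them as above, shows whether a machine has the resume regression without writing a single byte to flash.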
Firmware-resident malware of this kind, an EFI rootkit, gives an attacker remote control of the system and a path to the user's data, and it survives a disk wipe or operating system reinstallation because it lives in the flash chip rather than on disk. An attack like this is unlikely to hit users en masse; its more plausible use is targeted surveillance of specific individuals whose data or account access is valuable.
This is not the only Apple-related security flaw to hit the headlines this year. In March, Apple released a patch to protect iOS users from FREAK, a bug that had been present for over a decade and left users of Safari and the stock Android browser open to attack through a forced downgrade of the TLS handshake to weak, export-grade RSA keys.
Symantec rates the flaw as "critical" because it can provide "an attacker with persistent root access to a computer that may survive any disk wipe or operating system reinstallation," according to the firm.
"The vulnerability could be remotely exploited by an attacker if used in conjunction with another exploit that provided root access," Symantec said. "While such vulnerabilities are not widespread, they do emerge from time to time. Once an attacker has root access, the only condition required for successful exploit is that the computer enter sleep mode."
Vilaca says the bug can be chained with a Safari exploit or another remote vector to install an Extensible Firmware Interface (EFI) rootkit without physical access; the only other requirement is that the machine enter sleep at some point during the attacker's session.
To date, Symantec has tested four Mac models: the Mac Mini 5.1 and MacBook Pro 9.2 are vulnerable, while the MacBook Pro 11.3 and MacBook Air 6.2 are not. Vilaca's own tests found the MacBook Pro Retina 10.1, MacBook Pro 8.2, MacBook Air 5.1 and Mac Pro 9.1 vulnerable. All of the machines tested ran Apple's latest firmware at the time. Vilaca commented:
"I'm pretty sure Apple is aware of the bug, or at least it would be quite irresponsible for them to not test if their BIOS implementation was vulnerable to the Dark Jedi attack. I had no issues doing PoC tests with it, but it definitely needs other people to test it out (at least to find which other Macs are vulnerable)."
Until Apple issues a firmware patch, concerned users are advised to shut their machines down rather than let them sleep. Since closing the lid or an idle timeout also triggers sleep, the advice only holds if automatic sleep is disabled in the power settings as well.
This story originally posted as "Symantec confirms existence of unpatched rootkit Mac security flaw" on ZDNet.