Apple Patches Recently Disclosed Mac EFI Security Bugs

Apple Security Updates Patch Bugs in OS X, iOS, Safari, iTunes, QuickTime

Apple has released security updates for many of its products, including patches for the recently disclosed EFI vulnerabilities dubbed “Dark Jedi” and “Rowhammer.”

The EFI updates are available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10 through v10.10.3.

These updates patch an issue that can be exploited for rootkit attacks. One of the involved bugs, dubbed “Dark Jedi,” was disclosed by Rafal Wojtczuk and Corey Kallenberg last year at the Chaos Communication Congress (CCC). It allows a local attacker to bypass firmware write protections on EFI systems from Dell, Intel, American Megatrends Incorporated (AMI), Lenovo, and Phoenix Technologies.

Researcher Trammell Hudson determined that the Dark Jedi attack works against Apple EFI as well because BIOS protection registers are unlocked after an S3 suspend/resume cycle.

While analyzing these issues, Pedro Vilaça (@osxreverser) determined that an attacker could overwrite the contents of the BIOS on Apple devices from userland and install a rootkit simply by letting the computer sleep for a few seconds. Vilaça initially believed Apple was aware of this issue, but it later turned out to be a zero-day flaw.

Apple noted in an advisory that this insufficient locking issue (CVE-2015-3692) can be exploited by a malicious application with root privileges to modify the EFI flash memory. The company has credited Hudson, Kallenberg, Vilaça and Xeno Kovah for discovering the vulnerability.

Vilaça published additional technical details on this vulnerability on Tuesday and even detailed the steps for building a temporary fix.

The second Mac EFI vulnerability patched by Apple is known as “Rowhammer.” This issue, related to dynamic random-access memory (DRAM) disturbance errors, has been known to exist since at least 2012. However, researchers demonstrated its security implications only in 2014, and in March of this year experts from Google showed that it can be exploited to gain kernel privileges on Linux and possibly other systems.

Apple says the vulnerability (CVE-2015-3693) allows a malicious application to induce memory corruption and escalate privileges. The flaw has been addressed by increasing memory refresh rates.

OS X, iOS, Safari, iTunes, QuickTime security updates

OS X Yosemite 10.10.4 patches an additional 75 vulnerabilities, including issues with afpserver, Apache, AppleGraphicsControl, AppleFSCompression, ATS, Bluetooth, CoreText, coreTLS, display drivers, graphics drivers, the kernel, kext tools, Mail, NTP, OpenSSL, Spotlight, the unzip tool, and systemstatsd.

Apple has once again attempted to fix the privilege escalation vulnerability known as “rootpipe.” The company released a patch for the bug discovered by Emil Kvarnhammar from TrueSec back in April, but as several researchers pointed out at the time, the patch was ineffective.

With the release of iOS 8.4, Apple has addressed a total of 33 vulnerabilities identified by the company’s own security team and external researchers. Some of these flaws were discovered by researchers from FireEye, who demonstrated that they can demolish apps, break the app data container, and hijack VPN traffic through a method they have dubbed “Masque attacks.”

The latest version of Apple’s mobile operating system also resolves security bugs related to Wi-Fi connectivity, the WebKit engine, telephony, SQLite’s printf implementation, Safari, Mail, the kernel, and components such as CoreGraphics, CoreText, CoreTLS, DiskImage, FontParser, and ImageIO.

With the release of Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7, Apple has addressed a total of four WebKit-related vulnerabilities. Apple also patched 39 flaws in iTunes 12.2, and nine bugs in QuickTime 7.7.7.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.