Apple “will patch a serious ‘privilege escalation’ bug in the next security update to its desktop operating system, Mac OS X 10.10.5, the Guardian has learned,” Alex Hern reports for The Guardian. “A second serious bug, Thunderstrike 2, which can allow attackers to overwrite a computer’s firmware using a malicious webpage, has already been partially patched in Mac OS X 10.10.4.”
“The most notable part of the Thunderstrike 2 vulnerability – which lets attackers create a ‘worm’ which can spread from computer to computer without human intervention – remains unfixed, though some experts have questioned its seriousness. Rich Mogull, a Mac security expert who covers the platform on the TidBITS news site, wrote that Thunderstrike 2 is less severe than it was made out to be,” Hern reports. “Mogull concluded that ‘nearly everyone can ignore Thunderstrike 2 entirely.’ For typical users, the worm is a mostly hypothetical threat compared to the already-patched web infection vector.”
“The Guardian understands that Apple has taken interim measures to prevent further exploitation of the vulnerability, including revoking the credentials of developers who use it, and including any app which does so on the company’s regularly updated list of malware,” Hern reports. “As such, unsuspecting users should be protected against specific attacks until a broader patch is released.”
Read more in the full article here.
MacDailyNews Take: Tempest in a teapot.
Bottom line: The Mac continues to get even more secure.
Thunderstrike 2 worm can infect your Mac without detection, but requires root access – August 3, 2015
Apple secures Macs against ‘Thunderstrike’ attacks in OS X 10.10.2 – January 24, 2015
Macs vulnerable to virtually undetectable malware that ‘can’t be removed’, but physical access is required – January 12, 2015
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015