Respected Apple hacker Pedro Vilaça has uncovered a low-level zero day vulnerability in Mac computers that allows privileged users to more easily install EFI rootkits.
Vilaça says the attack, first thought to be an extension of previous research rather than separate zero day, took advantage of unlocked flash protections when machines go into sleep mode.
“Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle,” Vilaça says in a post.
“It means that you can overwrite the contents of your BIOS from userland a rootkit EFI without any other tricks other than a suspend-resume cycle, a kernel extension, flashrom, and root access.
Comments