
Next Apple OS X Update to Patch Thunderstrike Flaw

Both ends of an Apple Thunderbolt cable. Credit: Apple.


It looks like the next incremental update to Apple's OS X operating system will add a fix to block attacks using the well-publicized proof-of-concept Thunderstrike malware. Named after Apple's Thunderbolt ports, Thunderstrike could spread to and from Thunderbolt-connected devices, and once a Mac was infected, it would be nearly impossible to disinfect.

Apple news blog iMore said Friday (Jan. 23) that a beta version of the forthcoming Yosemite 10.10.2 update, released to developers earlier in the week, includes patches to OS X's Extensible Firmware Interface (EFI), which Thunderstrike exploits. The beta also apparently patches three OS X flaws that Google's Project Zero disclosed last week.


Thunderstrike is a bootkit, a piece of malware that infects the software or firmware involved in a computer's startup (or "boot") process, which runs before the main operating system, e.g., Windows or OS X, is launched. From this privileged position, the bootkit, and by extension the people operating it, can control just about every function on the infected computer.

This particular bootkit is even more dangerous than most: it starts on a malicious Thunderbolt device and spreads to a Mac when that device is plugged in while the Mac is starting up. Once a Mac is infected, it can spread Thunderstrike to other Thunderbolt devices attached to it, which can go on to infect more Macs.

Once on a Mac, Thunderstrike is very difficult to remove: the bootkit blocks the Mac from receiving further Apple EFI updates, and because it lives in the boot ROM rather than on disk, it survives both reinstalling the operating system and replacing the hard drive.

The good news is that Thunderstrike was developed as a proof of concept, not as an actual attack. Its creator is New York-based security researcher Trammell Hudson, and no instances of Thunderstrike attacks have been reported in the wild.

"To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again," iMore reports.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.