For years, Mac users have been safe in the knowledge that their platform was relatively protected against malware. A combination of the smaller user base, less attention from security researchers and fewer exploited security holes in the operating system than Windows has led to a generally virus- and malware-free experience. Windows also represents a far larger target than Mac for profit-seeking virus and malware authors, due to its greater market share.
But in quick succession, two new serious vulnerabilities have been discovered in Mac OS X.
Earlier this year, security engineer Trammell Hudson developed and showed off a proof-of-concept firmware called Thunderstrike. The malware could attach itself to Thunderbolt-connected accessories that used Option ROMs and infect any Mac it was connected to at boot. The infected Mac could then pass the malware to other accessories, which could infect other computers. Apple (mostly) patched this exploit in OS X version 10.10.2 back in January 2015, but reports show that a sequel has been developed.
Dubbed “Thunderstrike 2,” the malware still spreads primarily through infected Thunderbolt accessories. But where the original Thunderstrike required a malicious user to have physical access to a computer to work, the new one can be spread remotely. The malware can be delivered via a phishing e-mail or malicious website, and once downloaded it can infect connected accessories that use Option ROM (Apple’s Thunderbolt-to-gigabit-Ethernet adapter is a commonly cited example). Once the accessory is infected, the malware can spread to any Mac that you plug the accessory into.
The danger of firmware-level malware is that most virus scanners and other anti-malware products focus on RAM and files stored on the hard drive. Firmware malware is difficult to detect, hard to trace back to its source and also tough to remove.
Apple informed users that this bug has been partially patched in the OS X 10.10.4 release, so this particular version of Thunderstrike shouldn’t be of immediate concern to users of fully updated Macs.
Web Browser Pop-ups
The second vulnerability is less malware and more adware. It targets users’ web browsers: Safari, Chrome and Firefox. Hackers are exploiting this vulnerability in the latest version of Apple’s OS X so they can install adware applications without requiring victims to enter system passwords.
Researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file.
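Since the tell-tale sign Malwarebytes found was a modified sudoers file, a quick audit of that file is the check an administrator would want. The script below is an added example, not code from the article or from Malwarebytes: it flags NOPASSWD rules, user specifications for principals other than root and the admin group, and include directives, all of which deserve a second look on a Mac that should only carry Apple’s defaults. It assumes a POSIX sh with awk available, and the sudoers content it runs against is a constructed sample, not a copy of any real system file.

```shell
#!/bin/sh
# Added example (not from the article): audit a sudoers file for entries that
# would let software escalate privileges without a password prompt.
# Assumptions: POSIX sh and awk; the file to audit is passed as a parameter.

# audit_sudoers FILE
# Prints every line worth reviewing and returns 1 if any were found,
# 0 if the file contains only the expected root and %admin rules, 2 if unreadable.
audit_sudoers() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    hits=$(awk '
        /^[ \t]*#include/               { print "include directive: " $0; next }
        /^[ \t]*#/                      { next }   # ordinary comment
        /^[ \t]*$/                      { next }   # blank line
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next } # option and alias lines, not grants
        /NOPASSWD/                      { print "password-less rule: " $0; next }
        $1 != "root" && $1 != "%admin"  { print "unexpected principal: " $0 }
    ' "$file")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# sample_sudoers
# Writes a constructed sudoers file to a temp path and prints that path.
# The last rule is the kind of entry an unwanted installer would need in order
# to run later steps without prompting (constructed for this example).
sample_sudoers() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Constructed sample for the audit example; not a real macOS sudoers file
Defaults env_reset
Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
victim  ALL=(ALL) NOPASSWD: ALL
EOF
    echo "$tmp"
}

# Run the audit against the constructed sample when executed directly.
sample=$(sample_sudoers)
if audit_sudoers "$sample"; then
    echo "no suspicious sudoers entries"
else
    echo "review the entries above; a clean default has only the root and %admin rules"
fi
rm -f "$sample"
```

On a real Mac, run it as `sudo sh audit.sh /etc/sudoers` (root is needed to read the file); an unexpected principal or NOPASSWD rule is a reason to look for the installer that put it there rather than simply deleting the line.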
Unfortunately, some free downloads do not adequately disclose that other software will also be installed, and you may find that you have installed adware on your Mac without your knowledge. These potentially unwanted programs are typically added when you install another free application whose installer bundles the adware. Most commonly these infections are bundled within the installers from CNET, Softonic or other similar custom third-party installers.
When your Mac OS X is infected with this adware, you will experience the following symptoms:
- Advertising banners are injected with the web pages that you are visiting.
- Random web page text is turned into hyperlinks.
- Browser popups appear which recommend fake updates or other software.
- Other unwanted adware programs might get installed without the user’s knowledge.
Always opt for the custom installation and deselect anything that is not familiar, especially optional software that you never wanted to download and install in the first place. It goes without saying that you should not install software that you don’t trust.