Many Mac users like to think that Apple’s computers are all but safe from any sort of software virus, and while that’s not strictly true, it is a fact that Macs don’t suffer from the same security, or at least virus issues that have plagued the Windows PC for many a year. Security through obscurity has kept the Mac largely at the bottom of the virus food chain, but that doesn’t mean it’s invulnerable.
As if to drive that point home, researchers Xeno Kovah and Trammell Hudson have taken some common PC-based firmware vulnerabilities and tested them out on Macs. As it turns out, all but one of the six vulnerabilities tested were also capable of affecting the Mac, which may come as a surprise.
For the uninitiated, a firmware vulnerability is one that could allow infection of the set of instructions that govern a computer’s hardware components. Not only is a firmware worm hard to detect, it cannot be removed by simply wiping the system or reinstalling the operating system as it does not reside on the hard disk. PCs and Macs aren’t particularly well equipped to prevent such an infection from happening, and the ease with which they can be infected is concerning. If an infection does occur, though, the firmware’s ability to tell the machine what to do when it’s in the process of booting or has no operating system running can be compromised, with the consequences being dire indeed.
According to Wired, infecting a machine could be as easy as getting someone to plug an infected Ethernet adapter into a target Mac, thanks to that adapter’s use of Option ROM. The worm would then spread to the target machine and any peripherals attached to it that also have Option ROM. The cycle would then continue as the infected accessory is moved from machine to machine.
Since the security flaws were outlined to Apple, one has been fixed and another is in the process of being fixed, which should give us some hope that Apple is at least working to plug whatever security holes are still available to those keen to hack their way into a Mac.
Thankfully, the number wanting to do that is rather low when compared to those targeting the PC.