Mac OS X ‘Thunderstrike’ Bug Patched
It was Google that spotted several Mac OS X flaws as part of their ongoing crusade against looming security holes known as Project Zero. The initiative scours the internet for zero day exploits, security holes which are present in a system from the moment it is released that the manufacturer is unaware of.
Google’s pet projects are numerous and interesting, from wi-fi balloons to flashy glasses. Project Zero however is a pledge by the company to remain on the lookout, across the internet, from ongoing threats to users online and on devices, including ones not previously seen or even known about.
The Heartbleed website security bug of last year was somewhat of a wake up call for Google – they don’t want something similar to happen again. “We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people,” said Google Chrome’s head of security Chris Evans.
The vulnerability revelation has come during an ongoing unsettled period for Mac users, as flashily named exploits for the new operating system seem to be appearing with increased regularity.
After taking a quick peek at OS X Yosemite via the internet, Google notified Apple of afew problems earlier this month on on the 23rd, and now the company has released a new patch designed to track down and deal wit both the problems highlighted by Project Zero, as well as Thundrstrike, a Lightning port exploit which is used to deliver malware.
Thunderstrike was exposed by reverse engineer Trammell Hudson at the beginning of the year, his finding of the backdoor prompting the usual panic among Apple fans. The malware uses 35 year old Apple software to trick the host into letting it install malicious programs through the Lightning port, but most interestingly makes sure those programs cannot be erased. This is what most of the fuss has been about.
Thankfully Thunderstrike has only been demonstrated (as far as we know) in the safety of a computer lab – nobody as of yet has reported widespread infection, and fortunately nobody will need to worry about it any more following Apple’s latest patch. The exploit itself does require a device to be plugged into the host PC, which does mean that attacks, if any, would be quite localized.
The patch from Apple to fix Thunderstrike, and the vulnerabilities highlighted by Google, is available now, for free as always, from Apple. Mac OS X users will also be glad to know that the patch finally allows you to browse iCloud whilst using the Time Machine feature, so good news on all fronts there for security conscious Mac users.
Via: The Register