"Thunderstrike" is the name for an attack that can target Mac hardware via the Thunderbolt port. Apple had previously updated the Retina 5K iMac and 2014 Mac mini to partially secure them against Thunderstrike. Now, the upcoming OS X Yosemite 10.10.2 will fix the problem for all recent Macs running Yosemite.
Rick Mogull previously explained how Thunderstrike works on TidBITS:
Macs, like all computers, have firmware that swings into action when you push the power button, booting up the computer, loading the operating system, initializing hardware, and performing other functions. Some technologies, such as FireWire and Thunderbolt, interact with this firmware at an extremely low level, below Mac OS X itself, for feature and performance reasons.
The Thunderstrike proof-of-concept takes advantage of this trust to replace the contents of the Mac's boot ROM with the attacker's own code, effectively embedding it into the Mac's hardware and making it impossible to remove using standard techniques. The attack works because Apple relies on software checks to confirm the firmware is valid, and Hudson developed techniques to circumvent those checks (and even replace the encryption key).
To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again. According to people with access to the latest beta of OS X 10.10.2 who are familiar with Thunderstrike and how it works, that's exactly the deep, layered process that's been completed.
OS X 10.10.2, which was last seeded to developers earlier this week and will be made available to everyone as soon as it goes into wide release. OS X 10.10.2 also fixes three recently disclosed Project Zero vulnerabilities.
In the meantime, no instances of Thunderstrike have been found in wild, and the attack requires either physical access to the targeted computer, or social engineering sufficient to trick the owner into "attacking" themselves.
So, as with other recent Apple-related security stories, be informed but don't be alarmed. It's known, it's not likely to affect anyone reading this, and the fix is on its way.
Did the Writers Guild of America just confirm 'For All Mankind' season 4?
Apple TV+ hit For All Mankind hasn't started airing its third season yet, but it looks like we might already have a fourth season to look forward to.
The new Nothing Ear (1) earbuds are funky — and as cool — as hell
Nothing, the company from former OnePlus founder Carl Pei, has its first product. The Nothing Ear (1) have been confirmed today and they're unlike anything you've seen before.
$400,000 in undeclared Apple Watches & AirPods Pro seized by Indian customs
Customs agents at the international airport in Mumbai seized more than $400,000-worth of Apple gear as it made its way into the country. None of the 160 Apple Watches and 600 pairs of AirPods Pro had been declared and are now all sat in a warehouse.
Click, clack, and thock away with the best mechanical keyboards for Mac!
While there are many who enjoy how the Apple Magic Keyboard feels, others prefer something more tactile and even louder. Thankfully mechanical keyboards are still around. Here are some of our favorites.