UEFI attack could affect 2014 and earlier Macs: What you need to know

For owners of mid-2014 or earlier Macs, a new attack against a vulnerability in the UEFI boot script table is worth knowing about but won't affect most customers.

UEFI - Unified Extensible Firmware Interface — is what the Mac uses to boot from firmware and into the OS X operating system. If you're familiar with BIOS, then this replaced that. At the Chaos Communication Congress (CCC) in 2014, a presentation showed how a vulnerability in the boot script table could be used to rewrite the firmware when a Mac wakes after being in sleep mode. As usual, it's something to be informed about, but for the vast majority of people, nothing to panic about. According to Reverse Engineering Mac OS:

As a general user you shouldn't, in theory, be much worried with this bug more than you were with Thunderstrike. This is a bug more interesting to attack targeted users than mass exploitation, although a drive-by exploit is definitely feasible.

For anyone to exploit the vulnerability, they need already to have root access to your Mac, and the ability to issue commands as root. And if that's the case, the remote access itself would be your most pressing concern. In other words, it needs the back window to be unlocked before it can get in and chain itself to the furnace.

Macs manufactured after mid-2014 appear not to be affected. Given the nature of the exploit and the attention it's getting, I expect Apple will be issuing a patch for affected systems as soon as possible.

If you think you may be targeted, you can mitigate the risk by running as a standard user rather than as an admin. If you have to run as admin, disable sleep and shut down your Mac when you're done with it instead. You can do that in System Preferences > Energy Savings.

Also, remember to practice safe surfing. Most attacks begin with phishing — bogus messages that try to con you into clicking on malware links — or social engineering — attempts to trick you into handing over your password.

For expert users, the following test procedure is also detailed:

Downloading DarwinDumper and load the DirectHW.kext kernel extension. Then you can use flashrom with "flashrom -r biosdump -V -p internal" to dump the bios and show the register contents. Else you can compile yourself DirectHW.kext and also flashrom. DarwinDumper just works out of the box and its kext appears to be legit (it's on Apple exclusion list so at least Apple trusts it ;-)).

Apple continues to work on new ways to improve security. Recent examples include the Mac App Store, Gatekeeper, and Sandboxing. Hopefully, we'll see and hear even more about the company's plans for OS X security at WWDC 2015, which kicks off June 8.

Nick Arnott contributed to this article.