nicro

Q: thunderstrike-2 once infected always infected?

I understand that the chances of getting Thunderstrike 2 are slim, and that if you have El Capitan you're immune from catching it.
My question is... If you got Thunderstrike 2 before upgrading to El Capitan, i.e. from running Mavericks, will you still carry the bug in your SPI after the upgrade? If not, how does this work?

MacBook Pro (17-inch Late 2011), OS X El Capitan (10.11.2), Security

Posted on Jan 12, 2016 10:36 AM

  • by JimmyCMPIT,

    JimmyCMPIT Jan 12, 2016 12:03 PM in response to Kurt Lang
    Level 6 (8,035 points)
    Mac OS X

    I know, this is why I get my info from "the safe mac" and that's about as far as I go because I spend the rest of the day trying to clear up the nonsense with some exec at work who watched CNN or FOX and thinks their iPhone or fit-bit has been hacked to become an IED.

  • by Kurt Lang,

    Kurt Lang Jan 12, 2016 12:10 PM in response to JimmyCMPIT
    Level 8 (37,939 points)
    Mac OS X

    "and thinks their iPhone or fit-bit has been hacked to become an IED"

    That would be the loudest appointment reminder ever! Sure would get the user's attention, though.

  • by nicro,

    nicro Jan 12, 2016 12:16 PM in response to Kurt Lang
    Level 1 (5 points)
    Mac OS X

    I've checked the two links from Kurt, I'm guessing the references to


    EFI

    Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

    Impact: A malicious application with root privileges may be able to modify EFI flash memory

    Description: An insufficient locking issue existed with EFI flash when resuming from sleep states. This issue was addressed through improved locking.


    I'm guessing this is the Thunderstrike 2 fix. I've updated my machine to El Capitan so I'm guessing both fixes are now in place, is that so?

  • by Kurt Lang,

    Kurt Lang Jan 12, 2016 1:03 PM in response to nicro
    Level 8 (37,939 points)
    Mac OS X

    Yes, that is the fix. It's how Thunderstrike got into the firmware - during a wake from sleep procedure it would copy from the drive to the firmware. That avenue is now blocked.

  • by nicro,

    nicro Jan 12, 2016 1:32 PM in response to Kurt Lang
    Level 1 (5 points)
    Mac OS X

    Thanks Kurt,

    And like you say, just upgrading to El Capitan re-writes the EFI to patch it completely.
