
thunderstrike-2 once infected always infected?

I understand that the chances of getting Thunderstrike 2 are slim, and that if you have El Capitan you're immune from catching it.
My question is... If you got Thunderstrike 2 before upgrading to El Capitan, i.e. from running Mavericks, will you still carry the bug in your SPI after the upgrade? If not, how does this work?

MacBook Pro (17-inch Late 2011), OS X El Capitan (10.11.2), Security

Posted on Jan 12, 2016 10:36 AM

19 replies

Jan 12, 2016 10:49 AM in response to nicro

My understanding is Thunderstrike 2 would go from being the theoretical proof-of-concept threat that it currently is and become legitimate code in the wild. Right now it's Pinocchio (exists but not as a "real boy/virus"), if I'm reading this correctly, so the chance of you having it means it was distributed to you by the lab that provided the concept idea to Apple, in the form of code.

Jan 12, 2016 10:55 AM in response to nicro

Basically, according to this article: Once a Mac computer has been infected with Thunderstrike 2, the only way to remove the malware is to re-flash its firmware chips. (http://www.techtimes.com/articles/74024/20150804/thunderstrike-2-is-the-latest-nightmare-of-mac-owners-what-you-should-k…)


I have not heard of any true "in-the-wild" infections occurring, but if you are not sure about your system, for whatever reason, make an appointment with a Genius Bar and have them check your system.

Jan 12, 2016 11:04 AM in response to nicro

There is no inspection. This concept never made it out of a lab. It's not a downloadable thing, it's not a contracted thing, it's a concept.

The only thing Apple can do is what they have already done: update the toolset they provided for you in an update. So if you don't update they can't fix it; they already provided you with a fix in the form of an update, so that's how they would "fix" this conceptual attack.

Jan 12, 2016 11:03 AM in response to nicro

Best advice I could give you would be to call and see. I would think they could do a check of the PROM version or a checksum check to verify. Could be wrong, but if anyone should be able to do so, I would think it would be Apple. Once again, I have not found any reports of an actual reported case in the wild. Why would you suspect you are infected? Also, make sure you have installed the EFI update that Apple released. First clue: if you can't update, then there's a good chance you have made history.


EDIT: Basically what Jimmy said above.

Jan 12, 2016 11:12 AM in response to Cmoore01

Thanks both. I had some nasties on the computer a while back, downloaded some silly software. I've done many re-installs since, so in general I'm happy. I'm super security conscious, so the only issue I could have kept, from what I can tell, is Thunderstrike 2, hence the aim to know for sure and eliminate it if so. Re: none in the wild, I'm sure I saw an article about it being used already to download junkware such as MacKeeper.

Jan 12, 2016 11:50 AM in response to nicro

The article skips the part where Trammell Hudson, who discovered it, also created the concept. The article is trying to allude to the fact that it's a real "out in the wild" threat when it never was found or released in the wild. It is a concept, and the writer of that page is leaving out a lot of pertinent information for the sake of sensationalizing a threat that was never made real; he also fails to explain that the patch to prevent this concept was indeed addressed in Yosemite by Apple in the event it did really happen.

Jan 12, 2016 11:36 AM in response to nicro

Even on your 2011 MacBook Pro, now essentially impossible. Especially if you have the latest firmware update applied. The EFI update MBP81.0047.B2A (2015-001) was rolled out for all 2011 models. Its main fix is to protect the EFI against Thunderstrike. This EFI (firmware) update was automatically installed along with the Yosemite 10.10.4 update. Or, if you didn't install that, it would have appeared as a separate update under the App Store app.


There were also OS updates for Mountain Lion, Mavericks and Yosemite to block either version of Thunderstrike at the OS level.


About the security content of Mac EFI Security Update 2015-001 - Apple Support

About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005 - Apple Support


If you happened to have Thunderstrike already in the firmware before any of these, the firmware/EFI update MBP81.0047.B2A (2015-001) would remove it by way of replacing it on the EFI with the new firmware code.


Also, for any 2014 model or newer Mac, the original Thunderstrike can't be installed. The firmware itself had already been updated to block it. Thunderstrike 2 was blocked later at both the firmware and OS level.
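The reply above pins the fix for 2011 models to one firmware version, MBP81.0047.B2A, and an earlier reply suggests checking the "PROM version". As an added example (not code from this thread, from Apple, or from Trammell Hudson's work), the POSIX shell script below reads the "Boot ROM Version" line that `system_profiler SPHardwareDataType` prints on OS X and reports whether it is at or above that version. The field layout is the one system_profiler prints for this hardware; the sample values, the ordering rule for the version string (numeric middle field, lexical build tag) and the function names are assumptions made for the example. A version string only tells you which image was installed last; it does not verify the bytes on the SPI chip, which is why the re-flash advice quoted earlier in the thread still stands for anyone who needs certainty.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: decide whether a Mac's
# reported Boot ROM is at or above the EFI Security Update 2015-001 firmware
# (MBP81.0047.B2A) named in the reply above for 2011 MacBook Pro models.
# Real input comes from `system_profiler SPHardwareDataType`; a constructed
# sample is embedded so the script also runs on a non-Mac host.

PATCHED_ROM="MBP81.0047.B2A"

# Constructed sample of the "Hardware Overview" block printed by system_profiler
# on a late-2011 MacBook Pro (layout as printed on OS X 10.11; values made up).
SAMPLE_OLD='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro8,3
      Boot ROM Version: MBP81.0047.B27
      SMC Version (system): 1.70f6'

# Same sample with the Boot ROM already at the patched version.
SAMPLE_NEW=$(printf '%s\n' "$SAMPLE_OLD" | sed 's/MBP81\.0047\.B27/MBP81.0047.B2A/')

# Pull the Boot ROM Version field out of system_profiler-style text on stdin.
boot_rom_version() {
    sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# Compare two firmware strings of the form MODEL.NNNN.BXX and print one word:
#   ok        $1 is at or above $2
#   older     $1 is below $2
#   mismatch  different model prefix or malformed string
# Assumption (not documented by Apple): the middle field is a numeric ROM
# revision and the trailing build tag orders lexically within one revision.
rom_compare() {
    have=$1; want=$2
    h_model=${have%%.*}; h_rest=${have#*.}; h_rev=${h_rest%%.*}; h_build=${h_rest#*.}
    w_model=${want%%.*}; w_rest=${want#*.}; w_rev=${w_rest%%.*}; w_build=${w_rest#*.}
    case "$h_rev$w_rev" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo mismatch; return 0 ;;
    esac
    if [ -z "$h_model" ] || [ "$h_model" != "$w_model" ]; then
        echo mismatch; return 0
    fi
    if [ "$h_rev" -gt "$w_rev" ]; then echo ok; return 0; fi
    if [ "$h_rev" -lt "$w_rev" ]; then echo older; return 0; fi
    # Same revision: order the build tags in the C locale for a stable result.
    if [ "$h_build" = "$w_build" ]; then echo ok; return 0; fi
    first=$(printf '%s\n%s\n' "$h_build" "$w_build" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "$w_build" ]; then echo ok; else echo older; fi
}

# Map system_profiler text to patched / outdated / unknown against PATCHED_ROM.
firmware_status() {
    rom=$(printf '%s\n' "$1" | boot_rom_version)
    if [ -z "$rom" ]; then echo unknown; return 0; fi
    case $(rom_compare "$rom" "$PATCHED_ROM") in
        ok)    echo patched ;;
        older) echo outdated ;;
        *)     echo unknown ;;
    esac
}

# Use live data when system_profiler exists (a Mac), otherwise the sample.
if command -v system_profiler >/dev/null 2>&1; then
    echo "live firmware: $(firmware_status "$(system_profiler SPHardwareDataType 2>/dev/null)")"
else
    echo "sample firmware: $(firmware_status "$SAMPLE_OLD")"
fi
```

On a Mac, run it as `sh check_rom.sh`; "outdated" means the machine never received the 2015-001 image (the thread's "first clue"), "mismatch"/"unknown" means the script is looking at a model whose firmware family differs from MBP81 and the expected version must be adjusted before the comparison means anything.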

