EFI Flash Memory Security Holes patched in OS X Mavericks and Mountain Lion

Apple released Mac EFI Security Update 2015-001 on Monday, a security update for Mountain Lion and Mavericks that patches two flaws dealing with EFI Flash memory. Both flaws would have allowed the bad guys to take over your Mac.

Apple says:

Mac EFI Security Update 2015-001
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application with root privileges may be able to modify EFI flash memory
Description: An insufficient locking issue existed with EFI flash when resuming from sleep states. This issue was addressed through improved locking.
CVE-ID
CVE-2015-3692 : Trammell Hudson of Two Sigma Investments, Xeno Kovah and Corey Kallenberg of LegbaCore LLC, Pedro Vilaça
EFI
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application may induce memory corruption to escalate privileges
Description: A disturbance error, also known as Rowhammer, exists with some DDR3 RAM that could have led to memory corruption. This issue was mitigated by increasing memory refresh rates.
CVE-ID
CVE-2015-3693 : Mark Seaborn and Thomas Dullien of Google, working from original research by Yoongu Kim et al (2014)


Posted by Antony at June 30, 2015 11:04 PM
