Thunderstrike 2, because in order to grab headlines a security vulnerability needs a catchy code name.

Late last year we first heard about Thunderstrike, a vulnerability in Thunderbolt that allowed a nefarious person to rewrite the firmware on a Thunderbolt device. This was reported as a Macintosh flaw, but is really a flaw in Thunderbolt and EFI which mostly affects Macs because many PCs are still using BIOS and few PCs have Thunderbolt.

Basically, thunderbolt devices (like USB devices) have a bit of firmware embedded in them that tell computers what sort of device they are and what their capabilities are. It is possible to infect that firmware. The original vulnerability was addressed by Apple. This new vulnerability is a little different, but not in very important ways. Well, not important to someone who isn’t really interested in this stuff.

There’s a lot of scary headlines out there, and a lot of sloppy reporting and quite a bit of flat-out incorrect information. The summary version is: If your computer is up to date you are almost certainly not vulnerable. If your computer is not update there is a very slightly greater chance that you are vulnerable.

First of all, do you have ANY thunderbolt devices? No? Then you’re like most Mac users. Second of all. if you do have Thunderbolt devices, do you use them on multiple┬ácomputers? Third of all, are you in the habit of installing software from unknown sources (including pirated copies of software)?

Yes, this is something that needs to be fixed (and is being fixed, and has already been mostly fixed), but the level of Chicken Little flailing is really over the top. Keep your computer updated. That’s the best thing you can do.

By the way, there is a similar, but much more serious, vulnerability in USB named BadUSB; if you feel like panicking about an infection vector, that one is far more likely, cannot realistically be patched, and so far has no defense. It also can be used to attack any device with a USB port, be it computer, game console, television, etc.