Failed updates leave Mac computers at risk from targeted attacks on firmware
The Extensible Firmware Interface (EFI) has steadily replaced BIOS in recent years as the means of booting and controlling hardware devices.
Mac systems have used EFI since 2006 but an analysis by Duo Labs, the research arm of Duo Security, of more than 73,000 Mac systems finds that in many cases the EFI is not receiving security updates, leaving users vulnerable to attacks.
In 2015 Apple began to bundle software and firmware updates in order to ensure systems had the most current firmware security. Duo Labs' analysis looked at the updates released in the last three years and compared the actual EFI security state to the expected state.
Among the findings are that users running a version of MacOS/OS X older than the latest major release (High Sierra) likely have EFI firmware that has not received the latest fixes for known issues. This can leave such systems secure at the software level but vulnerable at the firmware level. On average, 4.2 percent of the real-world, production Macs analyzed are running an EFI firmware version that is different from the one they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version.
At least 16 models of Mac have never received any EFI firmware updates. The 21.5-inch iMac, released in late 2015, has the highest occurrence of incorrect EFI firmware with 43 percent of sampled systems running incorrect versions.
The study found that 47 models capable of running 10.12, 10.11 or 10.10 did not have an EFI firmware patch addressing the Thunderstrike 1 vulnerability, while 31 models capable of running the same releases did not have an EFI firmware patch addressing its remote variant, Thunderstrike 2.
In addition, two recent security updates issued by Apple (Security Update 2017-001 for 10.10 and 10.11) shipped with the wrong firmware, indicating a possible lapse in quality assurance.
"Firmware is an often overlooked yet vital component of a system's security structure," says Rich Smith, Duo's director of research and development. "The sophisticated and targeted nature of firmware attacks should be of particular concern to those who have higher security clearance or access to sensitive information at their respective organizations. The worst possible state for users is to be under the assumption that they are secure after updating their system, when in fact, their actual security posture is very different than what they believe it to be."
There's no doubt that Apple has done the right thing by bundling EFI updates with the OS, as it means more people receive them. However, it's hard for users to know whether they have the latest EFI version, and there is no notification if the firmware update fails to apply.
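As an added illustration of the check the article says users lack (this is not code from the article or from Duo Labs), the following POSIX shell script reads the Model Identifier and Boot ROM Version from `system_profiler SPHardwareDataType` output and compares the firmware version with the one expected for that model and macOS release. The expected-version table and the sample report are constructed placeholders; real expected versions are not on this page and would have to come from a vetted list.

```shell
#!/bin/sh
# Added example, not code from the article or from Duo Labs: compare the EFI
# ("Boot ROM") version a Mac reports with the version expected for its model
# and macOS release. The expected-version table below is CONSTRUCTED with
# placeholder strings; real values are not on the page and must be supplied
# from a vetted source before use.

# Expected EFI version per "Model Identifier|macOS version" (placeholders).
EXPECTED_EFI='iMac16,2|10.12.6|PLACEHOLDER.0001.B00
MacBookPro13,2|10.12.6|PLACEHOLDER.0002.B00'

# sp_field KEY: read a "KEY: value" line from system_profiler-style text on stdin.
sp_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# expected_efi MODEL OSVER: print the expected version, or nothing if unknown.
expected_efi() {
    printf '%s\n' "$EXPECTED_EFI" |
        awk -F'|' -v m="$1" -v o="$2" '$1 == m && $2 == o { print $3 }'
}

# efi_status MODEL OSVER ACTUAL: print OK, MISMATCH or UNKNOWN.
efi_status() {
    want=$(expected_efi "$1" "$2")
    if [ -z "$want" ]; then
        echo "UNKNOWN"
    elif [ "$3" = "$want" ]; then
        echo "OK"
    else
        echo "MISMATCH"
    fi
}

# check_efi REPORT OSVER: parse a system_profiler report and print its status line.
check_efi() {
    model=$(printf '%s\n' "$1" | sp_field "Model Identifier")
    actual=$(printf '%s\n' "$1" | sp_field "Boot ROM Version")
    status=$(efi_status "$model" "$2" "$actual")
    echo "$status: $model on macOS $2 reports EFI '$actual' (expected '$(expected_efi "$model" "$2")')"
}

# Constructed sample in the shape of `system_profiler SPHardwareDataType` output.
SAMPLE_REPORT='Hardware:
    Hardware Overview:
      Model Name: iMac
      Model Identifier: iMac16,2
      Boot ROM Version: PLACEHOLDER.0000.B00'

# On a real Mac, feed live data instead of the sample:
#   check_efi "$(system_profiler SPHardwareDataType)" "$(sw_vers -productVersion)"
check_efi "$SAMPLE_REPORT" "10.12.6"
```

A MISMATCH result is only as good as the expected-version table, so the table needs to be kept current with each macOS release that bundles firmware.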
More information on the problem and how to check if your Mac is affected can be found on the Duo Labs blog.