CATEGORIES
home News

Millions Of Macs Left Vulnerable Without Critical EFI Firmware Security Updates From Apple

by Paul LillyFriday, September 29, 2017, 10:29 AM EDT
iMac

Around two years ago, researchers discovered serious firmware vulnerabilities in Mac laptops and desktops, and then developed a proof-of-concept worm to demonstrate how potentially damaging they could be. Since then, Apple has been pretty good about including EFI (extensible firmware interface) updates with its macOS security and software updates, though new evidence suggests it is not nearly enough.

This time around, researchers at Duo Security took a detailed look at the firmware used in Mac systems, and found them to be lacking. This is the part of the system that makes a series of checks and instructs core components what to do, before loading up the operating system—in this instance, macOS. Malicious code that is able to hide in firmware is difficult to detect, compared to malware  that might exist in the OS.

2015 iMac

While updates to firmware are important, they are kind of a pain, as they are implemented separately from OS updates. Perhaps for that reason Apple has not paid enough attention to its firmware. In a survey of 73,000 Mac systems, the researchers found that over 4 percent of them were not running the latest firmware release. And in some cases, such as the 21.5-inch iMac released in 2015, that number was 43 percent. Assuming those figures hold true on a larger scale, millions of Macs are running old firmware.

"Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version," Duo Security said.

That is a scary thought, considering that attacks at the firmware level are especially nasty—not only are they difficult to detect, they run a deep level and can persist even when nuking the storage device and clean installing the OS. Fortunately Apple is aware of the situation and seems receptive to the findings.

"We appreciate Duo’s work on this industry-wide issue and noting Apple’s leading approach to this challenge," Apple said in a statement. "Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly."


Tags:  Firmware, Apple, security, Mac, (nasdaq:aapl, efi
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment