Millions Of Macs Left Vulnerable Without Critical EFI Firmware Security Updates From Apple
Around two years ago, researchers discovered serious firmware vulnerabilities in Mac laptops and desktops and built a proof-of-concept worm to show how damaging they could be. Since then Apple has been reasonably good about shipping EFI (Extensible Firmware Interface) updates alongside its macOS security and software updates, but new research from Duo Security suggests that is not nearly enough.
Firmware updates matter, but they are more of a hassle than OS updates: even when an EFI update ships inside a macOS update, the firmware is flashed by a separate step, so a Mac can be fully patched at the OS level and still be running stale firmware. Perhaps for that reason, Apple has not paid enough attention to its firmware. In a survey of 73,000 Mac systems, the researchers found that over 4 percent were not running the latest firmware release for their model. For some models the figure was far higher: 43 percent of the 21.5-inch iMacs released in 2015 were on outdated firmware. If those figures hold at scale, millions of Macs are running old firmware.
That is a worrying finding, because attacks at the firmware level are especially nasty: they are hard to detect, they run beneath the operating system, and because the firmware lives in flash on the logic board rather than on the drive, they can persist even after the storage device is wiped and the OS is cleanly reinstalled. Fortunately, Apple is aware of the situation and seems receptive to the findings.
"We appreciate Duo’s work on this industry-wide issue and noting Apple’s leading approach to this challenge," Apple said in a statement. "Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly."
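The survey figures above come down to one comparison per machine: the EFI version the Mac reports versus the version expected for its model. The script below is an added example, not code from the article or from Duo's tooling. It reads the "Boot ROM Version" and "Model Identifier" fields that `system_profiler SPHardwareDataType` prints on a Mac, looks the model up in an expected-version table and reports a match, a mismatch or an unknown model. The sample profiler output, the model identifiers and every firmware version string in the table are constructed placeholders; a real table would be built from the EFI payloads inside Apple's update packages.

```shell
#!/bin/sh
# Added example (not the article's or Duo's code): compare a Mac's installed EFI
# version with the version expected for its model. Real input comes from
# `system_profiler SPHardwareDataType`; a constructed sample of that output is
# embedded so the script runs offline.

# Constructed sample of system_profiler output. Model and Boot ROM strings are
# format-plausible placeholders, not real Apple release data.
SAMPLE_HW_PROFILE='Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac16,2
      Processor Name: Intel Core i5
      Boot ROM Version: IM162.0099.B00
      SMC Version (system): 2.31f34
'

# Placeholder table of expected Boot ROM versions keyed by model identifier.
# A real table would be built from the EFI payloads inside Apple's macOS and
# security update packages; these values are made up for the demonstration.
expected_bootrom() {
    case "$1" in
        iMac16,2)       echo "IM162.0101.B00" ;;
        MacBookPro13,1) echo "MBP131.0100.B00" ;;
        *)              echo "" ;;   # unknown model: nothing to compare against
    esac
}

# Extract the value of a "Key: value" line from profiler text on stdin.
profile_field() {
    sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# Read profiler output from stdin and print a one-line verdict.
# Exit status: 0 = firmware matches, 1 = mismatch (stale or unexpected), 2 = unknown model.
check_firmware() {
    profile=$(cat)
    model=$(printf '%s\n' "$profile" | profile_field "Model Identifier")
    bootrom=$(printf '%s\n' "$profile" | profile_field "Boot ROM Version")
    # Newer macOS releases label the same field "System Firmware Version".
    [ -n "$bootrom" ] || bootrom=$(printf '%s\n' "$profile" | profile_field "System Firmware Version")
    expected=$(expected_bootrom "$model")
    if [ -z "$expected" ]; then
        echo "UNKNOWN model=$model firmware=$bootrom (no expected version on file)"
        return 2
    fi
    if [ "$bootrom" = "$expected" ]; then
        echo "OK model=$model firmware=$bootrom"
        return 0
    fi
    echo "MISMATCH model=$model firmware=$bootrom expected=$expected"
    return 1
}

# Stand-alone run: check the embedded sample, or the live machine with --live (macOS only).
if [ "${1:-}" = "--live" ]; then
    system_profiler SPHardwareDataType | check_firmware
else
    printf '%s\n' "$SAMPLE_HW_PROFILE" | check_firmware || true
fi
```

Run it with `--live` on a Mac to check the machine you are sitting at; the exit status makes it usable from a fleet-management agent. Note what this check does and does not tell you: a version match says the expected update was applied, but it does not prove the firmware image is unmodified. The weekly validation Apple describes in its statement is the integrity side of that picture, and the two checks are complementary.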