“Always keep your operating system and software up-to-date.”
This is one of the most popular and critical advice that every security expert strongly suggests you to follow to prevent yourself from major cyber attacks.
However, even if you attempt to install every damn software update that lands to your system, there is a good chance of your computer remaining outdated and vulnerable.
Researchers from security firm Duo Labs analysed over 73,000 Macs systems and discovered that a surprising number of Apple Mac computers either fails to install patches for EFI firmware vulnerabilities or doesn’t receive any update at all.
Apple uses Intel-designed Extensible Firmware Interface (EFI) for Mac computers that work at a lower level than a computer’s OS and hypervisors—and controls the boot process.
EFI runs before macOS boots up and has higher-level privileges that, if exploited by attackers, could allow EFI malware to control everything without being detected.
“In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove—installing a new OS or even replacing the hard disk entirely is not enough to dislodge them,” Duo researchers say.
What’s worse? In addition to neglecting to push out EFI updates to some systems, Apple does not even warn its users of the failed EFI update process or technical glitch, leaving millions of Macs users vulnerable to sophisticated and advanced persistent cyber attacks.
On average, Duo said 4.2% of 73,324 real-world Macs used in the enterprise environments were found running a different EFI firmware version they should not be running—based on the hardware model, the operating system version, and the EFI version released with that OS.
You will be surprised by knowing the numbers for some specific Mac models—43% of the analysed iMac models (21.5″ of late 2015) were running outdated, insecure firmware, and at least 16 Mac models had never received any EFI firmware updates when Mac OS X 10.10 and 10.12.6 was available.
“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates,” Duo researchers say.
“Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version,”
Duo also found 47 models that were running 10.12, 10.11, 10.10 versions of macOS and did not receive the EFI firmware update with patches to address the known vulnerability, Thunderstrike 1.
While 31 models did not get the EFI firmware patch addressing the remote version of the same flaw, Thunderstrike 2.
The Thunderstrike attacks, initially developed by the National Security Agency (NSA), were also exposed in the WikiLeaks Vault 7 data dumps, which also mentioned the attack relies on the outdated firmware.
More details on the vulnerable Mac models can be found in the Duo Labs research report.
According to the researchers, their research was focused on the Mac ecosystem as Apple is in a somewhat unique position of controlling the full stack, but it can be widely deployed.
“However, we are of the belief that the main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not solely Apple,” the researchers said.
Enterprises with a large number of Mac computers should review their models outlined in the Duo Labs whitepaper, “The Apple of Your EFI: Findings From an Empirical Study of EFI Security,” to see if their models are out-of-date.
Mac users and administrators can also check if they are running the latest version of EFI for their systems by using free open-source tool EFIgy, which will soon be made available by the company.