4.2% of Macs Fail to Update Firmware, Vulnerable to Exploits

Routine software updates, among other things, are meant to protect your device against known security exploits and vulnerabilities. But according to a new report, macOS updates might be leaving out important patches that are critical for security.

In a recent survey of more than 73,000 Mac computers, researchers at Duo Security found that an alarming number of Mac machines — about 4.2 percent — were running outdated EFI firmware relative to the version of macOS installed. In most cases, routine software updates either skipped updating the firmware, or the firmware installation was unsuccessful, according to Duo’s whitepaper on the topic.

EFI, or Extensible Firmware Interface, is the software on a computer’s motherboard that runs when a Mac is powered on. Since it’s such a core, under-the-hood part of the Mac platform, it leaves Macs with outdated firmware dangerously vulnerable to attack. And unlike other vulnerabilities, these firmware attacks offer malicious entities “powerful capabilities in terms of stealth, persistence and direct access to hardware,” Duo’s research paper notes.

In other words, compromising a computer’s EFI allows an attacker dangerous control over the system as it can bypass high-level security features. Worse still, it’s extremely hard to detect if a system has been compromised, and once it is, it is very hard to fix. EFI infections can even survive entire hard drive wipes or clean installs of an OS.

Duo Security’s research found that 47 of the Macs they surveyed, which were capable of running either OS X Yosemite, OS X El Capitan or macOS Sierra, did not have the appropriate EFI patch for the Thunderstrike vulnerability — a dangerous exploit that allowed attackers to install malicious code without a user’s knowledge. Thunderstrike was first discovered three years ago.

As to why Macs aren’t receiving these vital updates, the research paper notes that there seems to be an issue with the way that EFI patches are bundled with standard macOS software updates. In the cases where Macs received no EFI update at all, Duo said that it’s unclear why.

“This means that even if your Mac is still receiving security patch support, there is a non-trivial chance that your system is not running the latest version, even though you thought it was installed,” Duo wrote. Even though Duo’s research focused on Apple machines, the security firm noted that similar — if not worse — EFI issues are present on PCs running various versions of Windows or Linux.

“We appreciate Duo’s work on this industry-wide issue and noting Apple’s leading approach to this challenge,” Apple wrote in a statement provided to ARS Technica. “Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems more secure.” Additionally, Apple noted that macOS High Sierra automatically conducts a weekly validation of a Mac’s EFI to ensure that it’s up-to-date and hasn’t been tampered with.

If you’re concerned about your own Mac platform, Duo Security said in a blog post that it offers a tool to help you figure out which version EFI you’re running. As always, it’s also recommended that you update your Mac to the latest version of macOS High Sierra.