“As any nagging cybersecurity expert will tell you, keeping your software up to date is the brushing and flossing of digital security,” Andy Greenberg writes for Wired. “But even the most meticulous practitioners of digital hygiene generally focus on maintaining the updates of their computer’s operating system and applications, not its firmware. That obscure, reptile-brain code controls everything from a PC’s webcam to its trackpad to how it finds the rest of its software as it boots up.”
“Now one new study has found that the most critical elements of millions of Macs’ firmware aren’t getting updates,” Greenberg writes. “And that’s not because lazy users have neglected to install them, but because Apple’s firmware updates frequently fail without any notice to the user, or simply because Apple silently stopped offering those computers firmware updates—in some cases even against known hacking techniques.”
“At today’s Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple’s so-called extensible firmware interface, or EFI,” Greenberg writes. “Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple’s neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails. For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven’t kept pace with their operating system system updates. And for many models, Apple hasn’t released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim’s machine.”
“Overall, 4.2 percent of the Macs they tested had the wrong EFI version for their operating system version, suggesting they had installed a software update that somehow failed to update their EFI. For one desktop iMac, the late 2015 21.5 inch screen model, the researchers found failed EFI updates in 43% of machines. And three versions of the 2016 Macbook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases,” Greenberg writes. “‘We don’t know why all the EFI updates aren’t taking, we know that they aren’t,’ says [Rich Smith, Duo’s director of research and development]. ‘And if it doesn’t work, the end user is never notified.'”
Much more in the full article here.
MacDailyNews Take: As Greenberg notes, the researchers chose Apple simply because its control of both hardware and software made it a far easier set of computers to analyze than Windows or Linux PCs, not because there’s any reason to think the company is less careful with its firmware than other computer makers)… “I suspect this problem is many times more severe on Windows than Mac,” says Thomas Reed, the head of Apple research at security firm MalwareBytes.
Apple provided a statement to Wired that reads, “In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure.”
Duo Security will be releasing a free tool “soon” called EFIgy that will makes it easy to check whether a Mac is running an EFI version with a known vulnerability. More info here.
Apple’s macOS High Sierra validates Mac firmware weekly, alerts users to possible security issues – September 25, 2017