EFI firmware in millions of Macs don’t get the most critical elements of Apple’s updates; Windows and Linux PCs at risk, too

“As any nagging cybersecurity expert will tell you, keeping your software up to date is the brushing and flossing of digital security,” Andy Greenberg writes for Wired. “But even the most meticulous practitioners of digital hygiene generally focus on maintaining the updates of their computer’s operating system and applications, not its firmware. That obscure, reptile-brain code controls everything from a PC’s webcam to its trackpad to how it finds the rest of its software as it boots up.”

“Now one new study has found that the most critical elements of millions of Macs’ firmware aren’t getting updates,” Greenberg writes. “And that’s not because lazy users have neglected to install them, but because Apple’s firmware updates frequently fail without any notice to the user, or simply because Apple silently stopped offering those computers firmware updates—in some cases even against known hacking techniques.”

“At today’s Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple’s so-called extensible firmware interface, or EFI,” Greenberg writes. “Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple’s neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails. For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven’t kept pace with their operating system system updates. And for many models, Apple hasn’t released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim’s machine.”

“Overall, 4.2 percent of the Macs they tested had the wrong EFI version for their operating system version, suggesting they had installed a software update that somehow failed to update their EFI. For one desktop iMac, the late 2015 21.5 inch screen model, the researchers found failed EFI updates in 43% of machines. And three versions of the 2016 Macbook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases,” Greenberg writes. “‘We don’t know why all the EFI updates aren’t taking, we know that they aren’t,’ says [Rich Smith, Duo’s director of research and development]. ‘And if it doesn’t work, the end user is never notified.'”

Much more in the full article here.

MacDailyNews Take: As Greenberg notes, the researchers chose Apple simply because its control of both hardware and software made it a far easier set of computers to analyze than Windows or Linux PCs, not because there’s any reason to think the company is less careful with its firmware than other computer makers)… “I suspect this problem is many times more severe on Windows than Mac,” says Thomas Reed, the head of Apple research at security firm MalwareBytes.

Apple provided a statement to Wired that reads, “In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure.”

Duo Security will be releasing a free tool “soon” called EFIgy that will makes it easy to check whether a Mac is running an EFI version with a known vulnerability. More info here.

Apple’s macOS High Sierra validates Mac firmware weekly, alerts users to possible security issues – September 25, 2017


  1. Perhaps that explains why I haven’t been able to upgrade to high Sierra yet because it errors out with some kind of “invalid Firmware” message. I’ve tried a couple of times… I’ve heard there are issues related to OWC SSD drives, but I’m trying to install onto a standard one.

  2. The problem with this Ars article and the study upon which it is based is that it does not differentiate between EFI firmware not being up to date and EFI firmware that is vulnerable to the attack vectors listed. Just because the EFI firmware is not up to date does not mean that it is vulnerable. There are many reasons to update EFI firmware that may have nothing to do with closing vulnerabilities to attack vectors.

    If the study is only pointing out Macs that are vulnerable then it should explicitly state that condition. On the other hand, as is most likely the case, they are listing all Macs that don’t have the most current EFI firmware for that machine, then they need to explicitly state what fraction of those machines are vulnerable to the attack vectors. To do otherwise is grossly misleading.

    Also neither the article nor the study upon which it is based differentiate between the number of Macs upon which EFI firmware updates were tried and failed to update versus the Macs in which the user didn’t try to update it. The article implies that all out of date EFI firmware is due to bad update mechanisms coming out of Apple. However, this is very likely untrue for some fraction of those 73,000 Macs in the study. Did the study team try to do an update on each of those Macs with out of date EFI firmware and see it fail to update? That is extremely unlikely.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.