Thousands of Apple Macs are vulnerable to un-patched firmware, regardless of operating system patching levels. The security firm Duo Labs recently set out to study the security of Mac firmware, more specifically the EFI (Extensible Firmware Interface) shipped in Macs over the past three years. Think of EFI as the modern BIOS (Basic Input / Output System): it manages the boot process of a computer system as well as communications between the operating system and devices such as video, keyboard, printers, and mice.
Firmware vulnerabilities and attacks are of particular concern because a successful attack gives the attacker an extraordinary level of privilege: the firmware runs below the operating system and even below hypervisors, which makes it easier to bypass security countermeasures. Essentially you want to keep the firmware up to date and secure, and avoid it being compromised.
As Rich Smith and Pepijn Bruienne wrote in their blog post: “In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove - installing a new OS or even replacing the hard disk entirely is not enough to dislodge them.”
Which is why Duo Labs’ research is concerning. Their research focused on how Apple manages the EFI firmware security for its Mac hardware. Duo Labs analyzed all Mac updates for the previous three years (versions 10.10.0 - 10.12.6), and they gathered the system metadata on 73,000 Macs running in-the-wild. “Once we had these two datasets, we analyzed them both independently and comparatively to explore the questions we had about the level of security support being afforded to a Mac’s EFI environment,” the team wrote.
What Duo Security found is that there are systems running in the wild where one would expect the EFI to have been updated but it hasn’t been, and that EFI security support varies across Mac hardware. “There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running. This creates the situation where admins and users have installed the latest OS or security update, but for some reason, the EFI was not updated. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. This means that users and admins are often blind to the fact that their system’s EFI may continue to be vulnerable,” the team wrote.
This isn’t good, and even knowledgeable users may assume that Apple would notify them when a firmware update is needed. Beyond that, the amount of firmware support varies greatly from one Apple Mac model to another. “The security support provided for EFI firmware depends on the hardware model of Mac. Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI,” they wrote.
Furthermore, the operating system a Mac is running affects which firmware update it receives. “The security support provided for EFI firmware also depends on the version of the OS a system is running. A Mac model running OS X 10.11 can receive distinctly different updates to its EFI than the same Mac model running MacOS 10.12. This creates the confusing situation where a system is fully patched and up to date with respect to its software, but is not fully patched with respect to its EFI firmware - we called this software secure but firmware vulnerable,” they wrote.
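The “software secure but firmware vulnerable” check described above, as an added example that is not Duo Labs’ own tooling: it reads the model identifier and Boot ROM version from `system_profiler SPHardwareDataType` style output and compares the Boot ROM against the EFI version expected for that model and OS version. The expected-version table and the sample profile text are constructed placeholders; a real deployment would populate the table from Apple’s update packages, as Duo did.

```python
import re

# Constructed reference table: (model identifier, OS version) -> expected Boot ROM version.
# These are placeholder values, not real Apple firmware versions.
EXPECTED_EFI = {
    ("MacBookPro-MODEL-A", "10.12.6"): "EFI-A.0226.B25",
    ("MacBookPro-MODEL-A", "10.11.6"): "EFI-A.0219.B17",
    ("iMac-MODEL-B", "10.12.6"): "EFI-B.0042.B01",
}

# Constructed sample of `system_profiler SPHardwareDataType` output for one machine.
SAMPLE_PROFILE = """Hardware:
    Hardware Overview:
      Model Name: MacBook Pro
      Model Identifier: MacBookPro-MODEL-A
      Boot ROM Version: EFI-A.0219.B17
      SMC Version (system): 2.0f0
"""


def parse_hardware_profile(text):
    """Extract (model identifier, Boot ROM version) from system_profiler output."""
    model = re.search(r"Model Identifier:\s*(\S+)", text)
    rom = re.search(r"Boot ROM Version:\s*(\S+)", text)
    if not model or not rom:
        raise ValueError("profile lacks Model Identifier or Boot ROM Version")
    return model.group(1), rom.group(1)


def classify(model, os_version, boot_rom):
    """Compare the running Boot ROM with the version expected for this model/OS pair."""
    expected = EXPECTED_EFI.get((model, os_version))
    if expected is None:
        return "unknown"  # no reference data for this pair: cannot judge either way
    if boot_rom == expected:
        return "expected"
    # OS reports as patched, but the EFI is not the version that update should carry.
    return "firmware-vulnerable"


def audit(profile_text, os_version):
    """Return an inventory record for one Mac; os_version comes from `sw_vers -productVersion`."""
    model, rom = parse_hardware_profile(profile_text)
    return {"model": model, "boot_rom": rom, "os": os_version,
            "status": classify(model, os_version, rom)}


if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE, "10.12.6"))  # the sample machine is firmware-vulnerable
```

Run across a fleet inventory, the records with status `firmware-vulnerable` are exactly the discrepancy class the research describes, and `unknown` flags models the reference table does not yet cover.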
What does this mean for Apple Mac users? Duo Labs provided the following recommendations, and released some tools to help:
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.