Study Finds Significant Number of Macs Running Out-of-Date Firmware Susceptible to Critical Exploits

A new research paper from Duo Security, shared by Ars Technica, reveals that a significant number of Macs are running out-of-date EFI versions, leaving them susceptible to critical pre-boot firmware exploits.

macos high sierra trio
The security firm analyzed 73,324 Macs used in production environments and found that, on average, 4.2 percent of the systems were running the incorrect EFI version relative to the model and version of macOS or OS X installed.

The percentage of incorrect EFI versions varies greatly depending on the model. The late 2015 21.5" iMac had the highest occurrence of incorrect EFI firmware, with 43 percent of systems running incorrect versions.

EFI, which stands for Extensible Firmware Interface, bridges a Mac's hardware, firmware, and operating system together to enable it to go from power-on to booting macOS. EFI operates at a lower level than both the operating system and hypervisors, providing attackers with a greater level of control.

Successful attack of a system's UEFI implementation provides an attacker with powerful capabilities in terms of stealth, persistence, and direct access to hardware, all in an OS and VMM independent manner.

Duo Security found that 47 models capable of running OS X Yosemite, OS X El Capitan, or macOS Sierra, for example, did not have an EFI security patch for the Thunderstrike exploit publicly disclosed nearly three years ago.

The research paper noted that there seems to be something interfering with the way bundled EFI updates are installed alongside macOS, while some Macs never received EFI updates whatsoever, but it doesn't know exactly why.

There seems to be something interfering with the way bundled EFI firmware updates are getting installed, leading to systems running old EFI versions. We are not able to give an exact reason why, but there are significant discrepancies between the firmware version that is actually running on real world production systems and the version that is expected to be running, given the OS build. This means that even if your Mac is still receiving security patch support, there is a non-trivial chance that your system is not running the latest version, even though you thought it was installed.

While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

In response to the research paper, Apple said it appreciates the research on the industry-wide issue and noted that macOS High Sierra automatically validates a Mac's EFI on a weekly basis to ensure it hasn't been tampered with.

We appreciate Duo's work on this industry-wide issue and noting Apple’s leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.

In a related blog post, Duo Security said users should check if they are running the latest version of EFI on their Macs, and it has released a tool to help do so. It also recommends updating to the latest version of macOS High Sierra.

Top Rated Comments

rpmurray Avatar
52 months ago
In response to the research paper, Apple said it appreciates the research on the industry-wide issue and noted that ONLY macOS High Sierra automatically validates a Mac's EFI ('https://www.macrumors.com/2017/09/25/macos-high-sierra-weekly-efi-security-check/') on a weekly basis to ensure it hasn't been tampered with. Anyone running Macs with an earlier OS (like Sierra or the ancient El Capitan) or a Mac that can't be updated to run High Sierra are SOL.
Score: 10 Votes (Like | Disagree)
840quadra Avatar
52 months ago
4.2% huh, I imagine most of those are in fact Hackintoshes, which are modified EFI to begin with.... I wonder what percent it would be if those were excluded?
I am not sure how many Hackintoshes are in production environments though. It appears that they did this study directly, not using web metrics.

I am sure there are some hackintosh computers being used commercially, though I would expect they would be excluded from such a study. Nevermind completely illegal, exposing those companies to potentially serious lawsuits.
Score: 8 Votes (Like | Disagree)
chrfr Avatar
52 months ago
4.2% huh, I imagine most of those are in fact Hackintoshes, which are modified EFI to begin with.... I wonder what percent it would be if those were excluded?
If you read through the paper, you'll see that these are not Hackintoshes. The guys who wrote this paper are well aware of the details.
[doublepost=1506697970][/doublepost]
This is an old research. I just found out that even when you have the most up to date firmware you still doomed. :D
No, this isn't old.
Score: 8 Votes (Like | Disagree)
jayducharme Avatar
52 months ago
Buy a Mac they said...

Macs can’t get viruses they said...
Well, technically they still can't, not in the way PCs do. But they're still a computer susceptible to hacking.

This discovery gives yet another good reason for always updating your Mac to the latest OS (if your hardware supports it, obviously). Sometimes Apple patches problems before we even know they exist.
Score: 8 Votes (Like | Disagree)
triptolemus Avatar
52 months ago
Can someone explain to me why it's a good idea to download a tool that interacts with the EFI firmware from a third party off of something called Github?
Score: 8 Votes (Like | Disagree)
sos47 Avatar
52 months ago
it hurts me. update to High Sierra not possible. iMac 2011
Score: 6 Votes (Like | Disagree)

Top Stories

apple california streaming event

Apple Event Announced: 'California Streaming' on September 14 With iPhone 13, Apple Watch Series 7 Expected

Tuesday September 7, 2021 9:03 am PDT by
Apple today announced that it will be holding a special event on Tuesday, September 14 at 10:00 a.m. The event will take place at the Steve Jobs Theater on the Apple Park campus in Cupertino, California. As with WWDC and last year's fall events, this new event will be held digitally with no members of the media invited to attend in person. Apple will likely provide pre-taped segments for...
Apple Prefer Lightning Over USB C Feature

iPhone Sticking With Lightning Port Over USB-C for 'Foreseeable Future'

Tuesday March 2, 2021 9:32 am PST by
Apple will retain the Lightning connector on the iPhone for the "foreseeable future," with no intention of switching to USB-C, according to reliable analyst Ming-Chi Kuo. In spite of much of the industry moving toward USB-C, Apple will not be using it to replace the Lightning connector on the iPhone 13, or indeed on any iPhone model for the time being. In a note seen by MacRumors yesterday,...
iphone 12 colors 2021

iPhone 12 Colors: Deciding on The Right Color

Thursday November 5, 2020 8:35 am PST by
The iPhone 12 and iPhone 12 Pro arrived in October 2020 in a range of color options, with entirely new hues available on both devices, as well as some popular classics. The 12 and 12 Pro have different color choices, so if you have your heart set on a particular shade, you might not be able to get your preferred model in that color. iPhone 12 mini and iPhone 12 The iPhone 12 mini and iPhone...
it home ecommerce app iphone 13

iPhone 13 to Launch on September 17, AirPods 3 on September 30, Claims Report

Wednesday August 25, 2021 2:42 am PDT by
Apple may be planning to launch the iPhone 13 on Friday, September 17 and third-generation AirPods on Thursday, September 30, according to an image of an e-commerce app discovered by Chinese language site IT Home. The screenshot, originally posted by Weibo account @PandaIsBald, suggests all four iPhone 13 models will go on sale on September 17, followed by the AirPods 3 on September 30....
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
original iphone

Phil Schiller Says iPhone Was 'Earth-Shattering' Ten Years Ago and Remains 'Unmatched' Today

Monday January 9, 2017 7:15 am PST by
To commemorate the tenth anniversary of the iPhone, Apple marketing chief Phil Schiller sat down with tech journalist Steven Levy for a wide-ranging interview about the smartphone's past, present, and future. The report first reflects upon the iPhone's lack of support for third-party apps in its first year. The argument inside Apple was split between whether the iPhone should be a closed...
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
maroon5memories

Apple Collaborates With Maroon 5 to Add 'Memories' Song to Photos App

Wednesday September 25, 2019 12:02 pm PDT by
Apple has teamed up with Maroon 5 to add the group's new song "Memories" to the Memories feature in the Photos app, allowing it to be used for photo slide show creations, reports Billboard. "Memories" will be available as a soundtrack option for a limited time and it is available to iPhone and iPad users running the latest iOS 13 and iPadOS software. Memories in the Photos app are created ...
ulysses Blog Publishing

Ulysses 22 Brings New Blogging Options and Visual Customizations

Monday March 22, 2021 5:24 am PDT by
Popular writing app Ulysses today received its 22nd major release, introducing new publishing features and additional options for users to customize the visual appearance of their writing environment. As well as providing a focused writing environment, Ulysses offers ways to publish texts from within the app to various blogging platforms. Version 22 adds the ability to publish to Micro.blog, ...
affinity designer contour tool

Serif Updates Affinity Photo, Designer, and Publisher With New Tools and Functions

Thursday February 4, 2021 1:58 am PST by
Serif today announced across-the-board updates for its popular suite of Affinity creative apps, including Affinity Photo, Affinity Designer, and the Apple award-winning Affinity Publisher for Mac, all of which were among the first professional creative suites to be optimized for Apple's new M1 chip. "After another year which saw record numbers of people switching to Affinity, it's exciting to...