Firmware in many Macs isn't getting updates

According to Duo Security research, Apple's EFI firmware can be out of dated on many devices
02 October 2017   1216

What is EFI firmware?

EFI stands for Extensible Firmware Interface - the interface between the operating system and microprograms controlling low-level hardware functions. Its main purpose is to correctly initialize the equipment when the system is turned on and transfer control to the operating system loader. EFI is designed to replace the BIOS interface, which is traditionally used by all IBM PC-compatible personal computers. The first EFI specification was developed by Intel, later the first version was abandoned and the latest version of the standard is called the Unified Extensible Firmware Interface (UEFI). Currently, UEFI is developing the Unified EFI Forum.

What is DUO security and what did they research? 

DUO is a security company. According to official website, they combine security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools for the modern era. It’s so simple and effective, you get the freedom to focus on your mission and leave protection to us.

So, DUO team analyzed:

  • All Apple Mac updates released over the last three years (10.10.0 - 10.12.6) to produce a taxonomy of EFI updates
  • They gathered OS version, build number, Mac model version, and EFI firmware version from over 73,000 real-world Mac systems deployed in organizations across a number of industry verticals to give us a large dataset of the Apple EFI environments that are in production use
  • Then they analyzed them both independently and comparatively to explore the questions we had about the level of security support being afforded to a Mac’s EFI environment.
  • Correlated the Mac models and OS versions that had EFI updates made available
  • We also took time to reverse engineer the way in which the Apple EFI firmware update tools operate, select and apply EFI updates

As reported by Wired, they found out that for certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine. 

There’s this mantra about keeping your system up to date: Patch, patch, patch, and if you do you’ll be running faster than the bear, you’ll be in a good state. But we're seeing cases where people have done what they’d been told, installed these patches, and there were no user warnings that they were still running the wrong version of EFI...Your software can be secure while your firmware is insecure, and you're completely blind to that.
 

Rich Smith
Director of research and development, Duo

In general, 4.2 % of the Macs Duo tested had the wrong EFI version for their operating system version, suggesting they had installed a software update that somehow failed to update their EFI. For some specific models, the results were far worse: For one desktop iMac, the late 2015 21.5 inch screen model, the researchers found failed EFI updates in 43% of machines. And three versions of the 2016 Macbook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases, suggesting they too had serious EFI update failure rates.

The Duo researchers couldn't determine why Macs were failing to get firmware updates. But unlike an operating system update failure, an EFI update failure doesn't trigger any alert for the user.

We don’t know why all the EFI updates aren’t taking, we know that they aren’t. And if it doesn’t work, the end user is never notified.
 

Rich Smith
Director of research and development, Duo

What does it means to a final user?

The state of your Mac’s EFI firmware may not be what you expect it to be, and in a number of circumstances, this may leave you vulnerable to a variety of known public EFI security issues.

What should user do?

The basic advices from Due are follows:

  • Check if you’re running the latest version of EFI for your system.
  • If possible, update to the latest version of the OS 10.12.6. This will not only give you the latest versions of EFI firmware released by Apple, but also make sure you’re patched against known software security issues as well.
  • If you’re not able to update to version 10.12.6 either because your hardware is not able to run it, or because you need to run an older version for software compatibility reasons, you may be out of luck and not be able to run the most up-to-date EFI firmware
  • Check if you’re running a Mac that is on the list of hardware that hasn’t received an EFI update. If it is, you may be out of luck and not able to run up-to-date EFI firmware

You can have more information at full Duo and in the manual.

MacOS High Sierra Can be Hacked Thru Wi-Fi

Corporation eliminated it with the release of macOS 10.13.6 in July 2018, but unupdated computers are still vulnerable
13 August 2018   518

The chief security officer at Fleetsmith Jesse Endahl and the Dropbox engineer Max Belanger found a way to compromise Apple's computers with MacOS High Sierra to version 10.13.6 when the device connects to Wi-Fi for a first time. Attackers can hack the device before the first start of the system. This is is reported by Digital Trends.

We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time. By the time they’re logging in, by the time they see the desktop, the computer is already compromised.
 

Jesse Endahl

CSO, Fleetsmith

According to experts, the errors are in the tools for the remote access called Device Enrolment Program (DEP) and Mobile Device Management (MDM). When you connect to Wi-Fi for the first time, the laptop connects to Apple's servers and, if its serial number coincides with the company's identifiers, it starts downloading corporate programs from the list in the manifest file. MDM does not require a certificate of authenticity, so hackers can replace the original file with an arbitrary file with its own list of software.

The researchers told Apple about the vulnerability, and the corporation eliminated it with the release of macOS 10.13.6 in July 2018. Computers with older versions of the OS remain vulnerable.

In November 2017, experts discovered a vulnerability in the macOS High Sierra, which allowed root privileges to be received in a couple of clicks. Then the corporation released a bug fix the very next day.