What is EFI firmware?
EFI stands for Extensible Firmware Interface, the interface between the operating system and the microprograms controlling low-level hardware functions. Its main purpose is to correctly initialize the hardware when the system is turned on and to transfer control to the operating system loader. EFI is designed to replace the BIOS interface, which is traditionally used by all IBM PC-compatible personal computers. The first EFI specification was developed by Intel; later the first version was abandoned, and the latest version of the standard is called the Unified Extensible Firmware Interface (UEFI). UEFI is currently developed by the Unified EFI Forum.
What is Duo Security and what did they research?
Duo is a security company. According to its official website, they combine security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools for the modern era. It’s so simple and effective, you get the freedom to focus on your mission and leave protection to us.
So, the Duo team:
- Analyzed all Apple Mac updates released over the last three years (10.10.0 - 10.12.6) to produce a taxonomy of EFI updates.
- Gathered OS version, build number, Mac model version, and EFI firmware version from over 73,000 real-world Mac systems deployed in organizations across a number of industry verticals, giving a large dataset of the Apple EFI environments that are in production use.
- Analyzed both independently and comparatively to explore questions about the level of security support being afforded to a Mac’s EFI environment.
- Correlated the Mac models and OS versions that had EFI updates made available.
- Reverse engineered the way in which the Apple EFI firmware update tools operate, select and apply EFI updates.
As reported by Wired, they found that for certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.
There’s this mantra about keeping your system up to date: Patch, patch, patch, and if you do you’ll be running faster than the bear, you’ll be in a good state. But we're seeing cases where people have done what they’d been told, installed these patches, and there were no user warnings that they were still running the wrong version of EFI... Your software can be secure while your firmware is insecure, and you're completely blind to that.
Director of research and development, Duo
In general, 4.2% of the Macs Duo tested had the wrong EFI version for their operating system version, suggesting they had installed a software update that somehow failed to update their EFI. For some specific models, the results were far worse: for one desktop iMac, the late 2015 21.5 inch screen model, the researchers found failed EFI updates in 43% of machines. And three versions of the 2016 MacBook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases, suggesting they too had serious EFI update failure rates.
The Duo researchers couldn't determine why Macs were failing to get firmware updates. But unlike an operating system update failure, an EFI update failure doesn't trigger any alert for the user.
We don’t know why all the EFI updates aren’t taking, we know that they aren’t. And if it doesn’t work, the end user is never notified.
Director of research and development, Duo
What does it mean for the end user?
The state of your Mac’s EFI firmware may not be what you expect it to be, and in a number of circumstances, this may leave you vulnerable to a variety of known public EFI security issues.
What should users do?
The basic advice from Duo is as follows:
- Check if you’re running the latest version of EFI for your system.
- If possible, update to the latest version of the OS, 10.12.6. This will not only give you the latest versions of EFI firmware released by Apple, but also make sure you’re patched against known software security issues.
- If you’re not able to update to version 10.12.6, either because your hardware is not able to run it or because you need to run an older version for software compatibility reasons, you may be out of luck and not be able to run the most up-to-date EFI firmware.
- Check if you’re running a Mac that is on the list of hardware that hasn’t received an EFI update. If it is, you may be out of luck and not able to run up-to-date EFI firmware.
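Because a failed EFI update raises no alert, the first check in the list above has to be made explicitly. The following is an added example, not Duo's tooling or code from the original article: it parses `system_profiler` hardware and software fields collected from a fleet and flags machines whose EFI version is behind the one expected for their model and OS build. The hostnames, the EFI versions and the baseline table are constructed placeholders, and treating the two version fields as hexadecimal is an assumption of this example.

```python
import re

# Constructed inventory: the relevant lines of
# `system_profiler SPHardwareDataType SPSoftwareDataType` from three Macs.
SAMPLE_REPORTS = {
    "host-a": "Model Identifier: MacBookPro13,1\n"
              "Boot ROM Version: MBP131.0205.B25\n"
              "System Version: macOS 10.12.6 (16G29)\n",
    "host-b": "Model Identifier: iMac16,2\n"
              "Boot ROM Version: IM162.0209.B0A\n"
              "System Version: macOS 10.12.6 (16G29)\n",
    "host-c": "Model Identifier: MacPro3,1\n"
              "Boot ROM Version: MP31.006C.B05\n"
              "System Version: OS X 10.11.6 (15G31)\n",
}
# Hypothetical baseline, (model, OS build) -> EFI version that build should
# install. Placeholder values, not Apple's published versions.
EXPECTED_EFI = {
    ("MacBookPro13,1", "16G29"): "MBP131.0205.B25",
    ("iMac16,2", "16G29"): "IM162.0212.B00",
}
EFI_RE = re.compile(r"^([A-Z]+\d+)\.([0-9A-F]{4})\.B([0-9A-F]{2})$")

def parse_report(text):
    """Return (model, os_build, efi_version) from system_profiler text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key] = value.strip()
    build = re.search(r"\((\w+)\)", fields.get("System Version", ""))
    return (fields.get("Model Identifier"),
            build.group(1) if build else None,
            fields.get("Boot ROM Version"))

def efi_key(version):
    """Split 'PREFIX.VVVV.Bxx' into a comparable (prefix, version, revision)."""
    m = EFI_RE.match(version or "")
    return (m.group(1), int(m.group(2), 16), int(m.group(3), 16)) if m else None

def audit(reports, baseline):
    findings = {}
    for host, text in reports.items():
        model, build, efi = parse_report(text)
        have, want = efi_key(efi), efi_key(baseline.get((model, build)))
        if want is None:
            findings[host] = "no-baseline"    # no EFI update known for this model/OS
        elif have is None or have[0] != want[0]:
            findings[host] = "unparseable"    # wrong prefix or malformed version
        elif have[1:] < want[1:]:
            findings[host] = "efi-behind-os"  # OS updated, firmware was not
        else:
            findings[host] = "ok"
    return findings
```
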
You can find more information in the full Duo report and in the manual.