Apple's Firmware Updates Were Borked, Security Firm Says

Photo: Getty

Apple touts its closed ecosystem as a security advantage. Because it tightly controls its hardware and software, Apple can push security updates much more quickly than an open system like Android. But researchers at Duo Security say that Apple’s security update system hasn’t been working exactly as intended, with thousands of Macs not getting proper firmware updates.


Firmware sits below a Mac’s operating system and runs as the computer is booting up. Security vulnerabilities in firmware are difficult to detect and fix, so it’s often a target for sophisticated attacks—Wikileaks’ Vault 7 dump, for example, showed that the CIA had developed a firmware exploit for Macs.

Apple has worked to improve firmware updates in High Sierra, its latest operating system. In High Sierra, users will get weekly checks to make sure their firmware is up to date and will be invited to send a report to Apple if the check fails.

Duo analyzed more than 73,000 Mac systems to come up with its findings. Of the machines surveyed by Duo, about 4.2 percent weren’t running the correct version of the firmware, the researchers claim.

“Our research has shown there are considerable discrepancies in how Apple provides security support to its EFI firmware as compared to how they support the security of the OS and software,” Duo researchers wrote in their findings.

Duo also noted that there are likely firmware issues on computers manufactured by other companies, but Apple’s update system makes it easier to track and identify them. “We appreciate Duo’s work on this industry-wide issue and noting Apple’s leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly,” an Apple spokesperson told Gizmodo.

However, this isn’t cause to hurl your MacBook into the ocean. If you’re a home user, you’re probably not at risk, according to the folks at Duo. Firmware exploits aren’t easy to pull off and everyday users aren’t likely targets.


“If you’re a home user with a Mac that falls into one of the above categories as their personal computing device, then the sky isn’t falling for you, in our opinion. Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high value targets in their sights,” Duo said. “Most everyday home users fall well outside of this attack model, and thankfully, as far as we are aware, there are not any EFI exploits that are being used as part of commodity exploit kits, malware, or ransomware that has been detected in the wild.”

However, enterprise users should be a bit more concerned. Duo recommends that businesses phase out old Macs that cannot get the latest firmware update or isolate those machines from sensitive networks. And of course, all users should make sure they update to the latest OS so they get the most recent security updates.


[Duo Security]

Updated at 7:45 p.m. to include comment from Apple.


Kate Conger is a senior reporter at Gizmodo.



I’m always amused when people use the term borked.

verb (used with object)

to attack (a candidate or public figure) systematically, especially in the media.

Origin of bork

1988, Americanism; after Judge Robert H. Bork, whose appointment to the Supreme Court was blocked in 1987 after an extensive media campaign by his opponents

(I use it too, but I’m still amused)