Apple Mac fans told: Something smells EFI in your firmware

Pre-boot software on Macs is often outdated, leaving Apple fans at a greater risk of malware attack as a result, according to new research.

An analysis of 73,000 Apple Macs by Duo Security found that users are unknowingly exposed to sophisticated malware-based attacks because of outdated firmware. On average, 4.2 per cent of real-world 73,324 Macs used in the enterprise environments analysed are running an EFI firmware version that’s different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version.

In one iMAC model (21.5” late 2015) analysed 43 per cent (941 out of 2,190) were running outdated, insecure firmware. Three variants of the late 2016 13” MacBook Pro show rates of deviance between 35 per cent and 25 per cent. Two variants of the early 2011 MacBook Pro showing a deviance from expected EFI firmware versions of 15 per cent and 12 per cent.

Variance from the expected EFI firmware versions is also markedly different across versions of the OS: macOS 10.12 (Sierra) had significantly higher average rate of deviance at 10 per cent. This is followed by OS X 10.11 (El Capitan) with 3.4 per cent and OS X 10.10 (Yosemite) with 2.1 per cent.

Patched apps, obsolete firmware

The research shows that Mac fans might easily be running systems that are fully up to date for OS and applications but years out of date in terms of EFI firmware, leaving their Mac computers vulnerable to publicly disclosed vulnerabilities and exploitation.

A total of 3,400 (4.6 per cent) of the 70K Macs analysed threw up systems supported by Apple that continue to receive software security updates, but have not received EFI firmware updates.

Sixteen combinations of Mac hardware and OSs have never received any EFI firmware updates over the lifetime of the 10.10 to 10.12 versions of OS X/macOS that Duo Security analysed. They do, however, continue to receive security updates from Apple for their OS and bundled software.

Researchers were taken aback by the update gap.

“The size of this discrepancy is somewhat surprising, given that the latest version of EFI firmware should be automatically installed alongside the OS updates,” according to Duo Security. “As such, only under extraordinary circumstances should the running EFI version not correspond to EFI version released with the running OS version.”

Thunderstruck

Security flaws in firmware could expose users to the Thunderstrike vulnerability. Attacks originally developed by the NSA and exposed in the WikiLeaks Vault 7 data dumps also rely on out-of-date firmware.

Duo Security said its research raised questions about the level of QA being afforded to these EFI firmware updates in comparison to the much better job Apple is doing with software security updates.

Further analysis of Apple’s updates also highlighted what seems to be the erroneous inclusion of 43 versions of EFI binaries in the 2017-001 security updates for 10.10 and 10.11 that were older than the versions of EFI binaries that were released in the previous updates 2016-003 (10.11) and 2016-007 (10.10).

This would indicate a regression or a release QA failing where incorrect versions of EFI firmware were shipped in OS security updates.

Duo speculates that something might be interfering with the way bundled EFI firmware updates are getting installed, leading to systems running old EFI versions.

Part of the problem is that there is very little visibility to the state of EFI firmware security for Apple systems. There are no published timelines for how long EFI firmware will be supported for firmware patches, or any lists of which systems are no longer going to receive firmware updates, despite continuing to receive software security updates. Enterprise patch deployment tools may also be an issue, in at least some cases.

But part of the firmware security gap could be the fault of BOFHs rather than Apple. Mac sysadmins too often ignore the importance of EFI firmware updates, or actively remove them due to past issues with their deployment. The process of applying EFI firmware updates used to be a laborious process that required hands-on interaction by IT support staff.

Due to this, many Mac sysadmins over time decided to remove or disable the deployment of EFI firmware updates alongside OS or security updates, deciding to “deal with it” as needed.

This approach is no longer sustainable, according to Duo Security, which advocates that EFI firmware updates should be delivered and applied alongside OS or security updates. ®