
Some Macs running up-to-date versions of their operating system may not be running the latest EFI firmware version, exposing users to firmware attacks, according to a 63-page report published today by security researchers from Duo Labs.

Experts made this discovery after collecting and analyzing telemetry data from over 73,000 real-world Mac systems. Researchers focused on Macs because of Apple's almost full control over its systems' hardware, unlike the world of Windows and Linux, where users are entirely responsible for keeping their firmware up to date.

Results of Duo's research showed that Apple has been doing a poor job at delivering EFI firmware updates after it started packaging OS and EFI firmware updates together back in 2015.

The study's main findings, summarized, are below. Full results are on page 24 of the Duo report.

⯁ Some Mac models received regular EFI updates, others only after certain vulnerabilities came to light, while some Mac models have never received an EFI firmware patch.
⯁ 16 Mac models — listed in a table at the end of this article — have never received a firmware update.
⯁ The 2015 21.5” iMac has the highest occurrence rate of incorrect EFI firmware with 43% of sampled systems running incorrect versions.
⯁ 47 Mac models did not have firmware patches for the Thunderstrike 1 vulnerability.
⯁ 31 Mac models did not have firmware patches for the Thunderstrike 2 vulnerability.
⯁ Two recent OS updates contained the wrong EFI firmware (Security Update 2017-001 for 10.10 and 10.11).
⯁ 4.2% of all the Macs analyzed by Duo ran an EFI firmware version different from the one recommended by Apple.

All in all, the research showed a lack of quality assurance in Apple's EFI firmware update process.

Low chance of encountering malware targeting your firmware

Despite the doom and gloom results, Duo says that the possibility that a user would be targeted by firmware-targeting malware is pretty low.

This is because firmware rootkits are notoriously difficult to write, require advanced low-level coding knowledge, and also need physical access to the target's device.

Such malware is expensive and in most cases, only nation-state cyberspies can afford to develop and use it. For example, the recent WikiLeaks Vault 7 leaks revealed that the CIA has a Mac firmware hacking tool called Sonic Screwdriver.

Finding EFI firmware-targeting code in run-of-the-mill Mac malware is most likely out of the question.

Duo promises app to let users check EFI firmware version

Nonetheless, users expect EFI firmware updates, not only for security patches but also for regular bugfixes. Even setting security aside, Apple should put some effort into delivering firmware updates for those reasons alone.

Duo researchers also promised to release a Mac app that tells users if their system is running the latest recommended EFI firmware based on their system's hardware specs. The app will be published on this GitHub repository. Interested users should keep an eye on it.
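As an added example of the kind of check the article describes (this is not Duo's app or any code from the report), the Python below parses constructed `system_profiler SPHardwareDataType` output, flags the 16 models from the table at the end of this article as never updated, and compares the running Boot ROM version against a hypothetical expected-version table. The Boot ROM version format handled by `efi_version_key` and the values in `EXPECTED_EFI` are assumptions, not Apple's or Duo's data.

```python
import re

# The 16 model identifiers the article's table lists as never having had an EFI update.
NEVER_UPDATED = {
    "iMac7,1", "iMac8,1", "iMac9,1", "iMac10,1", "MacBook5,1", "MacBook5,2",
    "MacBookAir2,1", "MacBookPro3,1", "MacBookPro4,1", "MacBookPro5,1",
    "MacBookPro5,2", "MacBookPro5,3", "MacBookPro5,4", "MacPro3,1",
    "MacPro4,1", "MacPro5,1",
}
# Hypothetical expected-version table; the values are constructed, not Apple's or Duo's data.
EXPECTED_EFI = {"iMac16,1": "IM161.0207.B00", "MacBookPro11,4": "MBP114.0177.B00"}

def parse_hardware_profile(text):
    """Pull Model Identifier and Boot ROM Version out of `system_profiler SPHardwareDataType` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Model Identifier|Boot ROM Version):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields.get("Model Identifier"), fields.get("Boot ROM Version")

def efi_version_key(version):
    """Split e.g. 'IM161.0207.B00' (or the longer 'IM161.88Z.0207.B00.1510221454' form) into
    (family, build, revision). The format is an assumption; unparseable input gives None."""
    m = re.fullmatch(r"([A-Z0-9]+)\.(?:88Z\.)?(\d+)\.B(\d+)(?:\.\d+)?", version)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None

def check_efi(profile_text):
    """Classify a Mac as 'current', 'outdated', 'never-updated' or 'unknown' with a reason."""
    model, running = parse_hardware_profile(profile_text)
    if model is None or running is None:
        return "unknown", "could not read Model Identifier or Boot ROM Version"
    if model in NEVER_UPDATED:
        return "never-updated", f"{model} has never received an EFI firmware update"
    expected = EXPECTED_EFI.get(model)
    if expected is None:
        return "unknown", f"no expected EFI version recorded for {model}"
    have, want = efi_version_key(running), efi_version_key(expected)
    if have is None or want is None or have[0] != want[0]:
        return "unknown", f"cannot compare {running} with {expected}"
    if have[1:] >= want[1:]:
        return "current", f"{running} is at or above the expected {expected}"
    return "outdated", f"{running} is older than the expected {expected}"

# Constructed sample in the shape system_profiler prints: an iMac16,1 on an older ROM.
SAMPLE = ("Hardware:\n  Hardware Overview:\n    Model Name: iMac\n"
          "    Model Identifier: iMac16,1\n    Boot ROM Version: IM161.0105.B20\n")
```

Running `check_efi(SAMPLE)` on the constructed sample reports the machine as outdated; on a real Mac the text would come from `system_profiler SPHardwareDataType`, and the expected-version table would need to be filled from an authoritative source.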

The 16 Mac models that, according to the Duo report, have never received an EFI firmware update:

Mac Model      Version Number
iMac           iMac7,1; iMac8,1; iMac9,1; iMac10,1
MacBook        MacBook5,1; MacBook5,2
MacBook Air    MacBookAir2,1
MacBook Pro    MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
Mac Pro        MacPro3,1; MacPro4,1; MacPro5,1