A new study determined that critical elements of the firmware on millions of Macs are not being updated along with the software updates. Unlike many other exploits that have been uncovered, which stem from people simply not updating their systems, here the firmware updates either fail without notice or Apple stopped offering them without people knowing.
A security firm, Duo, did the research that uncovered these vulnerabilities. They found that Macs with up-to-date operating systems often had older EFI code. The EFI code is the firmware that runs before your operating system kicks in, and it has the potential to affect just about everything on your machine. If someone were able to plant malicious code there, it might never be detected. Since the firmware operates outside the main operating system, an antivirus scan wouldn’t detect it, and wiping the computer’s hard drive wouldn’t remove it either.
Their study of around 73,000 machines found that around 4.2% of those tested had the wrong EFI version for their operating system, which suggests that there was a failed update somewhere along the line. In some cases, specific models had higher rates. For the desktop iMac, 43% of the 2015 model had failed EFI updates, and about 25% of some versions of the 2016 MacBook Pro had the wrong EFI version.
Apple did comment on this, stating that a feature in the new version of macOS, High Sierra, checks the computer’s EFI weekly to make sure there are no issues with the firmware.
While Apple was the focus of this study, that does not mean that Windows users are safe. In fact, it may be worse for Windows and Linux users, because PC users have to update their operating system and firmware separately.
However scary this may be, there is some good news. For a hacker to take advantage of these vulnerabilities, it would take a pretty complex hack, which likely isn’t worth the trouble unless they were highly motivated. Duo Labs also noted that they have not spotted anyone trying to make use of this loophole yet. If you are able to update to the latest version of macOS, High Sierra, it will, as previously mentioned, scan your firmware weekly. Duo also has more details on their blog.