Failed updates leave Mac computers at risk from targeted attacks on firmware


Duo Security was able to determine the state of the Mac EFI security because of Apple's move to bundle software and firmware updates, the release stated.

The EFI firmware of a computer is responsible for booting and controlling the functions of hardware devices and systems, helping the machine get from powering up to booting the operating system. Perhaps for that reason Apple has not paid enough attention to its firmware.

In its research, Duo Security looked at the versions of a type of software known as the extensible firmware interface (EFI) on a large population of Apple Mac computers now in use. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. "Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI".

Firmware is software installed into specialized hardware that is not meant to be altered by users.

Further analysis of Apple's updates also highlighted what seems to be the erroneous inclusion of 43 versions of EFI binaries in the 2017-001 security updates for 10.10 and 10.11 that were older than the versions of EFI binaries that were released in the previous updates 2016-003 (10.11) and 2016-007 (10.10).

"Some of them never received a firmware update", Rich Smith, Duo's director of research and development, told The Hill.

Several researchers had developed EFI attacks that some nation states were known to copy, he said.

The study found that 47 models capable of running 10.12, 10.11 and 10.10 did not have an EFI firmware patch addressing the vulnerability Thunderstrike 1, while 31 models capable of the same did not have an EFI firmware patch addressing the remote version of the vulnerability, Thunderstrike 2.

One researcher recently demonstrated how such a vulnerability can be used to compromise a machine and access data stored on it.

Variance from the expected EFI firmware versions is also markedly different across versions of the OS: macOS 10.12 (Sierra) had a significantly higher average rate of deviance at 10 per cent. "The worst possible state for users is to be under the assumption that they are secure after updating their system, when in fact, their actual security posture is very different than what they believe it to be". "Users of the 21.5-inch iMac released in 2015 should be concerned, as 43% of those sampled systems had incorrect firmware".

This approach is no longer sustainable, according to Duo Security, which advocates that EFI firmware updates should be delivered and applied alongside OS or security updates.

While the flaws only affect a comparatively small number of users, they still represent a security issue.

Duo Security hopes that 'The Apple of Your EFI: Findings From an Empirical Study of EFI Security' will encourage all vendors to improve EFI security, given that it is nearly impossible to discover whether such systems have been hacked in the case of a successful attack.

Apple welcomed the research and said it was improving how it updated machines.
