Failed updates leave Mac computers at risk from targeted attacks on firmware


Duo Security was able to determine the state of the Mac EFI security because of Apple's move to bundle software and firmware updates, the release stated.

The EFI firmware of a computer is responsible for booting and controlling the functions of hardware devices and systems, helping the machine get from powering up to booting the operating system. Perhaps for that reason Apple has not paid enough attention to its firmware.

In its research, Duo Security looked at the versions of a type of software known as the extensible firmware interface (EFI) on a large population of Apple Mac computers now in use. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. "Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI".

Firmware is software installed into specialized hardware that is not meant to be altered by users.

Further analysis of Apple's updates also highlighted what seems to be the erroneous inclusion of 43 versions of EFI binaries in the 2017-001 security updates for 10.10 and 10.11 that were older than the versions of EFI binaries that were released in the previous updates 2016-003 (10.11) and 2016-007 (10.10).
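The two checks these findings call for, as an added example (not code from Duo Security or Apple): flag hosts whose EFI version differs from the expected one, and flag an update bundle that ships an older EFI binary than an earlier bundle did. It assumes the `MODEL.VERSION.Bbuild` Boot ROM string layout with hexadecimal fields; every host, build, bundle name and version below is constructed.

```python
import re
from typing import NamedTuple

# Assumed Boot ROM layout: <model tag>.<4 hex digits>.B<2 hex digits>
_ROM = re.compile(r"^([A-Z]+\d+)\.([0-9A-F]{4})\.B([0-9A-F]{2})$")

class Rom(NamedTuple):
    tag: str
    version: int
    build: int

def parse_rom(text):
    m = _ROM.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Boot ROM string: {text!r}")
    return Rom(m.group(1), int(m.group(2), 16), int(m.group(3), 16))

def classify(running, expected):
    r, e = parse_rom(running), parse_rom(expected)
    if r.tag != e.tag:
        return "model-mismatch"
    if r[1:] == e[1:]:
        return "ok"
    return "outdated" if r[1:] < e[1:] else "newer-than-baseline"

def audit_fleet(hosts, baseline):
    """Return (host, status) for every host that is not on the expected EFI."""
    findings = []
    for h in hosts:
        expected = baseline.get((h["model"], h["os_build"]))
        status = "no-baseline" if expected is None else classify(h["boot_rom"], expected)
        if status != "ok":
            findings.append((h["host"], status))
    return findings

def find_regressions(releases):
    """releases is in chronological order; report EFI older than one shipped before."""
    newest, regressions = {}, []
    for name, roms in releases:
        for tag, rom in roms.items():
            v, prev = parse_rom(rom), newest.get(tag)
            if prev and v[1:] < prev[1][1:]:
                regressions.append((name, tag, rom, prev[0]))
            else:
                newest[tag] = (name, v)
    return regressions

# Constructed sample data (placeholder builds and bundle names, not real values)
SAMPLE_BASELINE = {("MacBookPro11,4", "os-build-1"): "MBP114.0172.B09"}
SAMPLE_HOSTS = [{"host": "mac-01", "model": "MacBookPro11,4", "os_build": "os-build-1", "boot_rom": "MBP114.0172.B09"}, {"host": "mac-02", "model": "MacBookPro11,4", "os_build": "os-build-1", "boot_rom": "MBP114.0171.B00"}, {"host": "mac-03", "model": "iMac16,2", "os_build": "os-build-1", "boot_rom": "IM162.0206.B00"}]
SAMPLE_RELEASES = [("earlier-update", {"MBP114": "MBP114.0172.B09"}), ("later-update", {"MBP114": "MBP114.0171.B00"})]
```

A host with no baseline entry is reported rather than skipped, so an unlisted model does not pass silently.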

"Some of them never received a firmware update", Rich Smith, Duo's director of research and development, told The Hill.

Several researchers had developed EFI attacks that some nation states were known to copy, he said.

The study found that 47 models capable of running 10.12, 10.11, 10.10 did not have an EFI firmware patch addressing the Thunderstrike 1 vulnerability, while 31 models capable of the same did not have an EFI firmware patch addressing the remote version of the vulnerability, Thunderstrike 2.

One researcher recently demonstrated how such a vulnerability can be used to compromise a machine and access data stored on it.

Variance from the expected EFI firmware versions is also markedly different across versions of the OS: macOS 10.12 (Sierra) had a significantly higher average rate of deviance at 10 per cent. "The worst possible state for users is to be under the assumption that they are secure after updating their system, when in fact, their actual security posture is very different than what they believe it to be". "Users of the 21.5-inch iMac released in 2015 should be concerned, as 43% of those sampled systems had incorrect firmware."

This approach is no longer sustainable, according to Duo Security, which advocates that EFI firmware updates should be delivered and applied alongside OS or security updates.

While the flaws only affect a comparatively small number of users, they still represent a security issue.

Duo Security hopes that 'The Apple of Your EFI: Findings From an Empirical Study of EFI Security' will encourage all vendors to improve EFI security, given that it is nearly impossible to discover whether such systems have been hacked in the case of a successful attack.

Apple welcomed the research and said it was improving how it updated machines.
