Study Finds Significant Number of Macs Running Out-of-Date Firmware Susceptible to Critical Exploits

by

A new research paper from Duo Security, shared by Ars Technica, reveals that a significant number of Macs are running out-of-date EFI versions, leaving them susceptible to critical pre-boot firmware exploits.

macos high sierra trio
The security firm analyzed 73,324 Macs used in production environments and found that, on average, 4.2 percent of the systems were running the incorrect EFI version relative to the model and version of macOS or OS X installed.

The percentage of incorrect EFI versions varies greatly depending on the model. The late 2015 21.5" iMac had the highest occurrence of incorrect EFI firmware, with 43 percent of systems running incorrect versions.

EFI, which stands for Extensible Firmware Interface, bridges a Mac's hardware, firmware, and operating system together to enable it to go from power-on to booting macOS. EFI operates at a lower level than both the operating system and hypervisors, providing attackers with a greater level of control.

Successful attack of a system's UEFI implementation provides an attacker with powerful capabilities in terms of stealth, persistence, and direct access to hardware, all in an OS and VMM independent manner.

Duo Security found that 47 models capable of running OS X Yosemite, OS X El Capitan, or macOS Sierra, for example, did not have an EFI security patch for the Thunderstrike exploit publicly disclosed nearly three years ago.

The research paper noted that there seems to be something interfering with the way bundled EFI updates are installed alongside macOS, while some Macs never received EFI updates whatsoever, but it doesn't know exactly why.

There seems to be something interfering with the way bundled EFI firmware updates are getting installed, leading to systems running old EFI versions. We are not able to give an exact reason why, but there are significant discrepancies between the firmware version that is actually running on real world production systems and the version that is expected to be running, given the OS build. This means that even if your Mac is still receiving security patch support, there is a non-trivial chance that your system is not running the latest version, even though you thought it was installed.

While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

In response to the research paper, Apple said it appreciates the research on the industry-wide issue and noted that macOS High Sierra automatically validates a Mac's EFI on a weekly basis to ensure it hasn't been tampered with.

We appreciate Duo's work on this industry-wide issue and noting Apple’s leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.

In a related blog post, Duo Security said users should check if they are running the latest version of EFI on their Macs, and it has released a tool to help do so. It also recommends updating to the latest version of macOS High Sierra.

Tags: Apple Security, EFI, Security

Popular Stories

AirPods Pro 3 Mock Feature

AirPods Pro 3 Just Months Away – Here's What We Know

Friday April 18, 2025 5:16 am PDT by
Despite being more than two years old, Apple's AirPods Pro 2 still dominate the premium wireless‑earbud space, thanks to a potent mix of top‑tier audio, class‑leading noise cancellation, and Apple's habit of delivering major new features through software updates. With AirPods Pro 3 widely expected to arrive in 2025, prospective buyers now face a familiar dilemma: snap up the proven...
Read Full Article96 comments
iphone 16 pro models 1

17 Reasons to Wait for the iPhone 17

Thursday April 17, 2025 4:12 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we often get rumored features months ahead of launch. The iPhone 17 series is no different, and we already have a good idea of what to expect from Apple's 2025 smartphone lineup. If you skipped the iPhone...
Read Full Article104 comments
Beyond iPhone 13 Better Triad

Apple's 20th Anniversary iPhone May Finally Go All Screen

Tuesday April 15, 2025 6:31 am PDT by
Apple is preparing a "bold" new iPhone Pro model for the iPhone's 20th anniversary in 2027, according to Bloomberg's Mark Gurman. As part of what's being described as a "major shake-up," Apple is said to be developing a design that makes more extensive use of glass – and this could point directly to the display itself. Here's the case for Apple releasing a truly all-screen iPhone with no...
Read Full Article88 comments
maxresdefault

iPhone 17 Pro Launching Later This Year With These 12 New Features

Sunday April 13, 2025 7:52 am PDT by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. Subscribe to the MacRumors YouTube channel for more videos. Below, we recap key changes rumored for the iPhone 17 Pro models as of April 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and ...
Read Full Article143 comments
CarPlay Hero

Apple Releases Wireless CarPlay Fix

Wednesday April 16, 2025 11:28 am PDT by
If you have been experiencing issues with wireless CarPlay in your vehicle lately, it was likely due to a software bug that has now been fixed. Apple released iOS 18.4.1 today, and the update's release notes say it "addresses a rare issue that prevents wireless CarPlay connection in certain vehicles." If wireless CarPlay was acting up for you, updating your iPhone to iOS 18.4.1 should...
Read Full Article86 comments
top stories 2025 04 19

Top Stories: iPhone 17 Pro Rumors, CarPlay Bug Fix, and More

Saturday April 19, 2025 6:00 am PDT by
This week saw rumor updates on the iPhone 17 Pro and next-generation Vision Pro, while a minor iOS 18.4.1 update delivered not just security fixes but also a fix for some CarPlay issues. We also looked ahead at what else is in Apple's pipeline for the rest of 2025 and even the 20th-anniversary iPhone coming in 2027, so read on below for all the details on these stories and more! iPhone 17 ...
Read Full Article36 comments
iOS 18

iOS 18.5 Includes Only a Few Changes So Far

Monday April 21, 2025 11:00 am PDT by
Apple seeded the third beta of iOS 18.5 to developers today, and so far the software update includes only a few minor changes. The changes are in the Mail and Settings apps. In the Mail app, you can now easily turn off contact photos directly within the app, by tapping on the circle with three dots in the top-right corner. In the Settings app, AppleCare+ coverage information is more...
Read Full Article87 comments

Top Rated Comments

rpmurray Avatar
rpmurray
99 months ago
In response to the research paper, Apple said it appreciates the research on the industry-wide issue and noted that ONLY macOS High Sierra automatically validates a Mac's EFI ('https://www.macrumors.com/2017/09/25/macos-high-sierra-weekly-efi-security-check/') on a weekly basis to ensure it hasn't been tampered with. Anyone running Macs with an earlier OS (like Sierra or the ancient El Capitan) or a Mac that can't be updated to run High Sierra are SOL.
Score: 10 Votes (Like | Disagree)
840quadra Avatar
840quadra
99 months ago
4.2% huh, I imagine most of those are in fact Hackintoshes, which are modified EFI to begin with.... I wonder what percent it would be if those were excluded?
I am not sure how many Hackintoshes are in production environments though. It appears that they did this study directly, not using web metrics.

I am sure there are some hackintosh computers being used commercially, though I would expect they would be excluded from such a study. Nevermind completely illegal, exposing those companies to potentially serious lawsuits.
Score: 8 Votes (Like | Disagree)
chrfr Avatar
chrfr
99 months ago
4.2% huh, I imagine most of those are in fact Hackintoshes, which are modified EFI to begin with.... I wonder what percent it would be if those were excluded?
If you read through the paper, you'll see that these are not Hackintoshes. The guys who wrote this paper are well aware of the details.
[doublepost=1506697970][/doublepost]
This is an old research. I just found out that even when you have the most up to date firmware you still doomed. :D
No, this isn't old.
Score: 8 Votes (Like | Disagree)
jayducharme Avatar
jayducharme
99 months ago
Buy a Mac they said...

Macs can’t get viruses they said...
Well, technically they still can't, not in the way PCs do. But they're still a computer susceptible to hacking.

This discovery gives yet another good reason for always updating your Mac to the latest OS (if your hardware supports it, obviously). Sometimes Apple patches problems before we even know they exist.
Score: 8 Votes (Like | Disagree)
triptolemus Avatar
triptolemus
99 months ago
Can someone explain to me why it's a good idea to download a tool that interacts with the EFI firmware from a third party off of something called Github?
Score: 8 Votes (Like | Disagree)
sos47 Avatar
sos47
99 months ago
it hurts me. update to High Sierra not possible. iMac 2011
Score: 6 Votes (Like | Disagree)
Read All Comments