Not All Macs Get Firmware Security Fixes, Researchers Find

An investigation by researchers from Duo Security revealed that Apple does not consistently release security patches for known vulnerabilities in the low-level firmware code of its Mac computers. When it does, the patches can fail on some models.

That said, the company is one of the very few computer manufacturers that fixes security issues in the EFI (Extensible Firmware Interface) of its systems, and does so automatically without manual intervention from users. This already puts it ahead of most PC manufacturers, even though there are things the company could improve in its firmware update process going forward.

Duo Security researchers Rich Smith and Pepijn Bruienne analyzed all the updates for OS X Yosemite (10.10), OS X El Capitan (10.11) and macOS Sierra (10.12) that also contained patches for flaws in the underlying firmware. Apple has been bundling EFI patches with OS updates, instead of delivering them as separate packages, since late 2015.

But while EFI vulnerabilities are listed as fixed in the security advisories accompanying OS updates, the EFI patches themselves are only installed on certain models, the Duo researchers found. Their research paper, released Sept. 29, revealed that 16 models of Macs did not get a single EFI patch over the lifetime of OS X/macOS 10.10, 10.11 and 10.12, even though their firmware was vulnerable to some of the same flaws that were patched in other models.

Thunderstrike, an attack revealed in late 2014 that allows injecting malicious code into the firmware of Mac computers by connecting a malicious Thunderbolt-to-Ethernet adapter to them, was not fixed for 47 Mac models, the research showed, and another 31 models did not get a patch for Thunderstrike 2, an improved version of the attack presented a year later that no longer required a physical Thunderbolt device to inject code into the EFI.

After building a full list of models that did get EFI patches together with OS updates, the Duo researchers scanned more than 73,000 Macs running in production, on the networks of companies from various industries. This effort revealed that over 4 percent of Macs were not running the firmware versions they should have been running based on their OS version. This means that Apple made firmware patches available to those computers but, for some unknown reason the patches failed to be applied during the OS update.

While the EFI-to-OS version deviation was around 4 percent on average, the discrepancy was much higher for certain models—between 12 percent and 35 percent for some MacBook Pro variants and 43 percent for one particular iMac model.

“Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware,” the Duo researchers said in a blog post. “This means that users and admins are often blind to the fact that their system’s EFI may continue to be vulnerable.”

Systems administrators from companies with Mac fleets should take into account that even though Apple continues to release security patches for older OS versions, those updates often don’t include the latest firmware patches. The only way to ensure that systems get the latest EFI patches is to upgrade them to the latest major version of macOS.

Even then, some models might not have all the EFI fixes available from Apple, since it seems the company does not release EFI updates consistently for all Macs. Some models don’t get any EFI fixes at all, while others might get them months after the vulnerabilities have become publicly known and have been patched in other models.

Finally, even when an EFI patch is available for a particular Mac model, its installation might fail with no obvious warning to the user, resulting in systems that have the latest version of the OS but older and vulnerable firmware.

Despite these shortcomings, the Duo researchers agreed that Apple does a better job at firmware security than most PC vendors. That’s because the company is in a unique position where it controls the full stack—hardware, firmware and software (the OS)—of its devices. Due to the EFI fragmentation in the PC ecosystem, there is no guarantee that all affected motherboards will receive a firmware patch for known flaw. PC users often have to go hunting for EFI updates on PC hardware manufacturers’ websites, download the update packages and apply them manually.

“We appreciate Duo’s work on this industrywide issue and noting Apple’s leading approach to this challenge,” an Apple spokesperson said. “Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.”

MacOS High Sierra includes a tool called eficheck that runs weekly and checks the computer’s firmware for unauthorized code. If it detects a compromise, it prompts the user to send a report back to the company.

Injecting malicious code into the EFI is probably the most powerful type of malware attack against a computer. Because it runs at a lower layer, EFI malware can evade most security tools and gives attackers complete control over the operating system or even virtualization hypervisors. Such code is stealthy, highly persistent and very hard to remove with OS-level tools—cleaning EFI infections typically require reflashing the chip with specialized equipment.

Administrators should consider “‘end of life’-ing Macs that cannot have updated EFI firmware applied, or moving them into roles where they are not exposed to EFI attacks (physically secure, controlled network access),” the Duo researchers said. “While EFI attacks are currently considered both sophisticated and targeted, depending on the nature of the work your organization does and the value of the data you work with, it’s quite possible that EFI attacks fall within your threat model.”

EFI attacks require considerable knowledge and resources to develop and are almost certainly targeted in nature to limit their discovery. On top of that, to inject malware into the EFI, attackers must already have remote privileged access to a system or the ability to access that machine physically.

So, if you’re an executive officer for a large company or a government employee traveling to a foreign country with sensitive documents on your MacBook, it’s probably best to keep your computer with you at all times and not plug in adapters or USB sticks received from other people into it.

Netgear Fixes Security Flaws in ReadyNAS Boxes and Other Devices

Over the past week, networking equipment manufacturer Netgear has fixed vulnerabilities in many devices, from ReadyNAS systems and routers to wireless access points and managed switches. Some of the affected devices are used by businesses.

The company has published some 50 advisories on its security website last week covering flaws such as denial-of-service, cross-site scripting, privilege escalation and remote code execution. Some of the vulnerabilities are rated high in terms of severity.

For example, the company has fixed security misconfigurations, cross-site scripting and command injection flaws in a large number of models from its ReadyNAS line of network-attached storage solutions. One command injection flaw is located in the ReadyNAS Surveillance Application, an add-on that allows device owners to control and record video from multiple surveillance cameras.

Two command injection flaws were fixed in wireless access points while a number of routers, including high-end ones, received fixes for remote code execution vulnerabilities, command injection bugs, security misconfigurations, admin credential disclosures, stack overflows and arbitrary read issues. Fully managed switches received patches for XSS (both stored and reflected), denial-of-service, privilege escalation and other security flaws.

Embedded networking devices have been an attractive target for hackers over the past few years. There have been widespread attacks exploiting known vulnerabilities in order to hijack routers’ DNS settings and attacks that deployed malware for launching distributed denial-of-service attacks or to mine cryptocurrency. Compromised embedded devices can also give attackers a foothold into networks from where they can launch further attacks against internal systems.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin