Apple users have long believed that their products are the most secure on the market. Time and again, however, security researchers bust this myth: nothing is actually hack-proof. Security researchers have warned that marketing a product as more secure than others (iOS vs Android or macOS vs Windows) only puts the end user at risk, because users start to believe their devices are foolproof and stop thinking about their system security. While several studies this year alone have shown that Apple products are currently at the greatest risk, since exploits for them fetch higher prices than others, the latest report looks at Apple's own shortcomings in delivering critical security updates.
A significant number of Macs remain vulnerable to known security flaws even after receiving and installing latest security updates. The research published earlier today revealed that there is a discrepancy between the frequency and thoroughness of Apple's macOS and app security updates, and updates for the underlying firmware (EFI).
Apple's Mac updates: "Software secure but firmware vulnerable"
In simple words, the researchers found that a number of Macs remain vulnerable to known security flaws even after installing the latest updates from the Cupertino tech giant, because they are running outdated EFI (the successor to BIOS, a pre-boot environment). Any malware that successfully installs itself in this layer becomes effectively invisible to the operating system and may be impossible to remove at all.
The security team at Duo Security analyzed all Mac updates released over the last three years (version 10.10.0 - 10.12.6) to map the OS build and Mac model to the expected version of EFI. Analyzing over 73,000 Macs showed the team that over 4.2% of them ran the EFI versions that were different from what was expected from their hardware model and OS version.
Some of these remained vulnerable to the original Thunderstrike attack, which was detected and fixed over three years ago! Of all the 21.5-inch iMacs released in late 2015, at least 43% were running the wrong version. "941 out of 2190 real world systems were running incorrect versions of EFI firmware," the team revealed.
"There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running. This creates the situation where admins and users have installed the latest OS or security update, but for some reason, the EFI was not updated. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. This means that users and admins are often blind to the fact that their system’s EFI may continue to be vulnerable."
The problem is critical because attacks against BIOS or EFI are the most difficult to fix: they give criminals complete control of the machine, offering both stealth and persistence. Because the firmware runs beneath the operating system, such an implant also goes undetected by the operating system's own scanning mechanisms and by AV products, since it can bypass higher-level security controls. These attacks can even survive a complete hard drive wipe or clean install, making EFI attacks especially lucrative for attackers.
Apple, in its response to this latest report, said that this is an industry-wide issue. "Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure," the company added.
"In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly." The researchers said that the new macOS High Sierra does introduce a new feature called eficheck, but that it simply checks whether the EFI version is an official one from Apple rather than something issued by someone else. It did not appear to check whether that official version was actually up to date.
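The two checks distinguished above, matching a Mac's model and OS build to its expected EFI version (Duo's approach) versus merely recognising a version as official, can be reproduced in a small fleet audit. The following is an added example written for this article, not Duo's EFIgy or Apple's eficheck; the expected-version table, the hostnames, the version strings and the assumed layout of Apple's EFI version string are constructed placeholders for illustration.

```python
import re
from collections import Counter

# Hypothetical expected-EFI table keyed by (Mac model identifier, macOS build), mirroring
# Duo's mapping. Identifiers and version strings are CONSTRUCTED placeholders, not real releases.
EXPECTED_EFI = {
    ("iMac16,2", "16G29"): "IM162.88Z.0207.B04.1706010000",
    ("MacBookPro11,1", "16G29"): "MBP111.88Z.0142.B03.1705150000",
}
# Assumed version layout: <board>.88Z.<major>.B<minor>.<YYMMDDHHMM build stamp>
_EFI_RE = re.compile(r"^(?P<board>[A-Z0-9]+)\.88Z\.(?P<major>[0-9A-F]{4})\.B(?P<minor>[0-9A-F]{2})\.(?P<stamp>\d{10})$")

def parse_efi(version):
    """Split an EFI version string into (board, orderable (major, minor, stamp))."""
    m = _EFI_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised EFI version string: {version!r}")
    return m["board"], (int(m["major"], 16), int(m["minor"], 16), int(m["stamp"]))

def classify(model, os_build, observed):
    """Compare one Mac's observed EFI with the version expected for its model and OS build."""
    expected = EXPECTED_EFI.get((model, os_build))
    if expected is None:
        return "unknown"  # no reference for this model/build; cannot judge
    if observed == expected:
        return "expected"
    exp_board, exp_rank = parse_efi(expected)
    obs_board, obs_rank = parse_efi(observed)
    if obs_board != exp_board:
        return "unexpected"  # firmware built for a different board: investigate
    return "outdated" if obs_rank < exp_rank else "unexpected"

def audit(inventory):
    """inventory: (hostname, model, os_build, efi_version) tuples -> (per-host status, summary)."""
    results = {host: classify(m, b, v) for host, m, b, v in inventory}
    counts = Counter(results.values())
    judged = sum(n for status, n in counts.items() if status != "unknown")
    discrepant = counts["outdated"] + counts["unexpected"]
    pct = round(100 * discrepant / judged, 1) if judged else 0.0
    return results, {"counts": dict(counts), "discrepancy_pct": pct}

# Constructed sample inventory; in practice gathered per Mac from
# `system_profiler SPHardwareDataType` (model identifier and Boot ROM version).
SAMPLE = [
    ("imac-01", "iMac16,2", "16G29", "IM162.88Z.0207.B04.1706010000"),
    ("imac-02", "iMac16,2", "16G29", "IM162.88Z.0205.B08.1612010000"),  # OS patched, EFI stale
    ("mbp-01", "MacBookPro11,1", "16G29", "MBP111.88Z.0142.B03.1705150000"),
    ("mbp-02", "MacBookPro11,1", "16G29", "MBP112.88Z.0142.B03.1705150000"),  # other board
    ("mini-01", "Macmini7,1", "16G29", "MM71.88Z.0220.B07.1607000000"),  # not in table
]
```

Every version string in the sample would pass an "is this official-looking Apple firmware" check, yet the audit flags two of the four judged hosts, which is exactly the gap between eficheck's validation and Duo's expected-version comparison.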
As Apple notes, the problem is industry-wide: both Windows and Linux systems are potentially vulnerable to this flaw too. However, the research team wrote that "Apple is in a somewhat unique position of controlling the full stack from hardware, through firmware, OS, and all the way up to application software and can be considered widely deployed." Other ecosystems are "fragmented and complex in terms of vendor responsibility for the security of the various components, making it more difficult to study and derive conclusive results," the researchers added.
Duo Security has released a free tool, EFIgy, to help users check whether their Mac is running an EFI version that carries a known vulnerability. You can also get technical details of the issue in this whitepaper [PDF].