Apple has failed to push out to consumers necessary firmware updates to that patch vulnerabilities discovered in the company’s popular line of Mac computers, according to research published Friday.
The shortcomings in Apple’s security efforts were highlighted by researchers at secure authentication company Duo Security after the company analyzed the essential, built-in software found in every device.
Duo surveyed more than 73,000 Mac used in the real world and found that 4.2 percent of the machines were not running the most up-to-date version of firmware available, leaving them at risk to attack.
For some machines, the rate was much higher. More than two-in-five (43 percent) of the 21.5-inch iMac, released in 2015, were discovered to be running out of date firmware—a troubling number for a machine that isn’t even two years old.
Firmware is software that is embedded in a piece of hardware and used to verify all of the essential, physical parts of a machine—such as the hard drive and processors—are present and functioning. The check is performed during the boot process before the operating system is started.
Because of the vital function of firmware, and because it performs its operation before the rest of the machine—including any antivirus software—boots up, attacks against the built-in software for hardware can be difficult to spot.
In order to prevent against malicious code compromising the firmware, security patches have to be issued. Firmware updates are typically more of a pain for companies to produce and are less commonplace than a standard operating system update.
In order to combat those challenges, Apple has taken to pushing out firmware updates in tandem with operating system updates in order to keep the built-in software as secure as possible—an effort that apparently fell short, in part because users often avoid software updates, which in turn means they are skipping the necessary firmware updates bundled with them.
For Macs that are running on older or out-of-date firmware, it is possible for threat actors to carry out a number of attacks that could take advantage of unpatched vulnerabilities solved by later versions of the firmware.
One of the attacks that specifically makes use of out-of-date firmware is the Thunderstrike attack, which allows a malicious actor to take control of the machine by inserting an ethernet adapter into a Mac’s Thunderbolt port to deliver a malicious payload. It’s worth noting such an attack is a proof of concept and has not been discovered in the wild and would require physical access to a machine to carry out.
Duo informed Apple of the vulnerability in its firmware that makes such an attack possible. The company reportedly acknowledged the issue and said it is working to fix it.
”Apple continues to work diligently in the area of firmware security, and we’re always exploring ways to make our systems even more secure,“ Apple said in a statement. ”In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.”