Thousands of Macs exposed to EFI boot-up bug

Despite Macs being viewed as the more secure of the two leading computer operating systems, Duo Labs has revealed up to 4.2% of Macs could be vulnerable to a boot up bug caused by outdated software.

The security firm analysed 73,000 "real-world" Macs and all updates to the operating system over the last three years to get an idea of extensible firmware interface (EFI) updates - used to pre-boot Macs - released for the core platform.

It discovered the EFI had not been updated in many of the Macs it tested and although some computers had the most recent security patches and operating systems installed, the pre-boot environment had never been updated, leaving it open to exploit.

However, the researchers said it was unlikely the vulnerability had ever been used, as it simply takes too much effort to exploit compared to other techniques for stealing cash and credentials.

"Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high value targets in their sights," Rich SmithandPepijn Bruienne said in a blog post. "Such adversaries are often spoken about in the same breath asnation state attacksandindustrial espionage."

However, they did say that businesses using Macs that can't have the EFI updated should be taken out of service, or at least moved to secure roles, for example, that don't require the use of network access.

"While EFI attacks are currently considered bothsophisticatedandtargeted, depending on the nature of the work your organization does and the value of the data you work with, it's quite possible that EFI attacks fall within your threat model," they said.

"In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues and you need to determine if you can accept the risk of having vulnerable (and potentially unpatchable) systems in your environment."

Apple said as a result of Duo Labs' work, it would be re-assessing the way it updates machines, according to the BBC.

It's yet another blow to a name that is typically synonymous with security. Last week, US security researcher and former NSA hacker Patrick Wardle discovered a zero-day exploit affecting the Keychain within macOS High Sierra, allowing hackers to access saved passwords without a master key.

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.