As any nagging cybersecurity expert will tell you, keeping your software up to date is the brushing and flossing of digital security. But even the most meticulous practitioners of digital hygiene generally focus on maintaining the updates of their computer’s operating system and applications, not its firmware. That obscure, reptile-brain code controls everything from a PC’s webcam to its trackpad to how it finds the rest of its software as it boots up. Now one new study has found that the most critical elements of millions of Macs’ firmware aren’t getting updates. And that’s not because lazy users have neglected to install them, but because Apple’s firmware updates frequently fail without any notice to the user, or simply because Apple silently stopped offering those computers firmware updates—in some cases even against known hacking techniques.
At today’s Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple’s so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC’s operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple’s neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails.
For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven’t kept pace with their operating system system updates. And for many models, Apple hasn’t released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim’s machine.
“There’s this mantra about keeping your system up to date: Patch,…