Apple update flaws left Mac firmware vulnerable


Mac users who diligently install security updates may be in for a rude surprise, according to research from Duo Labs released Friday.

Duo analyzed nearly 750,000 real-world Mac computers that have installed the most current updates from Apple and found that 4.2 percent of them were not protected from known vulnerabilities in hidden software called firmware.

"Some of them never received a firmware update," Rich Smith, Duo's director of research and development, told The Hill. 

Duo only tested computers with Mac OS 10.10 and higher, which were the computers still given security updates from Apple at the time of the study (Apple ceased support of 10.10 this month).


Firmware is software installed into specialized hardware that is not intended to be altered by users.

The firmware Apple has struggled to patch, the Unified Extensible Firmware Interface, helps a computer identify hardware as it loads its operating system.

Apple updates the firmware in the same updates that patch its operating systems. 

But firmware can be a little harder to patch than software. The patches are heavily dependent on hardware configurations. It is harder to identify mistakes and things overlooked in the patching process. 

"We're confident the same kind of problems, only worse, exist in Windows," Smith said.

"We picked Apple because it would have fewer problems and would have been easier to catalog."

Since Apple controls all the hardware configurations that ship in Mac computers, there are fewer configurations to worry about than the disparate hodgepodge of hardware used across brands of Windows computers.   

Firmware security vulnerabilities are a serious risk. Hackers and malware that exploit them are far more difficult to detect than those attacking operating systems. Several critical flaws have been identified in Mac firmware.

In a now-deleted tweet, Mac engineer Xeno Kovah wrote of the Duo report: "They were nice enough to share their report with us beforehand. I agree with their conclusions, that we've got things we can do better."