Duo Security Discovers Apple Mac Computers Unprotected from Malicious Firmware Vulnerabilities

Users with higher security clearance or access to sensitive information are most at risk to highly targeted attacks against their computer's firmware

ID: 1522617

(businesspress24) - ANN ARBOR, MI -- (Marketwired) -- 09/29/17 -- Duo Security, the leading Trusted Access provider and one of the fastest growing cybersecurity companies in the world, today released a report detailing a potential systemic issue that leaves Apple Mac computers susceptible to exceptionally targeted and stealthy attacks. The report shows that Mac users who have updated to the latest operating system (OS) or downloaded the most recent security update may not be as secure as they originally thought.

A Duo Labs analysis of over 73,000 real-world Mac systems gathered from users across industries found that the Extensible Firmware Interface (EFI) in many popular Mac models was not actually receiving the security updates users thought it was. This left users susceptible to previously disclosed vulnerabilities such as Thunderstrike 2 and to the firmware attacks detailed in the recent WikiLeaks Vault 7 data dumps.

EFI firmware is present in computers to boot and control the functions of hardware devices and systems. It can be compared to the starter motor in a car: it takes the system from powering on to booting the operating system.

Attacks on EFI firmware are particularly valuable for sophisticated malicious actors, as they give them a high level of privilege on a user's system. Moreover, such an attack is incredibly difficult to detect and even more challenging to remediate, as even wiping the hard disk completely wouldn't remove this kind of compromise.

Due to the sophistication required to execute the attack, users who work with particularly sensitive information or hold a security clearance are most often targeted with this kind of advanced 'pre-boot' attack code.

Organizations with fleets of Mac computers should review the models outlined in the whitepaper to see whether their model(s) are out of date. From there, it may be time to consider replacing those devices with newer models if such attacks are within your threat model, and be sure to continue installing security updates promptly after release.

"Firmware is an often overlooked yet vital component of a system's security structure," said Rich Smith, Duo Director of Research and Development. "The sophisticated and targeted nature of firmware attacks should be of particular concern to those who have higher security clearance or access to sensitive information at their respective organizations. The worst possible state for users is to be under the assumption that they are secure after updating their system, when in fact, their actual security posture is very different than what they believe it to be."

In 2015, Apple began bundling its software and firmware updates in an effort to ensure users automatically obtained the most current firmware security fixes. This allowed Duo Labs to analyze the state of Apple's EFI security by looking at Mac updates released in the last three years and comparing the actual state of EFI security to the expected state. The findings were staggering:

Users running a version of macOS/OS X that is older than the latest major release (High Sierra) likely have EFI firmware that has not received the latest fixes for known EFI issues. This means these systems can be software secure but firmware vulnerable.

On average, 4.2% of real-world Macs used in the production environments analyzed are running an EFI firmware version that's different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version.

At least 16 models of Mac computers have never received any EFI firmware updates. The 21.5" iMac, released in late 2015, has the highest occurrence of incorrect EFI firmware with 43% of sampled systems running incorrect versions.

47 models capable of running 10.12, 10.11 or 10.10 did not have an EFI firmware patch addressing the Thunderstrike 1 vulnerability, while 31 models capable of running the same releases did not have an EFI firmware patch addressing the remote version of the vulnerability, Thunderstrike 2.

Two recent security updates issued by Apple (Security Update 2017-001 for 10.10 and 10.11) shipped with the wrong firmware. This would indicate a regression or a lag in quality assurance.
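The comparison behind the 4.2% figure, as an added example that is not Duo's EFIgy code: it parses Apple-style Boot ROM version strings and classifies a host against the EFI version its OS update should have installed. The expected-version table, the sample inventory and the ordering rule for revisions are constructed assumptions, not real Apple data.

```python
import re
from typing import NamedTuple

# Boot ROM strings look like "MBP131.88Z.0226.B25.1705032206": model family,
# the fixed "88Z" token, a build number, a revision and an optional timestamp.
# Assumption: (build, revision) orders releases within one model family.
_EFI_RE = re.compile(
    r"^(?P<family>[A-Z]+\d+)\.88Z\.(?P<build>\d{4})\.(?P<rev>[A-Z]\d{2})(?:\.\d{10})?$"
)

class EfiVersion(NamedTuple):
    family: str
    build: int
    rev: str

def parse_efi(version: str) -> EfiVersion:
    m = _EFI_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EFI version string: {version!r}")
    return EfiVersion(m["family"], int(m["build"]), m["rev"])

# Constructed placeholder table, not Apple's data:
# (hardware model, OS version) -> EFI version that OS update should install.
EXPECTED = {
    ("MacBookPro13,1", "10.12.6"): "MBP131.88Z.0226.B25.1705032206",
    ("iMac16,2", "10.12.6"): "IM162.88Z.0207.B14.1705032317",
}

def classify(model: str, os_version: str, reported: str) -> str:
    """Compare the firmware a host reports with what its OS build shipped."""
    expected = EXPECTED.get((model, os_version))
    if expected is None:
        return "unknown-model"
    exp, got = parse_efi(expected), parse_efi(reported)
    if got.family != exp.family:
        return "mismatched-family"      # firmware built for another model
    if (got.build, got.rev) == (exp.build, exp.rev):
        return "current"
    if (got.build, got.rev) < (exp.build, exp.rev):
        return "outdated"               # OS patched, firmware left behind
    return "newer-than-expected"

def summarise(inventory):
    """Tally classifications over [(model, os, reported_efi), ...] and return
    (counts, share of known-model hosts not running the expected firmware)."""
    counts: dict = {}
    for model, os_version, reported in inventory:
        label = classify(model, os_version, reported)
        counts[label] = counts.get(label, 0) + 1
    known = sum(n for k, n in counts.items() if k != "unknown-model")
    return counts, ((known - counts.get("current", 0)) / known if known else 0.0)
```

On a real Mac the reported string is the "Boot ROM Version" line of `system_profiler SPHardwareDataType`; the table would have to be filled from the firmware versions Apple actually ships with each update.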

"As the pre-boot environment becomes increasingly like a full operating system in and of its own, it must also be treated like a full OS in terms of the security support and attention applied to it," added Pepijn Bruienne, Duo Research and Development Engineer. "We are confident Apple is making significant efforts to increase the security of their EFI environment, and look forward to continuing our research to include the newest OS - High Sierra."

"While our findings are striking, Apple should be commended in its efforts to get ahead of firmware security issues and seen as an example for the rest of the industry of how to approach the issues surrounding firmware security," said Smith. "We hope this report will not only help Apple strengthen security, but also get the attention of all manufacturers on the importance of firmware security and giving users more visibility into the security health of all aspects of their computers."

To help Mac users determine whether the EFI firmware on their Mac computer is indeed up to date, Duo is releasing a free open-source tool called "EFIgy." Additional functionality will be added to also assess whether a user's version of EFI is exposed to a known EFI vulnerability. Please visit: to access the tool.

Duo Security is a cloud-based Trusted Access provider protecting thousands of the world's largest and fastest-growing companies and organizations, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Twitter, Yelp, Zillow and more. Duo's innovative and easy-to-use technology can be quickly deployed to protect users, data and applications from breaches, credential theft and account takeover. The Ann Arbor, Michigan-based company also has offices in San Mateo, California; Austin, Texas; and London. Duo is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. Try it for free at .

Duo Security's advanced research arm, Duo Labs, is a team of hackers, researchers and engineers dedicated to protecting the public by identifying and fixing IT vulnerabilities on a broad scale. Duo Labs is an industry-leading source of research on mobile and cloud security, malware analysis, Internet of Things (IoT) and phishing tactics, among other areas. For more information, visit or follow them on Twitter: .

Meredith Corley & Jordan Fylonenko

Duo Security


published by: Marketwired

Date: 09/29/2017 - 12:00
Language: English
Company: Duo Security