High Sierra and EFI Verification arstechnica.com

Dan Goodin, Ars Technica:

An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. Forty-seven Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version.

EFI vulnerabilities are rarely a problem for typical users; they’re more likely to be used for high-value breaches. Still, any security vulnerability is concerning, and the same Mac models are used by high-value targets and college students alike, so it’s important that these holes get patched.

Apple’s statement:

We appreciate Duo’s work on this industry-wide issue and noting Apple’s leading approach to this challenge. Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.

More information on the firmware validation built into High Sierra from the Eclectic Light Co:

The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac’s firmware against Apple’s database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple, with the following dialog.

If you are running a real Mac, rather than a ‘Hackintosh’, Kovah asks that you agree to send the report. This will allow eficheck to send the binary data from the EFI firmware, preserving your privacy by excluding data which is stored in NVRAM. Apple will then be able to analyse the data to determine whether it has been altered by malware or anything else.

But, per Goodin, this won’t necessarily prevent the kinds of problems described in Duo’s report:

The new macOS version introduces a feature called eficheck, but Duo Security researchers said they have found no evidence it warns users when they’re running out-of-date EFI versions, as long as they’re official ones from Apple. Instead, eficheck appears only to check if EFI firmware was issued by someone other than Apple.

Moreover, eficheck depends on the user running High Sierra, though it appears that it made an appearance in Sierra 10.12.4. As Rich Smith and Pepijn Bruienne of Duo point out, older versions of MacOS are receiving security updates, but not necessarily firmware updates:

  • The security support provided for EFI firmware depends on the hardware model of Mac. Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI.

  • The security support provided for EFI firmware also depends on the version of the OS a system is running. A Mac model running OS X 10.11 can receive distinctly different updates to its EFI than the same Mac model running macOS 10.12. This creates the confusing situation where a system is fully patched and up to date with respect to its software, but is not fully patched with respect to its EFI firmware — we called this software secure but firmware vulnerable.

Again, it’s unlikely that you are at risk here. You’re probably not interesting enough to the kinds of entities that exploit firmware vulnerabilities. I hope that this research motivates Apple to ensure patches are rolled out more consistently across the board, and it would be awesome if eficheck could validate firmware more thoroughly in a future version of MacOS.