Report: Unpatched firmware vulnerabilities persist


Security researchers have released a report showing that a small but persistent share of surveyed Macs still run outdated EFI firmware. EFI is the firmware that runs before the operating system and controls the boot sequence; because it sits below the OS, a vulnerability there gives an attacker an opportunity to bypass software security measures and to persist across OS updates and reinstalls.

Ars Technica:

An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. Forty-seven Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version.

Exploiting these flaws is not easy. The original Thunderstrike required physical access to the machine's Thunderbolt port, and although Thunderstrike 2 showed that physical access is not always necessary, firmware implants take real expertise to build, so opportunistic attacks are unlikely. The realistic threat is to users singled out by a sophisticated, well-resourced attacker. Even so, since an OS update that claims to carry an EFI update may not actually apply it, it is worth confirming that a Mac's Boot ROM version matches what Apple prescribes for its model and macOS release.
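The mismatch the report counts (a Boot ROM version that differs from the one prescribed for the hardware model and OS version) can be checked on a single machine with a short script. The following is an added example, not code from Duo's report or its tooling: it parses the output of `system_profiler SPHardwareDataType`, looks the model and macOS version up in a table of expected Boot ROM strings, and prints OK, MISMATCH or UNKNOWN. The expected-version table, the sample profile text and the version strings in it are constructed placeholders; a real deployment would fill the table from Apple's EFI update history for the models it manages.

```shell
#!/bin/sh
# Added example: compare a Mac's reported Boot ROM (EFI) version against the
# version expected for its model and macOS release. Not from the Duo report.

# Constructed sample of `system_profiler SPHardwareDataType` output, used when
# the command is unavailable (e.g. when this is run on a non-Mac). The model
# and Boot ROM strings are placeholders, not real release values.
SAMPLE_PROFILE=$(cat <<'EOF'
Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac16,2
      Processor Name: Intel Core i5
      Boot ROM Version: IM162.0105.B00
      SMC Version (system): 2.31f21
EOF
)

# parse_model PROFILE_TEXT -> the "Model Identifier" value, or empty.
parse_model() {
  printf '%s\n' "$1" | sed -n 's/^ *Model Identifier: *//p' | head -n 1
}

# parse_bootrom PROFILE_TEXT -> the "Boot ROM Version" value, or empty.
parse_bootrom() {
  printf '%s\n' "$1" | sed -n 's/^ *Boot ROM Version: *//p' | head -n 1
}

# expected_efi MODEL OS_VERSION -> prescribed Boot ROM string, or empty if the
# pair is not in the table. Entries below are constructed placeholders; fill
# this from the EFI versions Apple shipped for each model/OS combination.
expected_efi() {
  case "$1:$2" in
    iMac16,2:10.12.6)       echo "IM162.0108.B00" ;;  # placeholder
    MacBookPro11,4:10.12.6) echo "MBP114.0184.B00" ;; # placeholder
  esac
}

# check_efi PROFILE_TEXT OS_VERSION -> prints OK, MISMATCH or UNKNOWN on stdout
# (details on stderr) and returns 0, 1 or 2 respectively.
check_efi() {
  profile=$1
  os=$2
  model=$(parse_model "$profile")
  rom=$(parse_bootrom "$profile")
  if [ -z "$model" ] || [ -z "$rom" ]; then
    echo "could not parse Model Identifier / Boot ROM Version" >&2
    echo UNKNOWN
    return 2
  fi
  want=$(expected_efi "$model" "$os")
  if [ -z "$want" ]; then
    echo "no expected Boot ROM recorded for $model on macOS $os" >&2
    echo UNKNOWN
    return 2
  fi
  if [ "$rom" = "$want" ]; then
    echo OK
    return 0
  fi
  echo "$model on macOS $os reports Boot ROM $rom, expected $want" >&2
  echo MISMATCH
  return 1
}

# Run against the live machine when system_profiler exists (macOS), otherwise
# against the constructed sample. Only the verdict word is printed here; scripts
# that source this file can use check_efi's return code directly.
if command -v system_profiler >/dev/null 2>&1; then
  check_efi "$(system_profiler SPHardwareDataType)" "$(sw_vers -productVersion)" || :
else
  check_efi "$SAMPLE_PROFILE" 10.12.6 || :
fi
```

On the constructed sample the script reports MISMATCH, which is exactly the condition the report tallies: the machine is on the macOS release that should have carried the EFI update, but the firmware on the board never changed. An UNKNOWN result means the table has no entry for that model and release, not that the firmware is fine.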