We all know the mantra to constantly upgrade your software to guard against security holes and hackers. What is less known - and apparently not as enforced - is updating the firmware for your computers as well. Unfortunately, that may lead to even bigger holes and vulnerabilities, particularly in older Macs, according to a new report.
Duo Security studied more than 73,000 Macs covering macOS 10.10.0 through macOS 10.12.6 and found that 4.2% of Macs did not have the proper firmware installed. What's worse is that attempts to update the firmware either failed or caused errors that went unnoticed. According to the report, of the older Macs studied, 16 different versions over five models showed no firmware updates at all.
Firmware provides a bigger security risk than software, but isn't as much in the spotlight as it should be, Rich Smith, director of research and development at Duo Labs, told CNET. "Firmware is halfway between hardware and software," he said. "It's a silicon chip that can receive aftermarket updates to it." He added that it is at "the dark end of the system that people are less familiar with."
Apple responded to CNET questions about the report, saying the company "continues to work diligently in the area of firmware security, and we're always exploring ways to make our systems even more secure." In fact, the newest macOS 10.13 (aka High Sierra) will run weekly firmware checks.
What is even scarier for Windows users is that the Windows OS may have even bigger problems, Smith said. Given the numerous different manufacturers and products available for Windows makes updating machines "far more fragmented and complex." Compatibility issues between components make it difficult to determine what firmware the computer should have.
That said, Duo Security's software branch has released a new Mac client app that will check your Mac to make sure that its firmware is up to date. Duos Security's report listed these five Mac models (16 versions) as ones that had not been updated at all:
- iMac: iMac7,1; iMac8,1; iMac9,1; iMac10,1
- MacBook: MacBook5,1; MacBook5,2
- MacbookAir: MacBookAir2,1
- MacBookPro: MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
- MacPro: MacPro3,1; MacPro4,1; MacPro5,1
If you have one, you should start searching for the appropriate updates immediately.
The Duo Security blog post only touched on the basics of the report. If you are a Mac sysadmin, or just like reading security information, you should check out the full in-depth report.
And if you are a Windows users, do check your hardware for outdated firmware, and make sure that all your components' firmware is up to date.