Apple computers are at risk from flawed updates, researchers find

Your Mac should be getting these patches automatically. But it may not be, and that could spell trouble.

Laura Hautala Former Senior Writer
A MacBook and a MacBook Pro. Users of MacBooks running MacOS High Sierra will receive weekly alerts monitoring their firmware.

Sarah Tew/CNET

Maybe it isn't sexy, but it stops hackers from using well-known bugs to break into your computer. In fact, it's the most important thing you can do to keep your computer safe.

Say it with me: Update your software.

But there isn't much you can do if the update doesn't work the way it should. That's what's happening with some automatic updates to Apple computers. According to research published by Duo Security on Friday, Apple updates can sometimes leave out very important patches to computer firmware, the updatable code that runs on computer processors and other chips.

Out of more than 73,000 Macs reviewed by the researchers, 4.2 percent didn't have the version of firmware they should've had. Some models of Apple computers, many of them older, were especially behind the curve, with 16 of them showing no firmware updates and 18 of them appearing only to have been updated before leaving the factory.

In the computers with firmware that was older than expected, "The update failed for some reason, and that failure was never noticed," said Rich Smith, director of research and development at Duo Labs.

The missing updates highlight an area of computer security Smith said doesn't get as much attention as it should. It's especially dangerous for firmware to be left vulnerable to hackers because it runs very powerful code. A hacker could use the code to gain complete control over a computer and potentially access any network that the computer can.

Apple said it appreciated Duo's research. In an emailed statement, the Mac maker added that it "continues to work diligently in the area of firmware security, and we're always exploring ways to make our systems even more secure."

On Monday, Apple announced that its newest operating system, MacOS 10.13 or High Sierra, will check a computer's firmware weekly. According to Apple Insider, if an update failed and the firmware isn't up to date, users will be asked to send Apple a report (affected computers will still be usable).

What's firmware?

Firmware is a category of software that sits "in the dark end of the system that people are less familiar with," Smith said.

Your laptop, or any computerized hardware, has a silicon chip inside that runs everything. Most importantly, it starts up your computer when you press the power button, but it has more features than that. Sometimes features of that chip are permanent, but some can be updated after you purchase your device.

Updating your software is one of the best ways to keep your computer safe from hackers. But Mac firmware updates sometimes fail without alerting users, leaving computers vulnerable.

"Firmware is halfway between hardware and software," Smith said. "It's a silicon chip that can receive aftermarket updates to it."

In the past few years, Apple has made it much easier to update firmware by allowing the new code to download automatically while the operating system updates. That's progress, Smith said, but his research team suspected the process might still have some hiccups.

Apple may not be alone

Smith said Windows computers likely have similar (or worse) problems, but he doesn't yet have data to support that suspicion.

His team focused on Apple for "lazy reasons," Smith said. Each firmware update is tied to a specific version of the operating system on Apple computers, so it's easy to see exactly what firmware you'd expect a given machine to have. What's more, Apple controls everything about its computers, from the manufacture and sale to the updates down the road.

The process of building, selling and updating Windows machines is "far more fragmented and complex," and it's harder to know what version of firmware a given computer should be running.

Microsoft declined to comment for this report.

Duo Security is releasing open-source tools on Friday it hopes will help users check whether their computers are running the right version of firmware. The tools still need refining before they can help regular people check their firmware, Smith said, so it's not clear when you'll be able to use them. 
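The core of such a check is the comparison Smith describes: read the firmware (Boot ROM) version a Mac reports and compare it with the version expected for that machine. The script below is an added illustration, not Duo's tool; it parses the layout of `system_profiler SPHardwareDataType` output, and its expected-version table and sample report are constructed placeholders keyed by model only (Apple's real expected versions depend on the installed OS version).

```shell
#!/bin/sh
# Added example: flag a Mac whose reported Boot ROM version is not the one expected.
# Not Duo's tool. EXPECTED_TABLE is a constructed placeholder, not Apple release data:
# "<Model Identifier> <expected Boot ROM Version>", one pair per line.
EXPECTED_TABLE='MacBookPro11,1 MBP111.0140.B00
MacBookAir6,2 MBA61.0103.B00'

# Extract one "Key: value" field from system_profiler-style text read on stdin.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# check_firmware: reads SPHardwareDataType text on stdin, prints one verdict line.
# Returns 0 when firmware matches, 1 when it is behind or cannot be assessed.
check_firmware() {
    report=$(cat)
    model=$(printf '%s\n' "$report" | field "Model Identifier")
    actual=$(printf '%s\n' "$report" | field "Boot ROM Version")
    if [ -z "$model" ] || [ -z "$actual" ]; then
        echo "UNKNOWN: could not read model or Boot ROM version"; return 1
    fi
    expected=$(printf '%s\n' "$EXPECTED_TABLE" | awk -v m="$model" '$1 == m { print $2 }')
    if [ -z "$expected" ]; then
        echo "UNKNOWN: no expected firmware version for $model"; return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $model firmware $actual matches expected"; return 0
    fi
    # A silent failed update looks exactly like this: older version, no user-visible error.
    echo "MISMATCH: $model has $actual, expected $expected"; return 1
}

# Constructed sample in system_profiler SPHardwareDataType layout (no real machine data).
SAMPLE_STALE='Hardware:
    Hardware Overview:
      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Boot ROM Version: MBP111.0138.B00
      SMC Version (system): 2.16f68'

# On a real Mac, feed live data instead:  system_profiler SPHardwareDataType | check_firmware
printf '%s\n' "$SAMPLE_STALE" | check_firmware || true   # non-zero exit flags stale firmware
```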

Apple will continue to offer software updates for its previous two operating systems, which would ostensibly include firmware updates, but it won't validate the firmware on a weekly basis. So for now, the only way to make sure you're running the most current firmware is to update to High Sierra. 