Despite Macs being viewed as the more secure of the two leading computer operating systems, Duo Labs has revealed up to 4.2% of Macs could be vulnerable to a boot up bug caused by outdated software.
The security firm analysed 73,000 "real-world" Macs and all updates to the operating system over the last three years to get an idea of extensible firmware interface (EFI) updates - used to pre-boot Macs - released for the core platform.
It discovered the EFI had not been updated in many of the Macs it tested and although some computers had the most recent security patches and operating systems installed, the pre-boot environment had never been updated, leaving it open to exploit.
However, the researchers said it was unlikely the vulnerability had ever been used, as it simply takes too much effort to exploit compared to other techniques for stealing cash and credentials.
"Attacks against EFI have so far been part of the toolkit used by sophisticated adversaries who have specific high value targets in their sights," Rich SmithandPepijn Bruienne said in a blog post. "Such adversaries are often spoken about in the same breath asnation state attacksandindustrial espionage."
However, they did say that businesses using Macs that can't have the EFI updated should be taken out of service, or at least moved to secure roles, for example, that don't require the use of network access.
"While EFI attacks are currently considered bothsophisticatedandtargeted, depending on the nature of the work your organization does and the value of the data you work with, it's quite possible that EFI attacks fall within your threat model," they said.
"In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues and you need to determine if you can accept the risk of having vulnerable (and potentially unpatchable) systems in your environment."
Apple said as a result of Duo Labs' work, it would be re-assessing the way it updates machines, according to the BBC.
It's yet another blow to a name that is typically synonymous with security. Last week, US security researcher and former NSA hacker Patrick Wardle discovered a zero-day exploit affecting the Keychain within macOS High Sierra, allowing hackers to access saved passwords without a master key.
-
Why are many men in tech blind to the gender divide?In-depth From bias to better recognition, male allies in tech must challenge the status quo to advance gender equality
-
BenQ PD3226G monitor reviewReviews This 32-inch monitor aims to provide the best of all possible worlds – 4K resolution, 144Hz refresh rate and pro-class color accuracy – and it mostly succeeds
-
Apple discontinues the iMac ProNews Desktop product shake-up paves the way for new Apple Silicon-powered machines
-
M1 Mac mini users suffering Bluetooth connectivity problemsNews It’s unknown if the issue is in the new Apple silicon or the Big Sur OS
-
Apple starts accepting Mac trade-ins at retail storesNews Up until now, you could only trade in a used Mac online, which was unwieldy and time-consuming
-
Apple launches surprise desktop iMac and iMac Pro upgradesNews New iMac models have up to 9th-gen Core i9 processors and Vega Pro graphics
-
Apple unveils next-generation Mac miniNews Space grey device with five times the performance has been unveiled at special October event
-
Apple fixes its spammy calendar with Report Junk featureNews The new option lets you block spam iCloud calendar invites
-
Apple MacBook Retina 12in review - 'a superb choice, but challenging to fit into how you work'Reviews Apple upgrades specs and adds rose gold model for 2016 MacBook Retina 12in
-
Apple 13-inch MacBook Pro With Retina Display (Early-2015) reviewReviews A Broadwell upgrade provides impressive battery life for Apple’s business laptop.
