For years, Mac users have pointed to the vast quantities of malware targeted at PCs as evidence of why Macs are worth their price premium and, it has to be admitted that they have long had a point. While some might point to the fact that Windows PC are used in far greater numbers, up until Windows 10, Apple was arguably far ahead of Microsoft in working on bringing out security updates and making sure that they were actually applied.
In the mobile arena, Apple is famous for the efficiency with which it applies updated versions of iOS to all relevant devices, in stark contrast to Android, where devices can, literally, never be updated in their entire lifecycle. That makes it all the more surprising that Macs have been discovered to have a key vulnerability.
Most people with even a marginal degree of IT awareness have now grasped that it is generally a good idea to apply software updates as soon as they become available, particularly when they relate to security.
What appears to have happened in a small percentage of cases (around 4%) is that Mac users who were running up-to-date versions of their operating system had not updated their extensible firmware interface, basically the small but significant part of their firmware that starts the process of turning them from off to on.
As yet, the reason for this discrepancy is unclear. On the one hand, it could be an issue with how the updates are provided and applied by Apple, but another theory is that the findings are the result of old habits dying hard.
Up until relatively recently, astute users and admins tended to hold off applying updates so that they could see what issues other users reported with them and then decide whether to apply them at all. This was not an unreasonable position at points in the past, but both Apple and Microsoft are now better at releasing operating system updates that actually solve problems rather than creating them.
Obviously, this issue creates a vulnerability that, one way or another, will need to be addressed and Mac owners might want to start doing some investigating on their own to see if they have an outdated EFI (or check with a Mac specialist).
In theory, it leaves users vulnerable to the likes of Thunderstruck and could result in them becoming the victims of fraud. In the real world, however, an EFI-based attack would arguably be a very challenging way of undertaking a cyber attack, which would limit its attractiveness to criminals.
The research that uncovered this problem was only undertaken on Macs so, at the current time, it’s unclear if there is an equivalent issue with PCs. The researchers speculate that their probably could be and that the nature of PC usage means that the percentage of machines with an equivalent problem could be even higher.
If you needed any more reason to make sure your security is up to date, this could be the push you finally need to take action.