Apple Mac computers are being exposed to security risks because core software is outdated, research suggests.
Duo Security found that 4.2% of the 74,000 Macs it tested ran out-of-date versions of the firmware that starts the machine.
It said the figure was likely to be replicated in the global population of Macs and worse on PCs.
Apple welcomed the research and said it was improving how it updated machines.
In its research, Duo Security looked at the versions of the low-level firmware known as the Extensible Firmware Interface (EFI) on a large population of Apple Mac computers currently in use.
“It’s the first bit of code that runs when you press the power button,” said Rich Smith, Duo’s director of security.
Many Macs Duo tested had never had their EFI updated, he said, and some were using old versions of the code even though they were up to date with operating system and application security patches.
“It’s a silent failure because the user or administrator is never notified,” he said, adding that it was not clear what had stopped some machines updating their EFI correctly.
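Because nothing on the machine warns an administrator about a stale EFI, the practical first step is to read the installed firmware build and compare it with the build expected for that model. The script below is an added example written for this page; it is not Duo's tool or anything Apple ships. It reads the "Boot ROM Version" (newer macOS releases label the same field "System Firmware Version") from `system_profiler SPHardwareDataType`, and the expected build passed on the command line is an assumption the administrator must supply from Apple's release notes or their own inventory. The embedded profiler text is a constructed sample used only when the script runs somewhere without `system_profiler`.

```shell
#!/bin/sh
# Added example (not from the article, Duo or Apple): report a Mac's EFI build
# and flag it when it differs from the build the administrator expects.

# Constructed sample of `system_profiler SPHardwareDataType` output, used as a
# fallback so the parsing logic can be exercised off a Mac. The version string
# is a placeholder, not a statement about any real model's current firmware.
SAMPLE_PROFILE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Boot ROM Version: MBP111.0138.B17
      SMC Version (system): 2.16f68'

# Extract the firmware build from profiler text on stdin. Older macOS prints
# "Boot ROM Version", newer releases "System Firmware Version"; accept both.
# sed -E is used so the alternation works with both BSD and GNU sed.
parse_boot_rom() {
    sed -E -n 's/^[[:space:]]*(Boot ROM Version|System Firmware Version):[[:space:]]*//p' | head -n 1
}

# Compare the installed build ($2) with the expected build ($1).
# Returns 0 on match, 1 on mismatch, 2 when no version could be read at all
# (the last case is its own failure: a machine you cannot inventory is not
# "up to date", it is unknown).
check_efi_version() {
    expected="$1"
    actual="$2"
    if [ -z "$actual" ]; then
        echo "UNKNOWN: no EFI version found in profiler output" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: EFI $actual matches expected build"
        return 0
    fi
    echo "STALE: EFI $actual installed, expected $expected" >&2
    return 1
}

# Use live data on a Mac; otherwise fall back to the constructed sample.
get_profile() {
    if command -v system_profiler >/dev/null 2>&1; then
        system_profiler SPHardwareDataType
    else
        printf '%s\n' "$SAMPLE_PROFILE"
    fi
}

# Usage: sh efi_check.sh <expected-build>   e.g. sh efi_check.sh MBP111.0138.B17
main() {
    expected="$1"
    actual="$(get_profile | parse_boot_rom)"
    check_efi_version "$expected" "$actual"
}

# Only run when an expected build is given, so the functions can also be
# sourced and reused by a fleet inventory script.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The exit code is what a fleet tool should consume: 1 for a machine whose firmware lags the expected build even though its OS patches are current, and 2 for a machine whose firmware could not be read. On High Sierra the Apple-supplied check mentioned later in the article can be run by hand as `/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check`, which compares the installed EFI against Apple's known-good measurements rather than against a build string you supply.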
Attacks via the EFI were rare, said Mr Smith, because attackers typically had faster or more lucrative ways to steal cash from victims.
However, the most “sophisticated” attackers were likely to use them because they gave them deep access to a target system.
“You can do anything from there and circumvent any of the controls that are higher in the system,” he said.
Several researchers had developed EFI attacks that some nation states were known to copy, he said.
In a statement, Apple said it “appreciated” the work Duo did highlighting what it called an “industry-wide” issue.
“Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure,” it said. The newest version of its Mac operating system, called High Sierra, applies weekly checks to ensure machines have an up-to-date EFI.
Mr Smith agreed that every computer maker could do better at handling EFI updates.
“The problems we found with Apple are indicative of an industry-wide problem,” he said. “On the PC we expect the situation to be quite a lot worse.”