As any nagging cybersecurity expert will tell you, keeping your software up-to-date is the brushing and flossing of digital security. But even the most meticulous practitioners of digital hygiene generally focus on maintaining the updates of their computer's operating system and applications, not its firmware. That obscure, reptile-brain code controls everything from a PC's webcam to its trackpad to how it finds the rest of its software as it boots up. Now one new study has found that the most critical elements of millions of Macs' firmware aren't getting updates. And that's not because lazy users have neglected to install them, but because Apple's firmware updates frequently fail without any notice to the user, or simply because Apple silently stopped offering those computers firmware updates---in some cases even against known hacking techniques.

At today's Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple's so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC's operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple's neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails.

For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

"There’s this mantra about keeping your system up to date: Patch, patch, patch, and if you do you’ll be running faster than the bear, you’ll be in a good state," says Rich Smith, Duo's director of research and development. "But we're seeing cases where people have done what they’d been told, installed these patches, and there were no user warnings that they were still running the wrong version of EFI ... Your software can be secure while your firmware is insecure, and you're completely blind to that."

The Code Underneath the Code

A modern computer's EFI, like BIOS in older computers, is the embryonic code that tells a computer how to launch its own operating system. That makes it an attractive, if arcane, target for hackers: Gain control of a computer's EFI---as both the NSA and CIA have demonstrated the ability to do in recent years, according to classified documentation leaked to Der Spiegel and WikiLeaks---and an attacker can plant malware that exists outside the operating system; running an antivirus scan won't detect it, and even wiping the computer's entire storage drive won't eradicate it.

So Duo set out to assess just how consistently updated the sensitive code underlying Apple's MacOS really is. (It's important to note the researchers chose Apple simply because its control of both hardware and software made it a far easier set of computers to analyze than Windows or Linux PCs, not because there's any reason to think the company is less careful with its firmware than other computer makers.) Over the last months, it painstakingly analyzed 73,000 Apple machines used by its customers and sampled from other enterprise networks. It then narrowed that collection down to around 54,000 computers new enough to be actively maintained by Apple, and it compared each computer's firmware with the version that computer ought to have given its operating system version.
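As an added illustration of the comparison the study describes (example code, not Duo's own tooling): each host's installed EFI build is checked against the build its model and OS release should carry, hosts with no reference entry are set aside the way Duo narrowed its sample, and the rest are classed as current or behind. All model names, version strings and hostnames below are constructed sample data, not real Apple identifiers.

```python
from collections import namedtuple

Host = namedtuple("Host", "hostname model os_version efi_version")

# Constructed reference table: the EFI build that Apple's update for a given
# (model, OS version) pair should leave installed. Placeholder values only;
# a real table would be built from the firmware shipped in Apple's updaters.
EXPECTED_EFI = {
    ("MacBookPro-X", "10.12.6"): "MBPX.0200.B10",
    ("iMac-Y", "10.12.6"): "IMY.0150.B05",
    ("iMac-Y", "10.12.5"): "IMY.0149.B04",
}

# Constructed inventory, shaped like an asset-management export.
SAMPLE_HOSTS = [
    Host("lab-mbp-01", "MacBookPro-X", "10.12.6", "MBPX.0200.B10"),  # matches
    Host("lab-mbp-02", "MacBookPro-X", "10.12.6", "MBPX.0190.B08"),  # OS patched, EFI stale
    Host("lab-imac-01", "iMac-Y", "10.12.6", "IMY.0149.B04"),        # one EFI release behind
    Host("lab-mini-01", "MacMini-Z", "10.12.6", "MMZ.0100.B01"),     # no reference: set aside
]

def parse_efi(version):
    """Split a 'FAMILY.revision.Bbuild' string into a comparable tuple."""
    family, rev, build = version.split(".")
    return family, int(rev), int(build.lstrip("B"))

def efi_status(host, expected=EXPECTED_EFI):
    """Classify one host as current, outdated, mismatch, or no_reference."""
    want = expected.get((host.model, host.os_version))
    if want is None:
        return "no_reference"  # nothing to compare against: excluded, as in the study
    have, ref = parse_efi(host.efi_version), parse_efi(want)
    if have[0] != ref[0]:
        return "mismatch"      # firmware family does not belong to this model at all
    return "current" if have[1:] >= ref[1:] else "outdated"

def audit(hosts, expected=EXPECTED_EFI):
    """Group hostnames by status so the stale share per fleet can be reported."""
    report = {"current": [], "outdated": [], "mismatch": [], "no_reference": []}
    for h in hosts:
        report[efi_status(h, expected)].append(h.hostname)
    return report

if __name__ == "__main__":
    for status, names in audit(SAMPLE_HOSTS).items():
        print(f"{status:13s} {len(names):3d}  {', '.join(names)}")
```

A host that installed its OS update but still reports the older EFI build lands in the outdated bucket, which is exactly the silent-failure case the article describes and the one an OS-level patch dashboard would miss.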