EFI is the system firmware that loads before your operating system boots or hypervisor starts. If it’s compromised then your entire computing platform is under threat. Duo Security has conducted an analysis looking at how Apple manages updates to EFI and how those updates relate to fixing vulnerabilities. The results of their work reveal some interesting issues>
Duo’s analysis was quite thorough and involved looking at every EFI update Apple released over the last three years. As Apple controls the full hardware, EFI and OS stack, EFI updates are often bundled with OS updates which makes life easier for users. But, by looking at what EFI updates Apple has released, and then correlating that with a review of over 73,000 Macs running in the real world, they found many systems were not running the latest EFI, even though it’s made available through Apple’s update services.
In addition, they have found that while Apple is reasonably diligent in updating their operating system software, fixes for EFI vulnerabilities lag behind, particularly for older operating systems such as El Capitan and Yosemite. And their work also reveals there are 16 Mac models that have not received any EFI updates.
Duo says if you aren’t able to run macOS 10.12.6 (the most recent release of Sierra) then you are at risk of not having EFI firmware that protects against all known vulnerabilities.
To help you determine if you’re running the latest firmware, Duo is releasing a tool, EFIgy, that tells you. It’s on GitHub but, at the time of writing the tool was not available due to a bug. But it’s worth checking back there for when the tool is re-released.