
Critical EFI Code in Millions of Macs Isn't Getting Apple's Updates (wired.com) 91

Andy Greenberg, writing for Wired: At today's Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple's so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC's operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple's neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails. For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.
  • by Anonymous Coward on Friday September 29, 2017 @01:12PM (#55278561)

    Just give us control over our own damn equipment! Let us form our own communities that will service these machines as necessary.

    Why is everything shrouded in a goddamn fucking mystery? WHY?!

    • by Anonymous Coward
      So Apple can continue to use the words "Magical" and "Revolutionary" at their press conferences.
      • No, that was the Steve Jobs' era.

        Under Tim Cook, it's "courage" and "wait until you see what we have in the future".

        Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

        • by dgatwood ( 11270 )

          Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

          No, the last actual Mac Mini was Macmini6,2 (2012). The 2-core 2014 "Mini" was Apple Hardware Engineering's idea of a great practical joke.

          (Thanks, Intel, for using a different pinout for your four-core Haswell chips, making it financially infeasible for Apple to build both a low-end Mini and a decent Mini with the same logic board design. I blame yo

        • That is when the illusion of Apple being a superior company makes "poof", Apple is no longer innovative, they are no longer a computer company, they do well with consumer electronics. Apple does claim they make inroads into enterprises, but that is mainly forced because any company that wants to create an iOS app has to have at least one Mac to compile the code on. With such brute force tactics it is easy to bully into a lot of businesses. As far as product quality goes, Apple is as good or bad as any self-
    • by e r ( 2847683 )
      Because fools continue to buy and support proprietary hardware and software.
    • Why is everything shrouded in a goddamn fucking mystery? WHY?!

      To make it harder for ordinary citizens to identify, work around, or replace the spyware/controlware built into the core of their machines.

      At least Intel and AMD admit it's there.

      (Of course that's because they sell some access to it as a feature, to corporate IT departments, who use it for remote administration and monitoring of their companies' computing infrastructure and individual users.)

    • Apple's users need to declare their independence from dependence on Apple and switch to free software OSes running on hardware they own. The same is true for independence from any proprietor.

      You will never get the control over your own damn equipment you seek so long as you do business with proprietors (Apple, Google, Microsoft, etc.). Like I've said so many times before on /., the themes of the articles here are the same and so are the fixes you can implement today: software freedom is a good unto itself b

    • by AHuxley ( 892839 )
      AC if people have control then the security services have to work harder.
      "New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs" (3/24/2017)
      https://arstechnica.com/inform... [arstechnica.com]
      DarkSeaSkies, DarkMatter (EFI injection), SeaPea (kernel access), NightSkies (key logging).
      Think of all the computers that got the security services package that might still exist.
      Going back and having users globally create reports and publish their strange and unexpected results.
      Best just to have later ha
  • Apple's solution is probably "buy a new Mac". Tim Cook said himself that Apple products are not for the rich [businessinsider.com] so buying another $1000+ computer every year or two shouldn't be a problem for anyone. Next up: Tim Cook doesn't understand the meaning of "rich" compared to the rest of the population.
    • by Mordaximus ( 566304 ) on Friday September 29, 2017 @01:44PM (#55278885)

      Apple's solution is probably "buy a new Mac". Tim Cook said himself that Apple products are not for the rich [businessinsider.com] so buying another $1000+ computer every year or two shouldn't be a problem for anyone.

      Next up: Tim Cook doesn't understand the meaning of "rich" compared to the rest of the population.

      Except that the people who upgrade their Macs every year or two are few and far between. Apple knows this well. That said, TFA even mentions the EFI update failed on certain percentages of NEWER systems, like the 2016 MacBook. To wit: "And three versions of the 2016 MacBook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases, suggesting they too had serious EFI update failure rates."

      This doesn't sound nefarious to me, it sounds more like there's a hiccup in the update process, which thankfully doesn't render the system a brick when it fails. Naturally something that needs to be addressed though.

      For what it's worth, I'm happily working away on a 2011 iMac, which in the past 6 years has only had one problem, a failed hard drive. This was a recent, and certainly not unexpected failure. Anecdotal for sure, but this is the case for most people I know who own a Mac as well. It's also the reason they (and I) will purchase a new one when the time is right. I know it's trendy to blindly bash on Apple though.

      • For what it's worth, my posts are made from a 2010 Mac mini, which in the past seven years had its RAM upgraded twice (from 2GB to 8GB, then to 16GB) and hard drives upgraded twice too (from 320GB to 750GB, then dropped the optical drive to add an SSD).
      • For what it's worth, I'm happily working away on a 2011 iMac, which in the past 6 years has only had one problem, a failed hard drive. This was a recent, and certainly not unexpected failure. Anecdotal for sure, but this is the case for most people I know who own a Mac as well. It's also the reason they (and I) will purchase a new one when the time is right. I know it's trendy to blindly bash on Apple though.

        I second this!

        My newest Apple Computer is a 2012 nrMacBook Pro with a spinning-rust HD (that hasn't failed yet). It looks and works exactly the same as when I bought it in May, 2013.

        Out of all of my Apple-owning friends, I don't know any that are on the "Upgrade Treadmill" that Slashtards like to constantly allude to. One did just buy a 2017 MBP, but her previous MBP was a 2009 model, and the other recent Upgrader bought himself a 2016 MBP as a retirement gift. That replaced his 2007 MBP.

        I even have a frien

        • by Gr8Apes ( 679165 )

          I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

          A 2010 mini used to do that for me, at a fraction of your power draw. It used to serve as my HTPC as well. Now it's a 2012 quad i7 to handle all that and more.

          • I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

            A 2010 mini used to do that for me, at a fraction of your power draw. It used to serve as my HTPC as well. Now it's a 2012 quad i7 to handle all that and more.

            I would have loved to do that with a mini, and in fact, I spec'ed a 2010 mini to do just that for a friend of mine. Still working quite nicely, too. But The G5 Tower was just languishing, having been replaced by my 2012 nrMBP as my "daily driver", and I didn't want to spend the coin on a mini for a non-essential function.

  • but one thing I see surprisingly frequently on the Surface Pro is EFI firmware updates.

    That can be seen as a good thing and a bad thing. One would hope these are feature updates and not such a long list of critical vulnerabilities but .... Microsoft.

  • Perspective (Score:5, Informative)

    by Known Nutter ( 988758 ) on Friday September 29, 2017 @01:37PM (#55278823)
    From TFA:

    While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

    But don't let that stop a good Apple ass-whoopin'... carry on.

    • But don't let that stop a good Apple ass-whoopin'... carry on.

      You're buying Apple for an integrated hardware/software experience. It's their responsibility for keeping their hardware firmware up to date and secure.

      Microsoft doesn't have that responsibility in the PC realm. The downside is you have to do it yourself. The upside is that's between you and your mobo vendor, and you can do it without Microsoft's involvement.

      Apple needs to keep its end of the bargain if it wants to tout the additional value of

    • From TFA:

      While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

      But don't let that stop a good Apple ass-whoopin'... carry on.

      Also from TFA:

      Our research focused on the Apple Mac ecosystem as Apple is in a somewhat unique position of controlling the full stack from hardware, through firmware, OS, and all the way up to application software and can be considered widely deployed.

      This ensured that they were looking at a configuration that has one of the greatest levels of deployment. Identifying insecurities that occur in a 0.0001% of configurations isn't really productive.

    • From TFA:

      While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

      But don't let that stop a good Apple ass-whoopin'... carry on.

      There's a fundamental difference there. Very few Windows machines are eco-system controlled, i.e. there's a metric shitload of firmware updates out there for motherboards but in general they just don't get applied, because it's not a process that is automatically handled by a single vendor through a single update system.

      e.g. I put a new graphics card in my 6 year old computer recently and it failed to POST. Just before crying foul I decided to try a BIOS update. It seems that I was running release 5 of my E

  • by Anonymous Coward

    I guess you would say this is another example of Apple simply dropping support in a way most users won't notice. I would say many PC makers also stop doing BIOS updates as well after a few years. Not excusing either of these but it does appear to be something not exclusive to just Macs.

    • by Gr8Apes ( 679165 )
      You do realize that you can download and upgrade the EFI firmware yourself, right? It's just the automated install doesn't notify you. I don't disagree that's a bug, but is it a "problem"?
  • Locked hardware, lack of support, 1 year only hardware warranty, higher prices. That's Apple.
  • by craigminah ( 1885846 ) on Friday September 29, 2017 @02:20PM (#55279197)
    Has this negatively impacted users or presented a vector for hackers that has been exploited?
  • Thank you for being a friend
    Traveled down the road and back again
    Your heart is true, you're a pal and a cosmonaut.

    And if you threw a party
    Invited everyone you knew
    You would see the biggest gift would be from me
    And the card attached would say, thank you for being a friend.

  • It's time to upgrade again and throw out your glued in batteries and ssds for a new system

  • I still use a Haswell i7 at home and needed to replace a damaged board. All the popular MSI, Gigabyte, and Asus boards with 97 stopped being updated with new EFI.

    I googled for Windows 10 compatibility and use the latest 2015 UEFI flashes.

    Do Macs need them updated or tied to specific releases of MacOSX?

  • ...if your firmware's up to date? I can find the version of the firmware that's installed. What I can't find is anything documenting what the latest version for my Mac is. Apple's support site is a joke.
  • by JustNiz ( 692889 ) on Friday September 29, 2017 @07:50PM (#55281095)

    The length of time that some system has not been updated does not alone provide a good metric as to how secure it actually is or isn't. It's certainly a mistake to judge the invulnerability of some system just by when it was last updated, which seems to be what the article is doing.

    It was Microsoft who managed to brainwash the world into thinking that weekly/monthly updates are just some normal aspect of all computer systems. Prior to then, it was not unusual for updates for professional OS's (SunOS, HPUX, Solaris, VMS etc) to be more like years apart.
    A high frequency of updates is absolutely necessary if you're running a fundamentally crappily-designed OS like Windows, but let's not paint all things with the same brush.

    That said, I do agree that Apple should release updates every time a new exploit (EFI or otherwise) is identified, which the article also clearly mentions just isn't happening.

  • I'm a little unclear why a bootloader would ever even be in a position to become 'critical'. Either it works, in which case the machine works and a real operating system takes over, or it doesn't, in which case the machine displays the ultimate in security and fails to deliver service to anyone, including malicious agents.

    If bootloaders are now written to somehow be remote-hackable, we have done something very wrong.