Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

ANY way to Check OSX Before buying?

Intell said:
There is no new Thunderbolt firmware provided with Mac OS X 10.10.2.
Click to expand...

How would you suggest that Apple could protect against the Thunderbolt vulnerability without firmware updates?

Trammell Hudson mentions a firmware change in his FAQ:

The change log does not mention downgrade prevention, although reports in the media are that this boot ROM version will prevent rolling back to vulnerable versions. All pre-Yosemite machines remain vulnerable to Thunderstrike unless Apple releases firmware updates for them as well.
Click to expand...

Thunderstrike presentation here for those not familiar with the details:
https://www.youtube.com/watch?v=5BrdX7VdOr0

Web page version for those that don't want to watch an almost hour long video:
https://trmm.net/Thunderstrike_31c3
 
If a firmware update was within the package, OS X would instruct the user to not turn off their machine when it is being updated and that the fan at full speed is normal among other things that happen when a Thunderbolt update is applied to a machine. The 10.10.2 update does not do any of those things.
 
alex0002 said:
Thunderstrike is a firmware issue where the Mac is vulnerable at boot time, so if he has Yosemite and gets Security Update 2015-001 doesn't he get the new firmware?

Then he can install Mavericks.
Click to expand...

He'll have to install 10.10.2 first then downgrade.

----------
Intell said:
If a firmware update was within the package, OS X would instruct the user to not turn off their machine when it is being updated and that the fan at full speed is normal among other things that happen when a Thunderbolt update is applied to a machine. The 10.10.2 update does not do any of those things.
Click to expand...

There is.

It's labelled as a CPU update in the list of issues fixed in 10.10.2.

I also noticed that the SMC was of a newer variant after 10.10.2 was installed.
 
Strange how none of my Thunderbolt machines presented themselves as if a firmware update was being installed. For future reference, CPU update ≠ Thunderbolt firmware ≠ SMC version change.
 
yjchua95 said:
He'll have to install 10.10.2 first then downgrade.
Click to expand...

Yes, that's what I meant. Sorry if I wasn't clear.
I guess there must be a list of SMC versions (before and after) somewhere?

Intell said:
Strange how none of my Thunderbolt machines presented themselves as if a firmware update was being installed. For future reference, CPU update ≠ Thunderbolt firmware ≠ SMC version change.
Click to expand...

It is not the Thunderbolt firmware that is in question, it is the boot ROM (SMC) that is vulnerable during a very small window at boot time, but strange how Apple put this under the category of "CPU Software".


Edit: It appears that Apple might be calling the update "CPU Software", because that is the phrase mentioned in CVE-2014-4498:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4498
 
Last edited:
If the SMC was the thing that is to be updated, which it isn't, then why does the 10.10.2 update only have SMC updates for some of the Thunderbolt equipped Macs and furthermore, why is the SMC update time stamped September 9th 2014. If the included SMC update was the fix for Thunderstrike, it would have been included with 10.10.1 and been for all Thunderbolt equipped Mac. The 10.10.2 update wholly lacks the required Thunderbolt EFI updater and the Thunderbolt firmware bin.
 
Intell said:
If the SMC was the thing that is to be updated, which it isn't
Click to expand...

Based on Trammell Hudson's presentation and FAQ, what do you think should be updated to provide this fix?

Edit: perhaps the fix is delivered in EFI firmware, but whichever, the vulnerability comes long before OS X is running, so it must be fixed in boot ROM firmware.

Intell said:
...then why does the 10.10.2 update only have SMC updates for some of the Thunderbolt equipped Macs and furthermore, why is the SMC update time stamped September 9th 2014. If the included SMC update was the fix for Thunderstrike, it would have been included with 10.10.1 and been for all Thunderbolt equipped Mac. The 10.10.2 update wholly lacks the required Thunderbolt EFI updater and the Thunderbolt firmware bin.
Click to expand...

Good questions, perhaps Apple has been aware of the vulnerability since Sep 2014 or earlier? Perhaps not every Thunderbolt equipped Mac with 10.10.2 got update firmware and some are still vulnerable?

Only Apple knows and there isn't a lot of detail in the Security Update 2015-001 page.
 
Last edited:
The SMC controls and interacts with things like the fans, sensors, lights, and other basic IO devices, Thunderbolt is not a basic IO device. To fix it, it would require a two step process, one to update the firmware and a second update to prevent end users from installing a vulnerable version of the firmware. One of those updates, likely the one that prevents downgrades, would be an EFI update.
 
Intell said:
The SMC controls and interacts with things like the fans, sensors, lights, and other basic IO devices, Thunderbolt is not a basic IO device. To fix it, it would require a two step process, one to update the firmware and a second update to prevent end users from installing a vulnerable version of the firmware. One of those updates, likely the one that prevents downgrades, would be an EFI update.
Click to expand...

Yes, I should not have mentioned SMC and should have stuck with the phase "boot ROM" firmware so as not to confuse with SMC functions. But we are not patching Thunderbolt firmware here, we are preventing Option ROMs loading at boot time.

Apple has a partial fix that they have started shipping in the new Mac Mini's and iMac Retinas, and they plan to release it for older Macs soon as a firmware update. Their fix is to not load Option ROMs during firmware updates, which is effective against the current proof-of-concept
Click to expand...

Anyway, we are getting off topic. The point is that without firmware updates the Mac is vulnerable, but after the firmware is updated, it should be possible to use an older OS X such as Mavericks and the system is still protected.
 
harleymhs said:
Nothing about what version its running, Just OSX Installed..

----------
Click to expand...
Some say you can tell by the picture on the box. If the background on the Mac on the box is a rock face, the installed OS would be Yosemite, if it was an ocean wave it would be Mavericks.

I thought that if you buy an OSX running a NEW version OSX you can NEVER install an older version only go forward.. I do have a copy of Mavericks installer on a USB drive but I know for a fact the NEWER machines won't install on it the logic board won't take an older version. Is this correct?

----------
Click to expand...
Not ENTIRELY true. If you buy a Mac Mini 2012 refurbished right now it will ship with either Mavericks or Yosemite but because that model originally shipped with Lion (or was it ML?), you could theoretically install that version on it if you have install media for it.

So if thats the case the New air would be able to take Mavericks from a USB installer?

----------
Click to expand...
No, Mavericks would not include the kexts to support the hardware in a model that was never available when the OS was fully supported. This is the reason that the oldest OS you can run on a Mac is the OS that originally shipped on it, you need the Mac version of drivers to support the hardware.

I have a CCC of my system running Mavericks.. I used Migration ass and it all on Yosemite … IS THERE any way to get Mavericks on a Machine that came with Yosemite? Thats the BIG question here! Thanks Guys!
Click to expand...

Only if the model was released before Yosemite was and therefore shipped with Mavericks but newly-shipped machines of the same model have Yosemite (as is the case with the mid-2014 rMBP).
 
hallux said:
Some say you can tell by the picture on the box. If the background on the Mac on the box is a rock face, the installed OS would be Yosemite, if it was an ocean wave it would be Mavericks.


Not ENTIRELY true. If you buy a Mac Mini 2012 refurbished right now it will ship with either Mavericks or Yosemite but because that model originally shipped with Lion (or was it ML?), you could theoretically install that version on it if you have install media for it.


No, Mavericks would not include the kexts to support the hardware in a model that was never available when the OS was fully supported. This is the reason that the oldest OS you can run on a Mac is the OS that originally shipped on it, you need the Mac version of drivers to support the hardware.



Only if the model was released before Yosemite was and therefore shipped with Mavericks but newly-shipped machines of the same model have Yosemite (as is the case with the mid-2014 rMBP).
Click to expand...

So you guys are saying that being the Mid 2014 MBPr originally came with Mavericks at one point it is possible to downgrade to Mavericks if I have the Mavericks installer on a USB Drive ( which I do have )
 
harleymhs said:
So you guys are saying that being the Mid 2014 MBPr originally came with Mavericks at one point it is possible to downgrade to Mavericks if I have the Mavericks installer on a USB Drive ( which I do have )
Click to expand...

Correct.
 
Back to the OP's original question. What OS version was shown on the open laptop image on the box?

My mid-2012 machine bought in April came in a box showing Mavericks on the open laptop image on the side of the box. The machine originally shipped with 10.7 Lion, so the image may well serve as an indicator. But then again I don't know how quickly Apple switches boxes on the production line after an OS change.

That was the only indicator I could find of OS version.
 
meson said:
Back to the OP's original question. What OS version was shown on the open laptop image on the box?

My mid-2012 machine bought in April came in a box showing Mavericks on the open laptop image on the side of the box. The machine originally shipped with 10.7 Lion, so the image may well serve as an indicator. But then again I don't know how quickly Apple switches boxes on the production line after an OS change.

That was the only indicator I could find of OS version.
Click to expand...

That was old boxes, the new boxes don't have any photos on them at all.. Thanks for your reply!

----------

Got a response from the CCC people, they said this to go back to Mavericks from a machine that is shipped with Yosemite is not possible!

Mike B. (Bombich Software)

Feb 1, 8:56 PM

Hi Harley,

Sorry to take the wind out of your sails, but this just isn't possible -- Apple doesn't allow it:

I will FINALLY try it this AM and report back! Got another rMBP last night ! Lets see if this works!
 
Operation was a Sucess! Installed Mavericks onto the 2014 rMBP no issues at all from the Installer on thumb drive , transfer from a Time Machine back up and ALL is good! Thanks to ALL responded!
 
hallux said:
No, Mavericks would not include the kexts to support the hardware in a model that was never available when the OS was fully supported. This is the reason that the oldest OS you can run on a Mac is the OS that originally shipped on it, you need the Mac version of drivers to support the hardware.
Click to expand...

This is not true.

The late 2011 MBP originally shipped with Lion but could be downgraded to 10.6.8.

The 2014 MBA originally came with Mavericks but later versions of Mountain Lion can be installed.

There are other examples...
 
SlCKB0Y said:
This is not true.

The late 2011 MBP originally shipped with Lion but could be downgraded to 10.6.8.

The 2014 MBA originally came with Mavericks but later versions of Mountain Lion can be installed.

There are other examples...
Click to expand...

U are right, mavericks went on perfect and all the hardware worked perfect.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back