Study Finds Significant Number of Macs Running Out-of-Date Firmware Susceptible to Critical Exploits

[Westside guy]

In a related blog post, Duo Security said users should check if they are running the latest version of EFI on their Macs, and it has released a tool to help do so. It also recommends updating to the latest version of macOS High Sierra.

I've got High Sierra on a work machine... and my experience with it has hardened my resolve to keep my personal MacBook Pro on El Capitan for as long as Apple releases security updates for the OS.

(Of course it's possible my judgement is clouded by the fact that said work machine is a new MacBook Pro with that silly Touch Bar and awful low-travel keyboard. I prefer my own 2015 MacBook Pro in almost every respect.)

 

[ChazSch]

Yup, me too, 2008 MacBook Pro, but then again, it’s friggin’ ancient hardware that I should’ve ditched long ago. ( unbelievable how long Apple products keep trudging along! )

they just keep going and going....yeah I had a swollen battery once...and my hard drive was slowing down...but once I went to SSD IT SCREAMS again. I think the reason my 2008 MBP is no loner supported is because specs say I have an old rotating hard drive. It think they need to make allowances IF you have upgrades...I am sure it can handle it. Its faster in opening adobe products than my late 2015 5k 27" iMac here at work

 

[IJ Reilly]

This article is pretty much useless because it doesn't include the updates that are installed with OS updates, which is the only way the most recent updates are distributed.

Yup. Apparently the writers of this paper knew the current EFI versions for all the Mac models they tested, they just did not share them. I suppose the version can be found somewhere in the System Report, but that was left a mystery too.

I honestly hate this sort of thing. The message is, you might have out of date EFI firmware, it might vulnerable to hacking, but we're not going to tell you how to find out. Then again, we're not giving you any information on how to fix it, either, so don't worry about the first part. Or do worry. Just feel like you might be screwed and totally helpless. You're welcome!

 

[macs4nw]

it hurts me. update to High Sierra not possible. iMac 2011

Doesn't Apple state 'iMac late 2009 or newer' as minimum hardware requirement to run macOS High Sierra?

You may have to update to macOS Sierra first though.

 

[Analog Kid]

Buy a Mac they said...

Macs can’t get viruses they said...

Meanwhile, others said they could. Then a long discussion broke out about how easily, and under what conditions, and how it all comes down to user vigilance in the end.

Listen to all the voices, don’t try to over simplify, and you’ll understand the world more fully.

 

[Codeseven]

Yup, me too, 2008 MacBook Pro, but then again, it’s friggin’ ancient hardware that I should’ve ditched long ago. ( unbelievable how long Apple products keep trudging along! )

....another fun fact about that old MBP is that it was a birthday gift from my wife, she bought it new at an Apple store, cost, $3,000! Think about the tremendous leap in technology that same three grand will get you now.
[doublepost=1506704851][/doublepost]

they just keep going and going....yeah I had a swollen battery once...and my hard drive was slowing down...but once I went to SSD IT SCREAMS again. I think the reason my 2008 MBP is no loner supported is because specs say I have an old rotating hard drive. It think they need to make allowances IF you have upgrades...I am sure it can handle it. Its faster in opening adobe products than my late 2015 5k 27" iMac here at work

I’ve said it before on these Forums but, the incredible bulitt proof longevity of that old laptop pretty much guarantees me being an Apple product buyer.

 

[lowendlinux]

I guess this means when I finally get my computer back on Wednesday I should check and see if there's an EFI update.

 

[bjet767]

"The security firm analyzed 73,324 Macs used in production environments and found that, on average, 4.2 percent of the systems were running the incorrect EFI version relative to the model and version of macOS or OS X installed." From the Article"

This quote says it all, you are being watched without knowing it. This "research" and analysis requires access to these computers, so isn't it amazing they turned a hack and or privacy invasion into a legit article. Sounds a bit like self promotion.

 

[Vanilla35]

So, according to your analysis the majority of computer users ARE capable of knowing what a program does and how things work on computers because the majority of computer users still use Windows.

Really? Is that really your argument? It is just that in my experience Mac users generally know more about computers and what they want to do; that is why they are on a Mac. The clueless buy the cheapest PC they can find because they simply don't know any better. Interesting that we should live in such completely different realities.

It's not supposed to be an argument. But now that we're arguing, I'll explain further; Both windows and mac users have an ignorant crowd that don't know much about computers, regardless of OS. I would argue that the average more advanced mac user may be more knowledgeable than the average advanced windows user. I would also argue though that the average less advanced windows user is more knowledgeable than the average less advanced mac user.

There are people who buy macs because they know what they are doing (small percentage, advanced users), and then there are those who buy macs because they don't know what they're doing with computers (high percentage, less advanced).

The same people who buy extremely cheap windows computers also buy cheap cars, and other things. That's a type of person, not a type of user.

 

[chrfr]

I honestly hate this sort of thing. The message is, you might have out of date EFI firmware, it might vulnerable to hacking, but we're not going to tell you how to find out. Then again, we're not giving you any information on how to fix it, either, so don't worry about the first part. Or do worry. Just feel like you might be screwed and totally helpless. You're welcome!

The major point with papers like these is to get Apple to pay attention and fix it. If your computer is running the newest version of the operating system it can, and you've installed it using an actual installer rather than cloning an image from another disk over to it, you've pretty much done all you can to be sure your firmware is updated.
You can look at your computer's existing version by opening System Information and looking at the Boot ROM version in the Hardware Overview.
[doublepost=1506705271][/doublepost]

This quote says it all, you are being watched without knowing it. This "research" and analysis requires access to these computers, so isn't it amazing they turned a hack and or privacy invasion into a legit article. Sounds a bit like self promotion.

I manage a few hundred Macs at work. I have management tools that let me install updates and which report back to a server. Part of what they report back is the firmware version. This isn't a matter of the information being collected by Apple from unknowing users.

 

[BorderingOn]

How does one end up in this situation when using Apple's own installer / updater packages?

 

[chrfr]

I guess this means when I finally get my computer back on Wednesday I should check and see if there's an EFI update.

The EFI updates aren't available as standalone updates; they're rolled into operating system updates now.

 

[triptolemus]

Yup. Apparently the writers of this paper knew the current EFI versions for all the Mac models they tested, they just did not share them. I suppose the version can be found somewhere in the System Report, but that was left a mystery too.

I honestly hate this sort of thing. The message is, you might have out of date EFI firmware, it might vulnerable to hacking, but we're not going to tell you how to find out. Then again, we're not giving you any information on how to fix it, either, so don't worry about the first part. Or do worry. Just feel like you might be screwed and totally helpless. You're welcome!

Oh, and download our mystery utility from the armpit of the internet, Github.

 

[lowendlinux]

The EFI updates aren't available as standalone updates; they're rolled into operating system updates now.

It's not a Mac

 

[TsMkLg068426]

If it has anything to do with older Macs that no longer get firmware updates it is not on customers end or fault. Unlike Microsoft that keep on sending updates for older OS and hardware Apple products seem to not last more than 3-4 years which I think it is purposely done to force a Apple customer to buy a new hardware.

 

[chrfr]

How does one end up in this situation when using Apple's own installer / updater packages?

One doesn't, but it's common in business environments to get an operating system on a computer by copying a disk image to it from another source. In those cases, the computer will end up with a mismatch if that computer hasn't previously had that particular version of operating system actually installed on it.

It's not a Mac

Then how is that relevant to this topic?

 

[MrGuder]

And we should trust Duo Security to patch our systems?

 

[Analog Kid]

Yup. Apparently the writers of this paper knew the current EFI versions for all the Mac models they tested, they just did not share them. I suppose the version can be found somewhere in the System Report, but that was left a mystery too.

I honestly hate this sort of thing. The message is, you might have out of date EFI firmware, it might vulnerable to hacking, but we're not going to tell you how to find out. Then again, we're not giving you any information on how to fix it, either, so don't worry about the first part. Or do worry. Just feel like you might be screwed and totally helpless. You're welcome!

Well, they did link to a broken tool they promised to patch when they’ve recovered from their hangover, so there’s that...

If ever you were going to test MD5 checksums, this is probably the tool to do it on...

 

[oldwatery]

What do you expect from a company that really only makes phones and watches....or at least would like to only make phones and watches. This is so disappointing. What is so hard about publishing/pushing these upgrades so we can all get them in a timely manner? I guess they don't have the resources or money inside that spaceship thing.

 

[lowendlinux]

One doesn't, but it's common in business environments to get an operating system on a computer by copying a disk image to it from another source. In those cases, the computer will end up with a mismatch if that computer hasn't previously had that particular version of operating system actually installed on it.

Then how is that relevant to this topic?

While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

It's right there in the article

 

[julescilib]

f that. my rmbp still running os mavericks

 

[IJ Reilly]

The major point with papers like these is to get Apple to pay attention and fix it. If your computer is running the newest version of the operating system it can, and you've installed it using an actual installer rather than cloning an image from another disk over to it, you've pretty much done all you can to be sure your firmware is updated.
You can look at your computer's existing version by opening System Information and looking at the Boot ROM version in the Hardware Overview.

I get the part that only Apple can actually fix this. But considering that their own data suggests that less than 5% of Mac users will have this problem, it would've been far more useful if they'd provided a method to set the minds of the other 95% at rest. Instead they took the typical technocratic approach. We're only going to give you enough information to make you worry and not enough to actually help.

 

[ApfelKuchen]

it hurts me. update to High Sierra not possible. iMac 2011

It's completely possible. See the list of compatible Macs here: https://support.apple.com/HT201475

Perhaps you're confusing the conversion to APFS (which isn't yet being done for Macs with Fusion Drives and spinning HDDs) with the overall upgrade to High Sierra?

Until I read this, I didn't know that firmware updates are no longer distributed separately from macOS. So the macOS installer is broken such that bundled firmware updates are not always installed, which is a major problem because firmware updates are no longer automatically distributed, otherwise.

This is a profoundly foolish approach on Apple's part. It's analogous to not distributing security updates except for major OS releases every year.

Firmware updates used to be sent out like any other software update. Why the change? Installing firmware updates should not be limited to major macOS upgrades; the software update mechanism should be fixed to check firmware revisions at all times (like it used to).

If 95.8% of the Macs tested have an up-to-date EFI, I'd consider Apple's current distribution methods to be pretty effective. Hardly perfect, but "profoundly foolish" may be overstating things. I doubt they were getting higher levels of updating prior to moving the EFI updates into the OS distributions.

Further, you keep referring to Apple limiting EFI updates to "major macOS upgrades," when that's not necessarily the case; bundling them into an update (let's say a dot-1 to dot-2) or security patch is also possible. The real difference is that instead of issuing machine-specific updates, they're bundling them into a wider distribution.

"Why the change?" Most likely to improve the percentage of Macs running the latest EFI, just like free OS upgrades improves the number of Macs running an up-to-date OS. The converse of "If it ain't broke, don't fix it" is, "If it is broke, fix it." Do you really think that 95.8% (or more) of Macs had an up-to-date EFI prior to this change? Now, sometimes the fix is broken (that 4.2%), and with the attention given to this issue, I'm sure Apple will fix the fix, too... Considering the existence of the EFI checker in High Sierra, part of that fix is already in motion.

If Apple was unaware of the risks of EFI exploits, they wouldn't have incorporated the EFI-checker into High Sierra. One person might say, "Why didn't they do it sooner," while another might say, "That's being quite proactive." It's purely a matter of how you measure the contents of a glass.

 

[cerote]

I would love to have my 2012 iMac firmware updated (ie videocard, etc) updated. Unlike my old PC which was easy to check and update firmware, I have not seen firmware updates for my Mac. Disappointing!

And how many times did those updates break other things. Games and such always battled for compatibility with video card drivers.

Anyway most times you can run the makers drivers on Mac. I’ve been using nividia’s drivers on my late 2012 for a while.

 

[RadioGaGa1984]

Buy a Mac they said...

Macs can’t get viruses they said...

Has your Mac had a virus? Does you Mac have a virus now? No. I didn’t think so. Thanks for the FUD.