Study Finds Significant Number of Macs Running Out-of-Date Firmware Susceptible to Critical Exploits

[belvdr]

For those interested in the EFI firmware, some standalone updaters are available:

https://support.apple.com/en-ph/HT201518

If you don't see a firmware version listed in this article, it means that either a firmware update is only available as an automatic update, or no firmware update is needed.

 

[mlody]

it hurts me. update to High Sierra not possible. iMac 2011

I have 2010 iMac 27" and it updated to High Sierra just fine.

 

[mmcneil]

it hurts me. update to High Sierra not possible. iMac 2011

Perhaps you can
macOS 10.13.1 beta supports:

• MacBook or iMac: Late 2009 or newer
  • MacBook Air, MacBook Pro, Mac mini, or Mac Pro: 2010 or newer
    

 

[Kavok]

it hurts me. update to High Sierra not possible. iMac 2011

I have a mid-2010 iMac and High Sierra installed fine.

 

[rizzo41999]

Yup, me too, 2008 MacBook Pro, but then again, it’s friggin’ ancient hardware that I should’ve ditched long ago. ( unbelievable how long Apple products keep trudging along! )

Good for you for not falling into the "need to upgrade hype." I genuinely mean that!

 

[Solamar22]

In response to the research paper, Apple said it appreciates the research on the industry-wide issue and noted that ONLY macOS High Sierra automatically validates a Mac's EFI on a weekly basis to ensure it hasn't been tampered with. Anyone running Macs with an earlier OS (like Sierra or the ancient El Capitan) or a Mac that can't be updated to run High Sierra are SOL.

Nuts. I have to stay at El Capitan. I cannot use Sierra because with my model (2013 MacBook Pro 15"), there is a bug in Sierra that always logs debug that fills the disc. I don't know if I can go to High Sierra. (In case anyone cares, native 2013 MBP 15" with native clean install of Sierra (nothing else) logs to /tmp/wifi_YYMMDD at rate of 4Mb/sec. Bug reported to Apple.)

 

[Poisednoise]

How is 4.2% a “significant number?”

Strictly speaking, it isn't, as it's a percentage... but given there are about 100 million active Mac users (https://www.theverge.com/2017/4/4/15176766/apple-microsoft-windows-10-vs-mac-users-figures-stats) that means that there are about 4,200,000 computers with out-of-date firmware.

Obviously it depends on the context, but I think most would agree that 4 million+ is a "significant number", or at the very least "sizeable".

 

[stainless]

Here is the Link to APPLE'S actual updates on firmware: https://support.apple.com/en-us/HT201518
[doublepost=1506710302][/doublepost]

Tool's down for now, we'll have to wait for them to fix a bug then it should be back up.

Here is the link to Apple's actual update firmware: https://support.apple.com/en-us/HT201518https://support.apple.com/en-us/HT201518

 

[Nixie1972]

it hurts me. update to High Sierra not possible. iMac 2011

Yes you can:

 

[Soba]

If 95.8% of the Macs tested have an up-to-date EFI, I'd consider Apple's current distribution methods to be pretty effective. Hardly perfect, but "profoundly foolish" may be overstating things. I doubt they were getting higher levels of updating prior to moving the EFI updates into the OS distributions.
[...]
Now, sometimes the fix is broken (that 4.2%), and with the attention given to this issue, I'm sure Apple will fix the fix, too... Considering the existence of the EFI checker in High Sierra, part of that fix is already in motion.

I don't disagree, but I'm of the opinion that they should have taken a "belt and suspenders" approach from the beginning. Distribution with major upgrades, point releases, and standalone security fixes is a fine approach (and probably superior to the old way, as you pointed out), but there should also have been some kind of independent check to ensure the firmware updates actually occur.

If I understood the report correctly, the firmware updater is run as one of the last steps of the security update installer. There are a lot of situations where such updates are delivered through means other than an Apple installer. System imaging software, drive cloning, etc. Quite a few cracks for the new firmware to slip through, hence my disbelief at the fact there's no follow-up check that runs independent of an update. These situations are not edge cases; it is the norm in a business environment full of managed, centrally deployed systems. It's not possible to plan for every case of how software will be installed, but it is possible for the OS to check after the fact and ensure the update was complete.

Further, you keep referring to Apple limiting EFI updates to "major macOS upgrades," when that's not necessarily the case; bundling them into an update (let's say a dot-1 to dot-2) or security patch is also possible. The real difference is that instead of issuing machine-specific updates, they're bundling them into a wider distribution.

You're correct, as corroborated by the report. Apologies!

The report is somewhat long, so I'll be reading the whole thing as soon as I'm able.

 

[puckhead193]

if software developers got their stuff together and made software compatible/update i'd be more then happy to update but until then... i'm stuck on 10.12.3..

PSSSST i'm talking to you Sony... get your crap together!

 

[JohnR]

it hurts me. update to High Sierra not possible. iMac 2011

2008 iMac here

 

[SnarkyBear]

...Anyone running Macs with an earlier OS (like Sierra or the ancient El Capitan) or a Mac that can't be updated to run High Sierra are SOL....

Ancient El Capitan, which was the main OS all of 13 months ago. These OS's grow so quickly these days....

 

[mr.steevo]

If you can, sell and upgrade to a newer iMac while your old one still has value. Mac's keep their value much better than PC's but once they stop getting the latest OS versions the value starts to decline faster - once security updates aren't coming its through the floor (couple of more years).

My in-law's 2007 iMac got a security update about a month or two ago.

 

[Larry-K]

Sounds "EFI'd up" to me.

 

[justperry]

For those interested in the EFI firmware, some standalone updaters are available:

https://support.apple.com/en-ph/HT201518

Those are not (all) latest updates, my md 2012 MBP 13" is on a later and newer firmware. (MBP91.00D7.B00)

 

[dwaltwhit]

So what's the solution? Auto updates would be met with serious pushback, especially in the professional market. A notification of some kind?

 

[Pike R. Alpha]

Here's the official list from macOS High Sierra with the latest EFI firmware versions:

---------------------------------------------------------------------------
EFIver.py v1.2 Copyright (c) 2017 by Pike R. Alpha
---------------------------------------------------------------------------
Mac-F2268CC8 | iMac10,1 | IM101.88Z.00CF.B00.1708080133
Mac-F2268DAE | iMac11,1 | IM111.88Z.0037.B00.1708080241
Mac-F2238AC8 | iMac11,2 | IM112.88Z.005B.B00.1708080439
Mac-942B5BF58194151B | iMac12,1 | IM121.88Z.004D.B00.1708080012
Mac-00BE6ED71E35EB86 | iMac13,1 | IM131.88Z.010F.B00.1708080805
Mac-031B6874CF7F642A | iMac14,1 | IM141.88Z.0123.B00.1708211404
Mac-27ADBB7B4CEE8E61 | iMac14,2 | IM142.88Z.0123.B00.1708211454
Mac-77EB7D7DAF985301 | iMac14,3 | IM143.88Z.0123.B00.1708211454
Mac-81E3E92DD6088272 | iMac14,4 | IM144.88Z.0183.B00.1708080656
Mac-FA842E06C61E91C5 | iMac15,1 | IM151.88Z.0211.B00.1708080656
Mac-F22C8AC8 | MacBook6,1 | MB61.88Z.00CB.B00.1708080203
Mac-F22C89C8 | MacBook7,1 | MB71.88Z.003D.B00.1708080317
Mac-942452F5819B1C1B | MacBookAir3,1 | MBA31.88Z.0067.B00.1708080355
Mac-C08A6BB70A942AC2 | MacBookAir4,1 | MBA41.88Z.007B.B00.1708072159
Mac-66F35F19FE2A0D05 | MacBookAir5,1 | MBA51.88Z.00F4.B00.1708080803
Mac-35C1E88140C3E6CF | MacBookAir6,1 | MBA61.88Z.0103.B00.1708080653
Mac-C3EC7CD22292981F | MacBookPro10,1 | MBP101.88Z.00F2.B00.1708080809
Mac-AFD8A9D944EA4843 | MacBookPro10,2 | MBP102.88Z.010B.B00.1708080805
Mac-189A3D4F975D5FFC | MacBookPro11,1 | MBP111.88Z.0142.B00.1708080655
Mac-3CBD00234E554E41 | MacBookPro11,2 | MBP112.88Z.0142.B00.1708080655
Mac-F22589C8 | MacBookPro6,1 | MBP61.88Z.005A.B00.1708072217
Mac-F222BEC8 | MacBookPro7,1 | MBP71.88Z.003D.B00.1708080058
Mac-94245B3640C91C81 | MacBookPro8,1 | MBP81.88Z.004D.B00.1708080655
Mac-4B7AC7E43945597E | MacBookPro9,1 | MBP91.88Z.00D7.B00.1708080744
Mac-F2208EC8 | Macmini4,1 | MM41.88Z.0045.B00.1708072325
Mac-8ED6AF5B48C039E1 | Macmini5,1 | MM51.88Z.007B.B00.1708080744
Mac-031AEE4D24BFF0B1 | Macmini6,1 | MM61.88Z.010B.B00.1708080649
Mac-35C5E08120C7EEAF | Macmini7,1 | MM71.88Z.0224.B00.1708080033
Mac-F60DEB81FF30ACF6 | MacPro6,1 | MP61.88Z.0120.B00.1708080652
Mac-A369DDC4E67F1C45 | iMac16,1 | IM161.88Z.0212.B00.1708080033
Mac-FFE5EF870D7BA81A | iMac16,2 | IM162.88Z.0212.B00.1708080033
Mac-DB15BD556843C820 | iMac17,1 | IM171.88Z.0110.B00.1708080012
Mac-4B682C642B45593E | iMac18,1 | IM181.88Z.0151.B00.1708080034
---------------------------------------------------------------------------
> Mac-BE088AF8C5EB4FA2 | iMac18,3 | IM183.88Z.0151.B00.1708080034 <
---------------------------------------------------------------------------
Mac-EE2EBD4B90B839A8 | MacBook10,1 | MB101.88Z.0154.B00.1708080122
Mac-BE0E8AC46FE800CC | MacBook8,1 | MB81.88Z.0168.B00.1708080033
Mac-9AE82516C7C6B903 | MacBook9,1 | MB91.88Z.0159.B00.1708080011
Mac-9F18E312C5C2BF0B | MacBookAir7,1 | MBA71.88Z.0171.B00.1708072210
Mac-06F11FD93F0323C5 | MacBookPro11,4 | MBP114.88Z.0177.B00.1708080033
Mac-E43C1C25D4880AD6 | MacBookPro12,1 | MBP121.88Z.0171.B00.1708080033
Mac-473D31EABEB93F9B | MacBookPro13,1 | MBP131.88Z.0212.B00.1708080127
Mac-66E35819EE2D0D05 | MacBookPro13,2 | MBP132.88Z.0233.B00.1708080034
Mac-A5C67F76ED83108C | MacBookPro13,3 | MBP133.88Z.0233.B00.1708080034
Mac-B4831CEBD52A0C4C | MacBookPro14,1 | MBP141.88Z.0167.B00.1708080034
Mac-CAD6701F7CEA0921 | MacBookPro14,2 | MBP142.88Z.0167.B00.1708080034
Mac-551B86E5744E2388 | MacBookPro14,3 | MBP143.88Z.0167.B00.1708080129
---------------------------------------------------------------------------
> WARNING: Your EFI ROM IM183.88Z.0058.B00.1705091711 is not up-to-date!! <
---------------------------------------------------------------------------

Anyone who upgrades to High Sierra will automatically receive the latest firmware update!

See also: https://pikeralpha.wordpress.com/2017/09/27/new-handy-script-called-efiver-py/

 

[rjohnstone]

If 95.8% of the Macs tested have an up-to-date EFI, I'd consider Apple's current distribution methods to be pretty effective.

The sample pools for this report were from managed systems in corporate environments.

The security firm analyzed 73,324 Macs used in production environments

Home users tend to be a lot more "relaxed" in maintaining their computer's software.
I suspect the consumer market would yield different results.

 

[Eklund66]

Depends on the 2011 model.
My mid-2011 iMac runs it just fine.

I got a iMac mid 2010 that works smooth with High Sierra, when posting.
[doublepost=1506720867][/doublepost]

it hurts me. update to High Sierra not possible. iMac 2011

I got a iMac mid 2010, no issues. Works like a charm.

 

[Soba]

Here's the official list from macOS High Sierra with the latest EFI firmware versions:

-----------------------------------------------------------------------
efiver.py v1.0 Copyright (c) 2017 by Pike R. Alpha
-----------------------------------------------------------------------

Thanks for posting this! Are you sure it's complete? I believe the 2010/2012 classic Mac Pro (MacPro5,1) also receives an update to work with APFS, but I don't see that listed here.

 

[JamesPDX]

Eh, Windows is trash software. Two PC's at my office have just flat-out had master boot records go missing amongst a myriad of other issues.

Q: Does the Windows 10 Pro edition have this issue, or just the Home edition?

 

[sdwaltz]

Q: Does the Windows 10 Pro edition have this issue, or just the Home edition?

Both were W10 Pro, in my case.

 

[JamesPDX]

Thanks for posting this! Are you sure it's complete? I believe the 2010/2012 classic Mac Pro (MacPro5,1) also receives an update to work with APFS, but I don't see that listed here.

But... Can you go back? If you want to revert to Sierra or Mavericks, etc. later, will that new firmware allow it? Or is it Borked to High Sierra?
[doublepost=1506725504][/doublepost]

if software developers got their stuff together and made software compatible/update i'd be more then happy to update but until then... i'm stuck on 10.12.3..

PSSSST i'm talking to you Sony... get your crap together!

Avid says what? Every GD time. Really, nobody at these companies can get a Beta and start working on their next release? https://www.sweetwater.com/sweetcare/articles/high-sierra-macos-10-13-compatibility-information/

 

[BeforeTheMeds]

Q: Does the Windows 10 Pro edition have this issue, or just the Home edition?

The wife and stepson both have windows 10 home that they have had since it came out, the wife knows nothing about maintaining a system and I do it for her. I pretty much have to do nothing. I have a mac that I have had several years and now I have a windows laptop with pro. I was running windows windows pro on the mac bootcamp for several years before that. I rate windows 10 on par with mac, even faster. The reason I went with the windows laptop was I can no longer see the 1500.00 more it would have cost me for a "comparable" MacBook pro with less ssd and memory.

People should go with what they like and I DO like osx, not going to knock it and will be keeping the mac, but windows 10 is a whole new ballpark compared to the old windows. I had a ton of problems with my mac until I dumped the spinner for the ssd. The mac WILL be going to a kids homework computer and media station.

This is from a guy that has all apple stuff. Phone, ipad, atv, mac. I DO have an open mind and do not worship brands though.