back to article Apple Mac fans told: Something smells EFI in your firmware

Pre-boot software on Macs is often outdated, leaving Apple fans at a greater risk of malware attack as a result, according to new research. An analysis of 73,000 Apple Macs by Duo Security found that users are unknowingly exposed to sophisticated malware-based attacks because of outdated firmware. On average, 4.2 per cent of …

  1. Dan 55 Silver badge

    EFI updates are delivered alongside OS updates... The problem I've noticed is if you skip a point update, it may not get installed when you later install a combo update.

    I've had to manually download the point update with the EFI update in question, extract the EFI update, and manually run it.

    1. Anonymous Coward
      Anonymous Coward

      EFI updates are delivered alongside OS updates...

      That's what I thought. So if you install the updates in order, your EFI firmware should be fine.

      1. Richard 12 Silver badge

        And it's nearly impossible to do this

        If I leave my Mac turned off or not connected to the internet for a week or two, I'll miss a point update.

        If I delay an update for a couple of weeks because I'm in the middle of something, I'll miss a point update.

        If I go on holiday...

        None of these things should matter because I should get all the updates next time. That's the whole point of automatic updates!

      2. Dan 55 Silver badge

        Combo updates are there precisely if you skip one or more point updates but it looks like they don't carry the EFI updates.

        I just checked my 2012 MBP. An EFI update which came out two years ago is missing, yet I'm running Sierra.

        1. Dan 55 Silver badge
          FAIL

          Obviously downvoted because Apple's patching doesn't work.

          Guess what. I downloaded the manual EFI patch and it needs 10.9.5. Just that version, nothing else.

          Apple dropped the ball with EFI updates.

  2. Naselus

    Mostly, I'm just amazed there's 70,000 Macs in use in Enterprise environments.

    1. chivo243 Silver badge

      I really wondered how they got access to that many Mac computers "legally"... I didn't see anything about "Enterprise" in the article.

      1. Lee D

        A cloud-managed network (e.g. Cisco Meraki) would be able to provide anonymised version information on all kinds of things without having to actually interfere with a customer's network.

    2. Lysenko

      "Creatives". People who think Adobe Illustrator is an IDE and HTML is a programming language. This isn't new: a couple of decades they would have been doing the same thing in Quark Xpress.

      1. fidodogbreath Silver badge

        "Creatives". People who think Adobe Illustrator is an IDE and HTML is a programming language.

        What does that have to do with firmware updates?

        1. Lysenko

          re: What does that have to do with firmware updates?

          The OP was wondering what all those Macs were doing at "Enterprise" sites.

      2. anonymous boring coward Silver badge

        It's "Creatives" with enough money to spend to get nice machines with nice screens, and a nice Unix based OS which isn't Slurp. Good for them.

      3. macjules

        "would have been doing the same thing in Quark Xpress"

        They WERE doing the same thing in Quark. A few years ago Quark added an HTML exporter so that your nice 200Mb EPS files could be exported as a 200Mb PNG file instead.

        Bandwidth? Mobile? Pfft.

    3. ThomH

      A Mac is: the UNIX laptop that's durable, supported for a prolonged period, readily available in bulk everywhere in the world, and safe to base a fleet on because it or the next model will still be available next year. As a result they're ubiquitous across Silicon Valley.

      1. Anonymous Coward
        Anonymous Coward

        "As a result they're ubiquitous across Silicon Valley."

        No, they're common there because apple is still seen as cool and trendy, nothing to do with it being Unix. The sort of people who want a proper unix laptop, ie not locked down (yet), doesn't use non portable niche Objective-C for system programming, differentiates by default between upper and lowercase in the file system, has X windows as default graphics system (yes that is a plus point for many people) and a usable GUI: not the archaic Finder bar with menu options scattered at random between Finder and the application windows, will just install Linux or *BSD.

        1. ThomH

          @boltar

          Trust me, the people who are actually paid to keep 10,000 employees in laptops have little emotional attachment to each machine. They just like to be able to stockpile them, swap them at a moment's notice, or even authorise a travelling employee to replace their own with a quick trip to the High Street.

          They're probably also aware that Objective-C has never been a systems language and isn't even the thing people use for UI development now. It is frustrating that Apple has its own language for UI development perhaps, but given that the alternatives are C# (Windows), Java/Kotlin (Android), C++ with a custom preprocessor (Qt), C (GTK), there's no trend being bucked.

          Apple's system languages of choice are C and C++. You can observe this from the open source kernel, or anything else Apple has ever open sourced. Such as their kernel. Or the Clang compiler.

          I have never before heard somebody simultaneously try to argue that randomised menu scattering is a bad thing and that X Windows is a good thing.

          1. Anonymous Coward
            Anonymous Coward

            Re: @boltar

            "Apple's system languages of choice are C and C++"

            Really? Well good luck doing any video or sound processing on OS/X without using any Objective-C. Yes, you have the core Posix API which is C, but everything else Apple specific system related is Obj-C.

            "I have never before heard somebody simultaneously try to argue that randomised menu scattering is a bad thing and that X Windows is a good thing."

            I find it amusing that in 2017 there are still people who don't understand the difference between the X server and the window manager that runs on top. Clue: The former provides the low level graphics API and networking, the latter provides the GUI. Menu scattering has the square root of bugger all to do with the X server.

            1. ThomH

              Re: @boltar

              Apple has all-but deprecated Objective-C. Objective-C's only substantial surviving use in new development is that via Objective-C++ it bridges to C++ slightly more easily than does Swift, though an alternative route through C may be more desirable — one can now annotate appropriately to produce an object interface in Swift as desired; it has always been able to make plain C calls because, as mention that you are aware, Apple's Core frameworks are generally plain C.

              As a daily X user it is hard not fully to be aware of the distinction, I just pointing out the juxtaposition of a claim that inconsistency is problematic and a claim that X is essential. My work machine is Ubuntu MATE but I spend a lot of time NX'd across to a RedHat machine running a distinct version of GNOME. Then Eclipse on the NX'd machine for most of the actual work. So in net I deal with a completely incoherent UI. The Mac I used in my previous job at one of the 50,000+ head Silicon Valley companies was infinitely more consistent. But you'd be an idiot to use a Mac as a back-end server, and I've experimentally switched which side I develop for, so here I am.

              I've actually been a Mac user for over a decade. I think inconsistency probably peaked somewhere around 10.4 or 10.5, when you'd frequently see at least three types of window chrome just on Apple's own apps (brushed metal being the oddest detour, but unified versus non-unified toolbars ran for a while, and drawer interfaces took a while to die off). I really don't see that an open minded user would have any cause for confusion.

              1. Anonymous Coward
                Anonymous Coward

                Re: @boltar

                "it has always been able to make plain C calls because, as mention that you are aware, Apple's Core frameworks are generally plain C."

                Well Carbon is deprecated and any low level C API calls are either poorly or not documented at all.

                "I just pointing out the juxtaposition of a claim that inconsistency is problematic and a claim that X is essential"

                They're completely seperate issues and given that with X you have a choice of half a dozen main desktops and dozens of minor ones I can't see what the issue is. Don't like Gnome? Use KDE. Don't like KDE either? Use twm. Whats the problem?

                As for X networking, I'll admit its of little consequence to most users, but it is extremely useful for power users like myself to just remote excute an application that appears on my local desktop. Of course the Wayland devs are trying to convince everyone that graphics networking is irrelevant because its too hard for them to implement. They're not fooling anyone.

            2. anonymous boring coward Silver badge

              Re: @boltar

              "I find it amusing that in 2017 there are still people who don't understand the difference between the X server and the window manager that runs on top."

              Let's be honest here. I love Linux too, but there is not much to admire about the desktop environment in Linux -regardless of distro or window manager. It's a bit of a mess. You really do need to try to force apps to comply with some common GUI rules. Luckily, most people only ever use a couple of programs -mainly a web browser and email, so it's less of a problem now than it used to be.

              P.S: I suspect the poster you replied to was thinking about the overall GUI experience, rather than the actual X server. BTW, no window manager in the world can make Linux programs consistent with each other. Back in my days it just managed windows, and put some decorations and window management buttons around them. Not sure if they try to do a bit more today..

        2. Orv Silver badge

          I used to use a Linux laptop for my sysadmin work. The problem is laptop hardware and Linux really don't get along, and at some point I got tired of fighting the machine I was supposed to be using to fix other broken machines. I switched to MacBooks and haven't looked back. It has a terminal emulator, it can run SSH-forwarded X-windows apps...it does what I need it to do, and it doesn't break all the time.

          Trust me, after years limping along running Linux, just having a machine that would reliably resume after being suspended felt like a huge luxury.

          1. Lysenko

            The problem is laptop hardware and Linux really don't get along

            My local DIY store doesn't stock brushes that wide. I have two Dell and one HP laptop, all with Mint and they all resume perfectly reliably (one of the Dells resumed last week after idling for over a month) and only one of them ever required any manual jiggery pokery (PulseAudio - quelle surprise) and that was just to tweak the configuration file.

            Mostly I use Win10 because mostly I'm doing something or other in Visual Studio, but if I'm working the embedded part of the stack (gcc cross compilers, Yocto) or the servers (CentOS, Ubuntu) then I'm in Linux all the time. The only thing I've seen a Mac do that won't work elsewhere is a storyboard tool (Scribble or Sketch or something like that) and that's not something I'm interested in.

            1. Orv Silver badge

              I have two Dell and one HP laptop, all with Mint and they all resume perfectly reliably (one of the Dells resumed last week after idling for over a month) and only one of them ever required any manual jiggery pokery (PulseAudio - quelle surprise) and that was just to tweak the configuration file.

              I'm glad you've been so lucky. My experience has been that every install had nagging issues, and what worked from the start frequently broke after upgrades. And it's not that I'm inexperienced; I first started trying to run Linux on laptops in about 1997. (Back then you had to hand-code modelines to try to get X11R6 to drive LCD panels properly.)

              I've had a lot of problems with things like WiFi failing after suspend/resume, and requiring a reboot to fix, that kind of thing. (Sound only rarely worked for me, but I didn't care about that for work purposes.) The kind of stuff you can work around in a casual context, but that quickly becomes annoying when you're trying to get work done. From what I gather, Linux's suspend/resume architecture relies on every single hardware driver properly resetting on resume, and if one of the ones your machine needs is sloppily coded, you're out of luck.

              I will grant that if you manage to get everything working, then don't ever install a kernel update, it will be fairly trouble-free. But I prefer to have my machines fully patched.

              1. Anonymous Coward
                Anonymous Coward

                @Orv

                "I've had a lot of problems with things like WiFi failing after suspend/resume, and requiring a reboot to fix,"

                With linux you can unload then reload kernel modules on the fly. That generally fixes almost all driver issues that in other OSs would require a reboot.

                1. Orv Silver badge

                  Re: @Orv

                  With linux you can unload then reload kernel modules on the fly. That generally fixes almost all driver issues that in other OSs would require a reboot.

                  Not all drivers are written to allow them to be unloaded, and not all of them can re-initialize hardware properly without a reboot. Also, having to run commands in a terminal every time I resume a machine from sleep is the kind of amateur hobbyist OS annoyance that I'm trying to get away from, so I can focus on my actual job.

                  Mind you, spending a few days trying to get video configured right on my laptop was great fun 20 years ago when it was my hobby. Now that I maintain Linux servers for a living, the last thing I want to do is play with it at home. Too much of a busman's holiday.

          2. kryptylomese

            Linux runs on more diverse hardware than any other operating system. You have had issues with a particular model of laptop so instead of finding a well supported model (most are nowadays BTW) you switch operating systems to something that you have a game trying to compile code on for the system that will actually run it.

            Most of the devs (and Sys Ops/Dev Ops guys) I know use Linux on their laptops with only the junior kids who care more about fashion that use a Mac.

            Linux is a superb professional desktop environment. Solid, reliable, performant, secure and updates are seamless (you don't even need to reboot your machine to install them). If it is good enough for all of google....

        3. Anonymous Coward
          Anonymous Coward

          @boltar, you've never actually used a Mac in an Open Source context, have you?

          A Mac is the perfect combination between a desktop that is supported by many good software providers but is not Microsoft Windows and Open Source. Macs talk Open Standards by default and support most Internet programming languages out of the box (perl, php et al). To develop on a Mac will cost you some money if you want to sell to others, but it's quite a small amount because you do not have to cough up for any software to develop for the whole Apple eco system - that is free.

          My developers choose for something that allows them to get work done in an Enterprise setting, which means they need stuff that is stable and can even be replaced in full on a moment's notice. Until such time as Microsoft stops gaming the hardware world (you didn't think the PC switch from BIOS to UEFI was problematic for Linux by accident, do you?), Macs are the perfect tool to actually get any work done in a pleasant and always functional environment.

          You're welcome to your "yet another PC laptop I had to hack to get Linux stable and God help me if they have not released Linux drivers" world, our guys just want to buy a machine, load up an editor and get to work. If it breaks, it takes very little time to replace the machine (anywhere in the world) and spool back their backup because they do not have any OS and firmware battles to fight along with it.

          If you see Mac use as elitist, trendy and too cool for you, you're really telling me you're not able to assess facts objectively, waste time and have an attitude problem. Or, translated, hard to employ in a commercial setting.

          1. Anonymous Coward
            Anonymous Coward

            "You're welcome to your "yet another PC laptop I had to hack to get Linux stable and God help me if they have not released Linux drivers" world"

            I installed slackware 14.2 on my laptop. Everything worked first time, the only thing I needed to do was download some printer drivers. YMMV.

          2. serendipity

            @anonymous coward : "Until such time as Microsoft stops gaming the hardware world (you didn't think the PC switch from BIOS to UEFI was problematic for Linux by accident, do you?)"

            A bit ironic that you're posting on a thread about Mac EFI firmware, and b*tching about UEFI!!

            1. Anonymous Coward
              Anonymous Coward

              A bit ironic that you're posting on a thread about Mac EFI firmware, and b*tching about UEFI!!

              Not really. I am one of the select few on this forum that have been using Microsoft products since PCs clones came with a turbo button, so I am very familiar with all of Microsofts machinations throughout the decennia (yes, that long). As it so happens, I am also a big fan of Open Source for simple, sound operational, financial and interoperability reasons, so I think I speak with a fair bit of experience in the matter when I say that the whole UEFI game was rather transparent for those who have seen it all before.

              As for Macs, I just don't buy the holier than thou attitude that some people have against Macs if it is not based on solid arguments. We deal with a LOT of people who cut code for a living, and some use Macs and some use PC. For us, Macs work, and we can use the same environment for everyone. It makes sense from so many perspectives that it would be silly not to do it.

              1. serendipity

                @Anonymous Coward

                If you're one a "select few" then I must be one of a "very select few" who goes back way beyond turbo buttons to when clones were referred to as IBM PC clones! And that's the key here, the old PC BIOS had a design that dated all the way back to the original IBM PC - okay it had been tinkered with over the years but it was basically still a 1980's design. SO I don't get why you're b*tching about UEFI yet don't complain about EFI on Macs. Something had to be done to update the PC BIOS design and an enhanced version of EFI has been a good solution, and in spite of all the moaning and conspiracy theories when it was introduced it is supported by lots of open source OSes.

                As regards the "Macs work" argument, it some how implies that PC's don't and it's hard to set up development environments under Windows or Linux. All I can say is if you find it that hard, perhaps you should consider another calling ;)

                1. Anonymous Coward
                  Anonymous Coward

                  Something had to be done to update the PC BIOS design and an enhanced version of EFI has been a good solution, and in spite of all the moaning and conspiracy theories when it was introduced it is supported by lots of open source OSes.

                  I am well aware of just how much work that took. That support took a LOT of reverse engineering.

                  As regards the "Macs work" argument, it some how implies that PC's don't and it's hard to set up development environments under Windows or Linux. All I can say is if you find it that hard, perhaps you should consider another calling ;)

                  Nice one :). I said "Macs work for us", so the implication lies elsewhere. I find macOS as a desktop a lot easier from a corporate perspective because I have one desktop for all, yet it is perfectly capable of supporting a Linux dev. with many corporate benefits of doing so.

                  Could we do the job with Linux based PCs? No doubt, but then I have two separate machine pools, with only one I have some guaranteed server model for because there's no telling what chipset the next laptop is going to have (i.e. which battles I have to fight now), unless I buy a stack of them + spares. With a Macbook I know exactly what I'll get, and it takes very little effort to load it up with the software list.

                  It's not hard, but it's simply more work. This ventures into the same discussion about macOS vs Windows when it comes to security: both can be secured, but the amount of effort it takes to make it secure and keep it that way differs substantially. I rather have a dev coding than tweaking desktop settings or trying to get some laptop feature to work.

          3. serendipity

            @anonymous coward - "If you see Mac use as elitist, trendy and too cool for you, you're really telling me you're not able to assess facts objectively, waste time and have an attitude problem. Or, translated, hard to employ in a commercial setting."

            Or maybe boltar is a bit more commercially astute than you obviously are and sees the danger of being locked into one (high handed, expensive) supplier for both software and hardware. Does it not worry you that if Apple suddenly shifts direction and drops your preferred macbook size/type you literally have nowhere else to go! Apple: closed software + closed hardware = lock-in!

            1. Anonymous Coward
              Anonymous Coward

              Or maybe boltar is a bit more commercially astute than you obviously are and sees the danger of being locked into one (high handed, expensive) supplier for both software and hardware

              Why do you think we like Open Source? We don't even use Microsoft Office (I think we have one copy for compatibility reasons). If Apple wants to change direction, fine, we can still go for PCs. I don't think so, though, because the upwards trend in Mac spending is exactly because other companies are starting to figure out what we saw some 5 years ago.

              This is why we stick with COMMERCIAL reasons for a platform choice. It's based on facts. We don't care about the clubby thing other than that it's occasionally entertaining.

              As for "closed" source, we found macOS integrates well with a *nix based backbone, even from an office perspective (imap/smtp/caldav/carddav/webdav). Only for SCP we had to get some software to stick a GUI on it (the command line has it built in).

            2. Orv Silver badge

              Or maybe boltar is a bit more commercially astute than you obviously are and sees the danger of being locked into one (high handed, expensive) supplier for both software and hardware.

              It's actually not that bad. Very little of our software is actually Mac-specific. A lot of it just runs better on Macs. (UNIX-y stuff like TeX and SAGE, for example, is a lot closer to the environment it expects to run on on a Mac than it is on a Windows machine. No, Cygwin is not even remotely the same thing.) The machines speak standard protocols like LDAP and SMB. If Apple vanished tomorrow we wouldn't be any worse off than we'd be if we'd gone with Windows to start with.

      2. Anonymous Coward
        Anonymous Coward

        readily available in bulk everywhere in the world

        Don't forget "with support everywhere in the world" - it's one of the major benefits of a Mac that there are many places where you can get help and have something fixed or even replaced. It means you have to hold very little stock in your company.

        That used to be the reason we used Thinkpads, but since we switched to Macbooks and macos our per user TCO has dropped quite a bit (not just on the hardware, resource overhead costs are way down as well). If only our management wasn't addicted to Microsoft Office, but some things are just too hard to change - at least we got them to switch with a combination of cost calculations and shiny :)

        1. Orv Silver badge

          Don't forget "with support everywhere in the world"

          That's such a luxury, TBH. Someone's on a trip and they break the screen on their laptop, just send them to the nearest Apple Store. They're basically the only machines you can still get repaired in person.

      3. find users who cut cat tail

        > A Mac is: ... durable

        Not according to my experience. These things break as often as anything else.

        1. Anonymous Coward
          Anonymous Coward

          Not according to my experience. These things break as often as anything else.

          It depends how you treat them. We log who breaks machines often and move them onto our inheritance list: they don't get new machines, they get the cast-offs of those who treat machines properly and so get cycled onto new machines according to our write-off model.

          We would love to mark those machines as cast-offs, but that gets in the way of APple's return policy (yet another reason we use Macbook: no environmental policies to worry about - the money back is more of a bonus).

          Those who dislike Apple's laptops are either unable to afford the startup costs (so it's sour grapes), or don't know how to count. The total TCO figures don't lie, especially if you're able to ditch Microsoft completely in the process.

    4. razorfishsl

      IBM did a MASSIVE install of over 100k macs.

      That is being managed by some system i forget the name of (they have a video).

      but that system tracks all aspects of the macs

      1. Anonymous Coward
        Anonymous Coward

        That is being managed by some system i forget the name of (they have a video).

        The management software to go for is Snow software, a Swedish product. Some UK police forces use it to also manage their iPhones because it's very fast and secure and integrates that management with PCs and Windows architecture (its core unfortunately runs on Windows Server, which is why we had to brew our own instead - we have an explicit ban on Windows for any server based activity).

    5. Orv Silver badge

      They're extremely popular in higher education, and any good-sized college is enterprise scale.

      1. Nattrash

        @Orv

        Your view is a bit challenged geographically I'm afraid. Yes, for the US I agree with you. But for universities in the EU it is PCs most of the time due to budgetary reasons. And this is not just your admin or student-writing-thesis box, but also boxes connected to really savvy kit...

  3. SuccessCase

    You can’t look at version numbers alone and conclude anything. I deal with driver and Firmware updates all the time in my development work. And we frequently run older versions because they are better for what we need. The patched security holes may relate to hardware options that are not used, or may be a hole already determined to lead nowhere exploitable on the Mac sytem. This can only be determined by detailed analysis. You can be sure someone in Apple is doing precisely that. I know from bitter experience, automatically jumping on the latest firmware is not the best way to ensure quality or security and rational analysis of the facts on the ground usually leads to a far more conservative decision than many would appreciate. The idea this external Security Firm can tell how secure a system is from looking at percentages of machines with firmware version x is frankly pretty unprofessional. These outfits always seem to be turning out this kind of a report in the hope of gaining publicity.

  4. Anonymous Coward
    Anonymous Coward

    EFI - Envisioned For Intrusion

    Ah for a BIOS that had a jumper to prevent flashing.

    1. Anonymous Coward
      Anonymous Coward

      Well, not a jumper, but I challenge you to get any data off my Macbook or reflash its EFI without my permission or knowledge.

      It's had all EFI updates applied as soon as they appeared (well, after a week's waiting time to see if any bugs showed up), it has Filevault active and (very important) it has a boot password set. Short of desoldering parts, the machine is useless and unsellable without it (another benefit of the new Macbooks - they now only have spare parts value for any thief because it's simply impossible to change ownership without the owner's active collaboration).

      We now mandate Macbooks for anything to do with security and data protection because they're so easy to protect. Even the people who travel and use an external USB backup disk are safe as we encrypt that disk - that's invisible to the user unless they try to plug it in somewhere else.

  5. Anonymous South African Coward Silver badge

    Hackers and other ne'er-do-wells surely is spoilt rotten nowadays - they got a lot of targets to pick and choose from.

    1. Anonymous Coward
      Anonymous Coward

      That's the cunning plan. Give them so many targets they get confused and give up.

      Why else is IoT security so bad?

  6. Anonymous Coward
    Anonymous Coward

    Mac Pro

    "Mac sysadmins too often ignore the importance of EFI firmware updates"

    What firmware updates?? I run a Mac Pro workstation, and I have not seen an EFI update since I think the year I bought it!

    I am under the impression the Apple doesn't bother issuing firmware updates for hardware than a couple of years - you are apparently supposed to be rich or stupid enough to throw away your perfectly good hardware and buy the latest model every other year.

    1. BebopWeBop

      Re: Mac Pro

      Mine (on a 4-year-old machine) have come along with another upgrade - although some other commentard pointed out that this is not necessarily the case if you delay/ignore upgrades which would seem to be a significant problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: Mac Pro

        Any idea then why does the EFI on the older Mac Pros never get updated to recognise any of the newer Nvidia graphics cards? My early-2008 Mac Pro boots with a black screen due to this. The drivers are definitely being added to OSX pretty regularly, just not to EFI.

    2. James O'Shea Silver badge

      Re: Mac Pro

      "I am under the impression the Apple doesn't bother issuing firmware updates for hardware than a couple of years"

      You would be mistaken. The five-year-old Mac this is being typed on got a firmware update last month.

  7. Slap

    Perhaps I can offer an explaination

    Perhaps I can offer an explaination as to why this is so, especially in SMBs and corporates.

    And that explaination is Deploy Studio. Deploy Studio offers a very fast, easy, and efficient way to image and distribute a standard installation over an internal network

    However Deploy Studio is basically a cloner. It’s a bit more advanced than that in that it’s able to fully update the system while doing the clone, but it does not update the EFI.

    In order to update the EFI you need to run the actual system installer, which can take upwards of thirty minutes, or longer. A Deploy Studio clone takes around 5 minutes to complete, if not less. So for a Mac admin it’s a no brainer to use Deploy Studio. OK, at least it was when firmware updates were still offered over the Mac App Store.

    These days EFI updates are only provided at the point of installing, or upgrading, a system using the official Apple installer (App or pre prepared media), which given the install times means that a lot of Mac admins are going to bypass that in favour of cloning a system.

    Even I’m guilty of this when put in time pressure situations, like when we have just a Sunday to roll out an update to 300 seats.

  8. sldonaldson

    Apple - trying to make it too easy

    First off 'what version of EFI / SMC (might as well check both) firmware am I running?

    Click the Apple icon (top left), About This Mac, System Report, Hardware (very top in left hand menu) look for Boot Rom Version, SMC Version. Not that hard....

    And where, where are the current versions now that this article has 'raised awareness' ?

    Apple has this deprecated article: https://support.apple.com/en-ph/HT201518

    BUT apparently is bundling the updates automagically. So now we don't truly know. Very Strange apple.

    Can one remotely (over a network ...say with ...nmap/nessus etc) determine the firmware version?

    Notice the depth of information...systems over 8 yrs old are still supported. And largely function!

  9. WolfFan Silver badge

    Hmmm

    Old page on Apple's site:

    https://support.apple.com/en-us/HT201518

    this seems to list an awful lot of EFI updates. It's no longer updated, though. However, there is this:

    https://www.macobserver.com/news/macos-high-sierra-performs-efi-security-check/

    It seems that if you install High Sierra, you will get a system which checks your EFI and updates it if necessary. Furthermore, HS will, apparently, check your EFI on a weekly basis. Those who can't or won't update to HS may want to have a look at the Apple support page referenced earlier.

  10. Kevin McMurtrie Silver badge

    Desktop IT

    Desktop IT departments like to install lots of junk on desktops in the name of security - virus scanners, remote control, remote wipe, IP and licensing scanners (disguised as backup software), helpdesk tools, obfuscated authentication tokens, etc. These fragile hacks break with OS upgrades so the IT department blocks them.

    Yes, I'm talking about MacOS. The Windows experience is now multi-platform.

  11. kirk_augustin@yahoo.com

    First of all, it has been UEFI since 2005. EFI is the old 2002 name for Unified Extensible Firmware Interface.

    Second is the whole point of security is that an automatic update of UEFI is not supposed to be allowed. If the boot firmware can be automatically updated from the outside, then ANYONE can do it.

    It should never be allowed.

    I have seen hackers reflash the boot code, and there really is no way to ever recover from that. All the hacker has to do is rewrite the boot code to prevent reflashing. Then the only way to recover is to physically replace the eprom.

  12. ntsmkfob

    Interesting that Apple have made firmware version checking a critical part of the upgrade to High Sierra.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like