Critical EFI Code in Millions of Macs Isn't Getting Apple's Updates

Andy Greenberg, writing for Wired:At today's Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple's so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC's operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple's neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails. For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

Re:Only LUDDITES use EFI.

[aicrules]

That was a pretty weak attempt at emulating the Luddites App spam post...

When will be free of the Overlords?

Just give us control over our own damn equipment! Let us form our own communities that will service these machines as necessary.

Why is everything shrouded in a goddamn fucking mystery? WHY?!

Re:When will be free of the Overlords?

So Apple can continue to use the words "Magical" and "Revolutionary" at their press conferences.

Re:When will be free of the Overlords?

[DontBeAMoran]

No, that was the Steve Jobs' era.

Under Tim Cook, it's "courage" and "wait until you see what we have in the future".

Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

Re:When will be free of the Overlords?

I'd love a 2017 mac min update... we can all hope.

Re:When will be free of the Overlords?

[mattgoldey]

Same. I want a mini but don't want to buy 4 year old hardware.

Re:When will be free of the Overlords?

[erapert]

Because fools continue to buy and support proprietary hardware and software.

Re:When will be free of the Overlords?

[Ungrounded+Lightning]

Why is everything shrouded in a goddamn fucking mystery? WHY?!

To make it harder for ordinary citizens to identify, work around, or replace the spyware/controlware built into the core of their machines.

At least Intel and AMD admit it's there.

(Of course that's because they sell some access to it as a feature, to corporate IT departments, who use it for remote administration and monitoring of their companies' computing infrastructure and individual users.)

Re:When will be free of the Overlords?

[TheFakeTimCook]

I'd love a 2017 mac min update... we can all hope.

Almost assuredly in 2018, along with the Modular Mac Pro.

Re:When will be free of the Overlords?

[dgatwood]

Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

No, the last actual Mac Mini was Macmini6,2 (2012). The 2-core 2014 "Mini" was Apple Hardware Engineering's idea of a great practical joke.

(Thanks, Intel, for using a different pinout for your four-core Haswell chips, making it financially infeasible for Apple to build both a low-end Mini and a decent Mini with the same logic board design. I blame you for my servers being half a decade old and counting.)

Re: When will be free of the Overlords?

You're in charge at Apple?

Re: When will be free of the Overlords?

Blame Intel!

(and before them, Motorola)

Re:When will be free of the Overlords?

[infolation]

Then let it be known that the macbook1,1 and 2,1 can run libreboot instead of EFI.

Re: When will be free of the Overlords?

Ahahahahahahahahahqh

Literally nobody else has trouble designing for two sockets, and they're not charging the premiums.

If you think that tiny engineering feat stopped them from making it cheap or at all...

Let me continue laughing

Re: When will be free of the Overlords?

You're in charge at Apple?

The parents estimates are based on history. Once hardware gets way too fucking old and chastised enough by the public, it gets a refresh.

Re: When will be free of the Overlords?

[dgatwood]

The Mac Mini had relatively low sales volume, mostly concentrated at the low end. Sure, they could have designed two different versions of the motherboard, but the additional sales would likely not have covered the extra R&D expense, much less the impact of pulling engineers off of other products (with orders of magnitude higher sales volume) to work on it.

Additionally, I suspect they hoped that the low-end versions of the trashcan Mac Pro would reduce the call for high-end Mini hardware. That has not happened, for a number of reasons (size, cost, and lack of storage being the big ones), but I think that was the working theory at the time.

Re: When will be free of the Overlords?

Yet you blame Intel because the wildly profitable Apple didn't find it profitable to make the machine you want.

Stop and think about it. If its ANYONES fault, its Apple's fault.

Re:When will be free of the Overlords?

[AHuxley]

AC if people have control then the security services have to work harder.
"New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs" (3/24/2017)
https://arstechnica.com/inform...
DarkSeaSkies, DarkMatter (EFI injection), SeaPea (kernel access), NightSkies (key logging).
Think of all the computers that got the security services package that might still exist.
Going back and having users globally create reports and publish their strange and unexpected results.
Best just to have later hardware looked at that is all clean and no unexpected reports will surface.

Re: When will be free of the Overlords?

[dgatwood]

Yet you blame Intel because the wildly profitable Apple didn't find it profitable to make the machine you want.

I blame Intel because they used the same pinout for 4-core laptop CPUs as for 2-core in every generation of laptop chip prior to Haswell, and I think in every generation after it as well (except possibly the Broadwell die shrink). Somebody at Intel apparently said, "Oh, it doesn't really matter because laptop boards are all one-offs anyway and nobody upgrades laptop CPUs", and then found out the hard way why they were wrong.

I blame Intel because they could very easily have made their chips pin-compatible for almost no difference in R&D or manufacturing cost, and distributed that tiny cost across hundreds of millions of units, whereas the cost of building and certifying a new motherboard design is huge, and cannot be easily distributed across the much smaller profit from a single model of computer.

Look, I'm the first person to give Apple a hard time when they screw up (just look at some of my rants over the years, and you'll see what I mean). And I do agree that they screwed up by not biting the bullet and building a four-core model anyway. That said, it would have been trivial for Intel to do it right, and it would have been several orders of magnitude more expensive per unit for Apple to work around their design screw-up. So I don't blame them for telling Intel, "Screw it. We'll pick up your four-core chips again in Kaby." I'm just hoping they get around to picking back up the four-core chips in Kaby Lake (or, ideally, they could make it a point for the next Mini to *not* be an entire generation behind for once, and wait to ship a four-core Mini with Coffee Lake, but I'm not holding my breath).

Re:When will be free of the Overlords?

[MoarSauce123]

That is when the illusion of Apple being a superior company makes "poof", Apple is no longer innovative, they are no longer a computer company, they do well with consumer electronics. Apple does claim they make inroads into enterprises, but that is mainly forced because any company that wants to create an iOS app has to have at least one Mac to compile the code on. With such brute force tactics it is easy to bully into a lot of businesses. As far as product quality goes, Apple is as good or bad as any self-built PC with off the shelf parts. As far as production execution goes, Apple is utterly dismal having constant delays in delivery for every single product they put out. What is worse, they have all these issues with a very closely guarded and very limited ecosystem. It is not like Windows or Linux that are expected to run on any hardware configuration. Apple made it easy for themselves and that leaves no excuse for such screw ups. Apple is just one of the many electronics giants in the world. They are no longer special!

Re:When will be free of the Overlords?

[MoarSauce123]

Especially when it comes at a price that is four times as much as the sum of the off the shelf parts.

Re: When will be free of the Overlords?

[WorBlux]

Both form factors suck. Admit that thunderbolt isn't quite right for the professional, and introduce an ATX and micro-ATX form factor alongside the mini, with Xeon E5, E3, and pentium respectively.

Not a big deal.

Even older version of EFI should run newer OS systems just fine. And really, any vuln in the EFI is going to be of the sort that requires physical hands on device to exploit. If that's the situation you're in, you have much larger problems my friend. Apple probably understands this and hasn't bothered to throw a lot of resources at what really is a non-issue.

Re:Not a big deal.

[SQLGuru]

You'd be surprised at how many computers you can get physical access to without much effort........some of which control or can get access to more things than you realize.

Apple's solution

[DontBeAMoran]

Apple's solution is probably "buy a new Mac". Tim Cook said himself that Apple products are not for the rich so buying another $1000+ computer every year or two shouldn't be a problem for anyone. Next up: Tim Cook doesn't understand the meaning of "rich" compared to the rest of the population.

Re:Apple's solution

[Mordaximus]

Apple's solution is probably "buy a new Mac". Tim Cook said himself that Apple products are not for the rich so buying another $1000+ computer every year or two shouldn't be a problem for anyone.

Next up: Tim Cook doesn't understand the meaning of "rich" compared to the rest of the population.

Except that the people who upgrade their Macs every year or two are few and far between. Apple knows this well. That said, TFA even mentions the EFI update failed on certain percentages of NEWER systems, like the 2-16 MacBook. To wit: " And three versions of the 2016 Macbook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases, suggesting they too had serious EFI update failure rates."

This doesn't sound nefarious to me, it sounds more like there's a hiccup in the update process, which thankfully doesn't render the system a brick when it fails. Naturally something that needs to be addressed though.

For what it's worth, I'm happily working away on a 2011 iMac, which in the past 6 years has only had one problem, a failed hard drive. This was a recent, and certainly not unexpected failure. Anecdotal for sure, but this is the case for most people I know who own a Mac as well. It's also the reason they (and I) will purchase a new one when the time is right. I know it's trendy to blindly bash on Apple though.

Re:Apple's solution

[DontBeAMoran]

For what it's worth, my posts are made from a 2010 Mac mini, which in the past seven years had its RAM upgraded twice (from 2GB to 8GB, then to 16GB) and hard drives upgraded twice too (from 320GB to 750GB, then dropped the optical drive to add an SSD).

Re:Apple's solution

For what its worth I'm reading your posts on an iMac - Retina 5K, 27-inch, Late 2014, 4GHz Core i7 and 1TB SSD.

Been in IT desktop support circles for 20 years in several different industries, its the most wonderful machine I've had the pleasure of using. For laptops, the 2017 MB Pro 13" is now at a size/weight/performance and refinement that just makes you go wow!

Re:Apple's solution

[TheFakeTimCook]

For what it's worth, I'm happily working away on a 2011 iMac, which in the past 6 years has only had one problem, a failed hard drive. This was a recent, and certainly not unexpected failure. Anecdotal for sure, but this is the case for most people I know who own a Mac as well. It's also the reason they (and I) will purchase a new one when the time is right. I know it's trendy to blindly bash on Apple though.

I second this!

My newest Apple Computer is a 2012 nrMacBook Pro with a spinning-rust HD (that hasn't failed yet). It looks and works exactly the same as when I bought it in May, 2013.

Out of all of my Apple-owning friends, I don't know any that are on the "Upgrade Treadmill" that Slashtards like to constantly allude to. One did just buy a 2017 MBP, but her previous MBP was a 2009 model, and the other recent Upgrader bought himself a 2016 MBP as a retirement gift. That replaced his 2007 MBP.

I even have a friend that still rocks a frickin' PPC G4 TiBook, and I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

Re:Apple's solution

2010 Mac Pro, and IMO the last decent Mac was made in 2012.

Re:Apple's solution

"I run a 2005 G5 Tower"

Due to their horrible power efficiency it would probably be more cost effective to replace that beast. Those things were thirsty for electrons.

Re: Apple's solution

How is there a hiccup in the update process?

There's literally two or three models every 3 years. Nobody else seems to be having that trouble updating just 10 devices...

Re:Apple's solution

for what its worth no one gives a flying fuck

Re:Apple's solution

For what it's worth the max memory upgrade to a 2010 Mac Mini is 8GB, and replacing the hard drive is non-trivial - doable, but not for the working man. Maybe you have a different model?

Re:Apple's solution

[DontBeAMoran]

Nope, mid-2010 Mac mini. Officially the maximum is 8GB because when it was released the biggest SODIMMs available were 4GB. After an EFI update, the maximum went up to 16GB.

Re:Apple's solution

[Gr8Apes]

2012 mini and pro for sure. MacBook Pros are 2016.

Re:Apple's solution

[Gr8Apes]

However, you need to buy very very specific RAM for the 2010 - PC3-8500 CL7 DIMMs for stable 16GB operation. Oh, and mine is at the current EFI level for that platform, as are my other systems. I checked them all.

Re:Apple's solution

[Gr8Apes]

I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

A 2010 mini used to do that for me, at a fraction of your power draw. It used to serve as my HTPC as well. Now it's a 2012 quad i7 to handle all that and more.

Re:Apple's solution

[TheFakeTimCook]

I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

A 2010 mini used to do that for me, at a fraction of your power draw. It used to serve as my HTPC as well. Now it's a 2012 quad i7 to handle all that and more.

I would have loved to do that with a mini, and in fact, I spec'ed a 2010 mini to do just that for a friend of mine. Still working quite nicely, too. But The G5 Tower was just languishing, having been replaced by my 2012 nrMBP as my "daily driver", and I didn't want to spend the coin on a mini for a non-essential function.

Why does one need to depend on Apple, anyway?

If Apple doesn't want to throw resources at it, then fine.

But why can't I throw resources at it? Give me the source code of the firmware, and allow me to install an upgraded version in my own time.

Re:Why does one need to depend on Apple, anyway?

[DontBeAMoran]

Here's the source for everything:
0
1

Re:Why does one need to depend on Apple, anyway?

It comes down to that thing we all like to bash here: IP. Whether you are in the Intellectual Property camp or the Imaginary Property camp is irrelevant. Most of these pieces of code have code in them that is under someone else's patent and with a license granted to Apple and Apple (and other companies who have similar issues with their products) are not at liberty to give out the code. So we are stuck due to IP.

Re:Why does one need to depend on Apple, anyway?

[guruevi]

You can, there is TianoCore, Libreboot, Coreboot.

Not like anyone even bothers, any bugs in UEFI are only important if you have access to the hardware.

Say what you will about MS

[thegarbz]

but one thing I see surprisingly frequently on the Surface Pro is EFI firmware updates.

That can be seen as a good thing and a bad thing. One would hope these are feature updates and not such a long list of critical vulnerabilities but .... Microsoft.

Re:Say what you will about MS

[110010001000]

Probably the NSA provides updates to MS frequently.

Why did you bother writing that reply? Why?!?

Your comment is not funny, interesting, or helpful; your comment is entirely a waste of cyberspace. The next time you feel compelled to write such a banal comment, don't.

Re:Why did you bother writing that reply? Why?!?

He was just giving his two bits

Re:Why did you bother writing that reply? Why?!?

Your comment is not funny, interesting, or helpful; your comment is entirely a waste of cyberspace. The next time you feel compelled to write such a banal comment, don't.

His reply was WAY better than yours. Maybe you should take your own advice and STFU.

Perspective

[Known+Nutter]

From TFA:

While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

But don't let that stop a good Apple ass-whoopin'... carry on.

Re:Perspective

Except in the Linux and Windows world you can update your BIOS (which is all EFI is, a special Apple-only BIOS intended to block people from running Linux on Apple hardware) yourself. You can even in some cases run open source BIOSes. Because Windows and Linux isn't a monoculture of identical hardware, it's much less likely that any given exploit will run on all Windows and Linux machines.

Basically this really isn't that big a deal for Windows and Linux because the hardware is much more open. With Apple, if Apple doesn't fix security bugs, you're screwed, because you can't just replace the hardware.

Re:Perspective

[bill_mcgonigle]

But don't let that stop a good Apple ass-whoopin'... carry on.

You're buying Apple for an integrated hardware/software experience. It's their responsibility for keeping their hardware firmware up to date and secure.

Microsoft doesn't have that responsibility in the PC realm. The downside is you have to do it yourself. The upside is that's between you and your mobo vendor, and you can do it without Microsoft's involvement.

Apple needs to keep its end of the bargain if it wants to tout the additional value of its vertical solution.

Re:Perspective

Except in the Linux and Windows world you can update your BIOS (which is all EFI is, a special Apple-only BIOS intended to block people from running Linux on Apple hardware) yourself.

Wow, you have no idea what you are talking about, do you?

Unified Extensible Firmware Interface: History

The original motivation for EFI came during early development of the first Intel–HP Itanium systems in the mid-1990s. BIOS limitations (such as 16-bit processor mode, 1 MB addressable space and PC AT hardware) had become too restrictive for the larger server platforms Itanium was targeting.[6] The effort to address these concerns began in 1998 and was initially called Intel Boot Initiative.[7] It was later renamed to Extensible Firmware Interface (EFI).[8][9]

In July 2005, Intel ceased its development of the EFI specification at version 1.10, and contributed it to the Unified EFI Forum, which has developed the specification as the Unified Extensible Firmware Interface (UEFI). The original EFI specification remains owned by Intel, which exclusively provides licenses for EFI-based products, but the UEFI specification is owned by the Forum.[6][10]

Version 2.1 of the UEFI specification was released on 7 January 2007. It added cryptography, network authentication and the User Interface Architecture (Human Interface Infrastructure in UEFI). The latest UEFI specification, version 2.7, was approved in May 2017.[11]

Re:Perspective

[Known+Nutter]

Microsoft doesn't have that responsibility in the PC realm.

Sure they do.

Re:Perspective

I've never had a problem running Linux or Winders on any of my Mac.

You fail Computer 101. Get educated or STFU!

Re:Perspective

[Gravis+Zero]

From TFA:

While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

But don't let that stop a good Apple ass-whoopin'... carry on.

Also from TFA:

Our research focused on the Apple Mac ecosystem as Apple is in a somewhat unique position of controlling the full stack from hardware, through firmware, OS, and all the way up to application software and can be considered widely deployed.

This ensured that they were looking at a configuration that has one of the greatest levels of deployment. Identifying insecurities that occur in a 0.0001% of configurations isn't really productive.

Re:Perspective

Apple needs to keep its end of the bargain if it wants to tout the additional value of its vertical solution.

I'm not sure they do.

As a MBP user, I don't think I've ever heard apple advertise anything like that. They tend to advertise more towards the trendy asshole audience who cares about form over function.

I have heard plenty of people who use Macs however, indicate that as one of their strong points, that it is a great package because its end-to-end apple. and I think thats true.

But lets get to brass tacks, unless the users computer is crashing or exploitable, a firmware update is pretty much 100% worthless to 99.99999% of the population.

Attack vectors for EFI are PRETTY low, not 0, but pretty damn close. So unless there is a EFI bug that the OS can't work around, no one really gives a shit if they can't upgrade.

I started futzing with my first PC hardware in 1992 or 3, I've built probably 30 machines since then for personal use and been involved in hundreds of builds for various jobs throughout my career. I have had to upgrade the BIOS exactly once for a personal machine during that time, and VERY RARELY for business machines, and only then when it happened to be bleeding edge hardware.

TL;DR:
EFI upgrades don't fucking matter, STFU.

Re:Perspective

[thegarbz]

From TFA:

While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

But don't let that stop a good Apple ass-whoopin'... carry on.

There's a fundamental difference there. Very few windows machines are eco-system controlled. i.e. There's a metric shitload of firmware updates out there for motherboards but in general they just don't get applied, because it's not a process that is automatically handled by a single vendor through a single update system.

e.g. I put a new graphics card in my 6 year old computer recently and it failed to POST. Just before crying foul I decided to try a BIOS update. It seems that I was running release 5 of my EFI firmware. I upgraded to release 21. I neither knew nor cared about all the intermediate releases in the past 6 years.

On the flipside my Surface Pro which is a vendor managed device with a single update system seems to get EFI firmware updates every 3 months or so. It's quite obvious because the installation process of an updated EFI firmware looks very different to that of a windows patch.

Apple drops support quickly

I guess you would say this is another example of Apple simply dropping support in a way most users won't notice. I would say many PC makers also stop doing bios updates as well after a few years. Not excusing either of this but it does appear to be something not exclusive to just Mac's.

Re: Apple drops support quickly

Problem is, nobody else bills themselves as premium. You don't pay premium prices for normal level services (unless you're blinded by something)

Re:Apple drops support quickly

[Gr8Apes]

You do realize that you can download and upgrade the EFI firmware yourself, right? It's just the automated install doesn't notify you. I don't disagree that's a bug, but is it a "problem"?

Another PRO feature

[axettone]

Locked hardware, leak of support, 1 year only hardware warranty, higher prices. Thatâ(TM)s Apple.

Company is a bunch of hacks

Duo is a bunch of hacks. Interviewed there and was penalized when getting the correct C++ answer because the interviewer was offended I found another valid way to solve his problem. Because my solution was simpler than his, he was so offended they never called me back.

They have a hatred of the guys who work on GRSec kernels and after mentioning in the interview I used those in the past, they were dead set against me. Get that, a security company upset someone knows GRSec and C++ openssh programming.

They have one smart dude who does this type of work and the rest just piggyback to try to make the company look good. I'm half tempted in my spare time to write an openssh SMS verification plugin and open source it to put them out of business. Some day when I get some spare time.

Any impact

[craigminah]

Has this negatively impacted users or present a vector for hackers that has been exploited?

Obsolescence built in - by design

It's Apple's way to call you out as a peasant and strongly encourage you to buy a new machine. They've been doing this since the 1980s. Consider them the masters the rest wish they were.

Happy Friday from The Golden Girls!

[sexconker]

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:Happy Friday from The Golden Girls!

[SteveR]

lol, "cosmonaut"

Pretty sure its "confidante".

Re:Happy Friday from The Golden Girls!

[sexconker]

That's the joke.

Time to open up your wallets

[Billly+Gates]

It's time to upgrade again and throw out your glued in batteries and ssds for a new system

Re:Time to open up your wallets

So buy a Chromebook you say?

I thought you liked Google, cupcake?

How critical is UEFI on Macs vs PCs

[Billly+Gates]

I still use a haswel i7 at home and needed to replace a damaged board. All the popular MSI, Gigabyte, and Asus boards with 97 stopped being updated with new EFI.

I googled for Windows 10 compability and use the latest 2015 UEFI flashes.

Do Macs need them updated or tied to specific releases of MacOSX?

Apple EFI has update hiccups. Who else does?

Not sure this is solely an apple issue. Does anybody have any knowledge of EFI update issues across the industry they might share?

Re:Only LUDDITES use EFI.

your mom

Re:Only LUDDITES use EFI.

your dad

How to check?

So...

How do I check if I am using the latest EFI firmware for my mac?

I can see what version I"m using, but the only Apple support page showing version numbers that I could find stopped at 2014 models.

When you choose freedom you will have it.

[jbn-o]

Apple's users need to declare their independence from dependence on Apple and switch to free software OSes running on hardware they own. The same is true for independence from any proprietor.

You will never get the control over your own damn equipment you seek so long as you do business with proprietors (Apple, Google, Microsoft, etc.). Like I've said so many times before on /., the themes of the articles here are the same and so are the fixes you can implement today: software freedom is a good unto itself because it helps grant you the independence and true ownership you seek, running free software on hardware you can fully own is the best currently viable way to get the independence you seek. The rest is a matter of political will—are you willing to change your system and hardware so you can have the best available hardware and software that respects your freedom? Wishing and hoping achieve nothing, real change requires political action.

I recommend perusing the GNU Project's list of free distros and the Free Software Foundation's "Respects Your Freedom" hardware list.

Re: When you choose freedom you will have it.

Oh big yawn. The reason I buy Apple hardware is because it runs OS X, which is pretty much as good as Linux at the back end along with some damn great enduser applications. You can keep old cheap PCs around with Linux for backoffice stuff (mail server, file server, cloud server, etc)

How do you know....

[Radical+Moderate]

...if your firmware's up to date? I can find the version of the firmware that's installed. What I can't find is anything documenting what the latest version for my Mac is. Apple's support site is a joke.

Re:How do you know....

[rcharbon]

Newest thing I found only covers devices up to 2014: https://support.apple.com/en-u...

Buy your own copy of IDA Pro.

[tlambert]

Give me the source code of the firmware, and allow me to install an upgraded version in my own time.

Buy your own copy of IDA Pro.

You now have the source code for the firmware.

You don't know how to program in assembly language?

Are you sure you are actually a programmer?

Microsoft has a lot to answer for.

[JustNiz]

The length of time that some system has not been updated does not alone provide a good metric as to how secure it actually is or isn't. Its certainly a mistake to judge the invulnerability of some system just by when it was last updated, which seems to be what the article is doing.

It was Microsoft who managed to brainwash the world into thinking that weekly/monthly updates are just some normal aspect of all computer systems. prior to then, it was not unusual for updates for professional OS's (SunOS, HPUX, Solaris, VMS etc) to be more like years apart.
A high frequency of updates is absolutely necessary if you're running a fundamentally crappily-designed OS like Windows, but let's not paint all things with the same brush.

That said, I do agree that Apple should release updates every time a new exploit (EFI or otherwise) is identified, which the article also clearly mentions just isn't happening.

Re:Microsoft has a lot to answer for.

Even the article summary mentions years-old EFI vulnerabilities that are not patched. No one is calling this a problem because the firmware is merely old. They're calling it a problem because Apple is either not issuing updates to resolve known vulnerabilities or is allowing those updates to fail and not notifying the user.

EFI bugs are important...

[tlambert]

Not like anyone even bothers, any bugs in UEFI are only important if you have access to the hardware.

EFI bugs are important...

But only to 64 bit Linux users, who haven't commented out the call to ExitBootServices() which 64 bit Linux insists on making.

The bug, which exists in Intel's EFI/UEFI reference implementation build system, occurs due to not marking a section of one static library as "required by runtime services".

Apple EFI implementations have the bug; so do many other companies.

We fixed it at Google, with the help of the UEFI engineer on the H2O BIOS. Most people haven't fixed it.

So Linux people tend to get all pissy any time they can't update the EFI because they can't read disassembled assembly source and make modifications.

Re:EFI bugs are important...

[WorBlux]

Wasn't one of the big advantages of EFI that you could program a lot of the firmware in C? If you need a dissasembler to fix bugs, what's the point?

Re:EFI bugs are important...

[tlambert]

Wasn't one of the big advantages of EFI that you could program a lot of the firmware in C? If you need a dissasembler to fix bugs, what's the point?

The point is that you should not bitch about things you can fix yourself, just because it's more difficult if you've never learned assembly language.

Yes, but..

[tlambert]

but one thing I see surprisingly frequently on the Surface Pro is EFI firmware updates.

Personally I'm waiting on the security update for the last Windows XP release...

Why should it even matter?

[johannesg]

I'm a little unclear why a bootloader would ever even be in a position to become 'critical'. Either it works, in which case the machine works and a real operating system takes over, or it doesn't, in which case the machine displays the ultimate in security and fails to deliver service to anyone, including malicious agents.

If bootloaders are now written to somehow be remote-hackable, we have done something very wrong.

Re:A Little More Perspective

[drinkypoo]

UEFI displaces root kits by being one. It was inevitable to find a flaw in the code.
One of the great things about running Linux is the ability to run using BIOS only.

My PC BIOS is UEFI-only, you insensitive clod!

Re:A Little More Perspective

[WorBlux]

>Begin pedantic annoyance: If it's UEFI, it's technically not BIOS anymore.