Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical EFI Code in Millions of Macs Isn't Getting Apple's Updates (wired.com)

Posted by msmash on from the security-woes dept.

Andy Greenberg, writing for Wired:At today's Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple's so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC's operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple's neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails. For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

56 of 91 comments (clear)

  1. Re:Only LUDDITES use EFI. by aicrules · · Score: 1

    That was a pretty weak attempt at emulating the Luddites App spam post...

  2. When will be free of the Overlords? by Anonymous Coward · · Score: 3, Insightful

    Just give us control over our own damn equipment! Let us form our own communities that will service these machines as necessary.

    Why is everything shrouded in a goddamn fucking mystery? WHY?!

    1. Re:When will be free of the Overlords? by Anonymous Coward · · Score: 1

      So Apple can continue to use the words "Magical" and "Revolutionary" at their press conferences.

    2. Re:When will be free of the Overlords? by DontBeAMoran · · Score: 2

      No, that was the Steve Jobs' era.

      Under Tim Cook, it's "courage" and "wait until you see what we have in the future".

      Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

      --
      #DeleteFacebook
    3. Re:When will be free of the Overlords? by mattgoldey · · Score: 1

      Same. I want a mini but don't want to buy 4 year old hardware.

    4. Re:When will be free of the Overlords? by erapert · · Score: 1

      Because fools continue to buy and support proprietary hardware and software.

    5. Re:When will be free of the Overlords? by Ungrounded+Lightning · · Score: 2

      Why is everything shrouded in a goddamn fucking mystery? WHY?!

      To make it harder for ordinary citizens to identify, work around, or replace the spyware/controlware built into the core of their machines.

      At least Intel and AMD admit it's there.

      (Of course that's because they sell some access to it as a feature, to corporate IT departments, who use it for remote administration and monitoring of their companies' computing infrastructure and individual users.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    6. Re:When will be free of the Overlords? by TheFakeTimCook · · Score: 1

      I'd love a 2017 mac min update... we can all hope.

      Almost assuredly in 2018, along with the Modular Mac Pro.

    7. Re:When will be free of the Overlords? by dgatwood · · Score: 2

      Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

      No, the last actual Mac Mini was Macmini6,2 (2012). The 2-core 2014 "Mini" was Apple Hardware Engineering's idea of a great practical joke.

      (Thanks, Intel, for using a different pinout for your four-core Haswell chips, making it financially infeasible for Apple to build both a low-end Mini and a decent Mini with the same logic board design. I blame you for my servers being half a decade old and counting.)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    8. Re:When will be free of the Overlords? by infolation · · Score: 2

      Then let it be known that the macbook1,1 and 2,1 can run libreboot instead of EFI.

    9. Re: When will be free of the Overlords? by dgatwood · · Score: 1

      The Mac Mini had relatively low sales volume, mostly concentrated at the low end. Sure, they could have designed two different versions of the motherboard, but the additional sales would likely not have covered the extra R&D expense, much less the impact of pulling engineers off of other products (with orders of magnitude higher sales volume) to work on it.

      Additionally, I suspect they hoped that the low-end versions of the trashcan Mac Pro would reduce the call for high-end Mini hardware. That has not happened, for a number of reasons (size, cost, and lack of storage being the big ones), but I think that was the working theory at the time.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re: When will be free of the Overlords? by Anonymous Coward · · Score: 1

      Yet you blame Intel because the wildly profitable Apple didn't find it profitable to make the machine you want.

      Stop and think about it. If its ANYONES fault, its Apple's fault.

    11. Re:When will be free of the Overlords? by AHuxley · · Score: 1

      AC if people have control then the security services have to work harder.
      "New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs" (3/24/2017)
      https://arstechnica.com/inform...
      DarkSeaSkies, DarkMatter (EFI injection), SeaPea (kernel access), NightSkies (key logging).
      Think of all the computers that got the security services package that might still exist.
      Going back and having users globally create reports and publish their strange and unexpected results.
      Best just to have later hardware looked at that is all clean and no unexpected reports will surface.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re: When will be free of the Overlords? by dgatwood · · Score: 1

      Yet you blame Intel because the wildly profitable Apple didn't find it profitable to make the machine you want.

      I blame Intel because they used the same pinout for 4-core laptop CPUs as for 2-core in every generation of laptop chip prior to Haswell, and I think in every generation after it as well (except possibly the Broadwell die shrink). Somebody at Intel apparently said, "Oh, it doesn't really matter because laptop boards are all one-offs anyway and nobody upgrades laptop CPUs", and then found out the hard way why they were wrong.

      I blame Intel because they could very easily have made their chips pin-compatible for almost no difference in R&D or manufacturing cost, and distributed that tiny cost across hundreds of millions of units, whereas the cost of building and certifying a new motherboard design is huge, and cannot be easily distributed across the much smaller profit from a single model of computer.

      Look, I'm the first person to give Apple a hard time when they screw up (just look at some of my rants over the years, and you'll see what I mean). And I do agree that they screwed up by not biting the bullet and building a four-core model anyway. That said, it would have been trivial for Intel to do it right, and it would have been several orders of magnitude more expensive per unit for Apple to work around their design screw-up. So I don't blame them for telling Intel, "Screw it. We'll pick up your four-core chips again in Kaby." I'm just hoping they get around to picking back up the four-core chips in Kaby Lake (or, ideally, they could make it a point for the next Mini to *not* be an entire generation behind for once, and wait to ship a four-core Mini with Coffee Lake, but I'm not holding my breath).

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    13. Re:When will be free of the Overlords? by MoarSauce123 · · Score: 1

      Especially when it comes at a price that is four times as much as the sum of the off the shelf parts.

    14. Re: When will be free of the Overlords? by WorBlux · · Score: 1

      Both form factors suck. Admit that thunderbolt isn't quite right for the professional, and introduce an ATX and micro-ATX form factor alongside the mini, with Xeon E5, E3, and pentium respectively.

  3. Why does one need to depend on Apple, anyway? by Anonymous Coward · · Score: 2, Interesting

    If Apple doesn't want to throw resources at it, then fine.

    But why can't I throw resources at it? Give me the source code of the firmware, and allow me to install an upgraded version in my own time.

    1. Re:Why does one need to depend on Apple, anyway? by DontBeAMoran · · Score: 3, Funny

      Here's the source for everything:
      0
      1

      --
      #DeleteFacebook
    2. Re:Why does one need to depend on Apple, anyway? by guruevi · · Score: 1

      You can, there is TianoCore, Libreboot, Coreboot.

      Not like anyone even bothers, any bugs in UEFI are only important if you have access to the hardware.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  4. Say what you will about MS by thegarbz · · Score: 1

    but one thing I see surprisingly frequently on the Surface Pro is EFI firmware updates.

    That can be seen as a good thing and a bad thing. One would hope these are feature updates and not such a long list of critical vulnerabilities but .... Microsoft.

    1. Re:Say what you will about MS by 110010001000 · · Score: 1

      Probably the NSA provides updates to MS frequently.

  5. Re:Not a big deal. by SQLGuru · · Score: 1

    You'd be surprised at how many computers you can get physical access to without much effort........some of which control or can get access to more things than you realize.

  6. Perspective by Known+Nutter · · Score: 5, Informative
    From TFA:

    While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

    But don't let that stop a good Apple ass-whoopin'... carry on.

    --
    Beware of the Leopard.
    1. Re:Perspective by Anonymous Coward · · Score: 2, Informative

      Except in the Linux and Windows world you can update your BIOS (which is all EFI is, a special Apple-only BIOS intended to block people from running Linux on Apple hardware) yourself.

      Wow, you have no idea what you are talking about, do you?

      Unified Extensible Firmware Interface: History

      The original motivation for EFI came during early development of the first Intel–HP Itanium systems in the mid-1990s. BIOS limitations (such as 16-bit processor mode, 1 MB addressable space and PC AT hardware) had become too restrictive for the larger server platforms Itanium was targeting.[6] The effort to address these concerns began in 1998 and was initially called Intel Boot Initiative.[7] It was later renamed to Extensible Firmware Interface (EFI).[8][9]

      In July 2005, Intel ceased its development of the EFI specification at version 1.10, and contributed it to the Unified EFI Forum, which has developed the specification as the Unified Extensible Firmware Interface (UEFI). The original EFI specification remains owned by Intel, which exclusively provides licenses for EFI-based products, but the UEFI specification is owned by the Forum.[6][10]

      Version 2.1 of the UEFI specification was released on 7 January 2007. It added cryptography, network authentication and the User Interface Architecture (Human Interface Infrastructure in UEFI). The latest UEFI specification, version 2.7, was approved in May 2017.[11]

    2. Re:Perspective by Known+Nutter · · Score: 1

      Microsoft doesn't have that responsibility in the PC realm.

      Sure they do.

      --
      Beware of the Leopard.
    3. Re:Perspective by Gravis+Zero · · Score: 1

      From TFA:

      While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

      But don't let that stop a good Apple ass-whoopin'... carry on.

      Also from TFA:

      Our research focused on the Apple Mac ecosystem as Apple is in a somewhat unique position of controlling the full stack from hardware, through firmware, OS, and all the way up to application software and can be considered widely deployed.

      This ensured that they were looking at a configuration that has one of the greatest levels of deployment. Identifying insecurities that occur in a 0.0001% of configurations isn't really productive.

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:Perspective by thegarbz · · Score: 1

      From TFA:

      While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

      But don't let that stop a good Apple ass-whoopin'... carry on.

      There's a fundamental difference there. Very few windows machines are eco-system controlled. i.e. There's a metric shitload of firmware updates out there for motherboards but in general they just don't get applied, because it's not a process that is automatically handled by a single vendor through a single update system.

      e.g. I put a new graphics card in my 6 year old computer recently and it failed to POST. Just before crying foul I decided to try a BIOS update. It seems that I was running release 5 of my EFI firmware. I upgraded to release 21. I neither knew nor cared about all the intermediate releases in the past 6 years.

      On the flipside my Surface Pro which is a vendor managed device with a single update system seems to get EFI firmware updates every 3 months or so. It's quite obvious because the installation process of an updated EFI firmware looks very different to that of a windows patch.

  7. Apple drops support quickly by Anonymous Coward · · Score: 1

    I guess you would say this is another example of Apple simply dropping support in a way most users won't notice. I would say many PC makers also stop doing bios updates as well after a few years. Not excusing either of this but it does appear to be something not exclusive to just Mac's.

    1. Re:Apple drops support quickly by Gr8Apes · · Score: 1

      You do realize that you can download and upgrade the EFI firmware yourself, right? It's just the automated install doesn't notify you. I don't disagree that's a bug, but is it a "problem"?

      --
      The cesspool just got a check and balance.
  8. Re:Apple's solution by Mordaximus · · Score: 4, Insightful

    Apple's solution is probably "buy a new Mac". Tim Cook said himself that Apple products are not for the rich so buying another $1000+ computer every year or two shouldn't be a problem for anyone.

    Next up: Tim Cook doesn't understand the meaning of "rich" compared to the rest of the population.

    Except that the people who upgrade their Macs every year or two are few and far between. Apple knows this well. That said, TFA even mentions the EFI update failed on certain percentages of NEWER systems, like the 2-16 MacBook. To wit: " And three versions of the 2016 Macbook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases, suggesting they too had serious EFI update failure rates."

    This doesn't sound nefarious to me, it sounds more like there's a hiccup in the update process, which thankfully doesn't render the system a brick when it fails. Naturally something that needs to be addressed though.

    For what it's worth, I'm happily working away on a 2011 iMac, which in the past 6 years has only had one problem, a failed hard drive. This was a recent, and certainly not unexpected failure. Anecdotal for sure, but this is the case for most people I know who own a Mac as well. It's also the reason they (and I) will purchase a new one when the time is right. I know it's trendy to blindly bash on Apple though.

  9. Another PRO feature by axettone · · Score: 1

    Locked hardware, leak of support, 1 year only hardware warranty, higher prices. Thatâ(TM)s Apple.

  10. Re:Why did you bother writing that reply? Why?!? by Anonymous Coward · · Score: 3, Funny

    He was just giving his two bits

  11. Any impact by craigminah · · Score: 2

    Has this negatively impacted users or present a vector for hackers that has been exploited?

  12. Re:Apple's solution by DontBeAMoran · · Score: 1

    For what it's worth, my posts are made from a 2010 Mac mini, which in the past seven years had its RAM upgraded twice (from 2GB to 8GB, then to 16GB) and hard drives upgraded twice too (from 320GB to 750GB, then dropped the optical drive to add an SSD).

    --
    #DeleteFacebook
  13. Time to open up your wallets by Billly+Gates · · Score: 1

    It's time to upgrade again and throw out your glued in batteries and ssds for a new system

    --
    http://saveie6.com/
  14. How critical is UEFI on Macs vs PCs by Billly+Gates · · Score: 1

    I still use a haswel i7 at home and needed to replace a damaged board. All the popular MSI, Gigabyte, and Asus boards with 97 stopped being updated with new EFI.

    I googled for Windows 10 compability and use the latest 2015 UEFI flashes.

    Do Macs need them updated or tied to specific releases of MacOSX?

    --
    http://saveie6.com/
  15. Re:Apple's solution by TheFakeTimCook · · Score: 1

    For what it's worth, I'm happily working away on a 2011 iMac, which in the past 6 years has only had one problem, a failed hard drive. This was a recent, and certainly not unexpected failure. Anecdotal for sure, but this is the case for most people I know who own a Mac as well. It's also the reason they (and I) will purchase a new one when the time is right. I know it's trendy to blindly bash on Apple though.

    I second this!

    My newest Apple Computer is a 2012 nrMacBook Pro with a spinning-rust HD (that hasn't failed yet). It looks and works exactly the same as when I bought it in May, 2013.

    Out of all of my Apple-owning friends, I don't know any that are on the "Upgrade Treadmill" that Slashtards like to constantly allude to. One did just buy a 2017 MBP, but her previous MBP was a 2009 model, and the other recent Upgrader bought himself a 2016 MBP as a retirement gift. That replaced his 2007 MBP.

    I even have a friend that still rocks a frickin' PPC G4 TiBook, and I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

  16. When you choose freedom you will have it. by jbn-o · · Score: 2

    Apple's users need to declare their independence from dependence on Apple and switch to free software OSes running on hardware they own. The same is true for independence from any proprietor.

    You will never get the control over your own damn equipment you seek so long as you do business with proprietors (Apple, Google, Microsoft, etc.). Like I've said so many times before on /., the themes of the articles here are the same and so are the fixes you can implement today: software freedom is a good unto itself because it helps grant you the independence and true ownership you seek, running free software on hardware you can fully own is the best currently viable way to get the independence you seek. The rest is a matter of political will—are you willing to change your system and hardware so you can have the best available hardware and software that respects your freedom? Wishing and hoping achieve nothing, real change requires political action.

    I recommend perusing the GNU Project's list of free distros and the Free Software Foundation's "Respects Your Freedom" hardware list.

    --
    Digital Citizen
  17. How do you know.... by Radical+Moderate · · Score: 1

    ...if your firmware's up to date? I can find the version of the firmware that's installed. What I can't find is anything documenting what the latest version for my Mac is. Apple's support site is a joke.

    --
    Never let a lack of data get in the way of a good rant.
    1. Re:How do you know.... by rcharbon · · Score: 1

      Newest thing I found only covers devices up to 2014: https://support.apple.com/en-u...

  18. Buy your own copy of IDA Pro. by tlambert · · Score: 1

    Give me the source code of the firmware, and allow me to install an upgraded version in my own time.

    Buy your own copy of IDA Pro.

    You now have the source code for the firmware.

    You don't know how to program in assembly language?

    Are you sure you are actually a programmer?

  19. Microsoft has a lot to answer for. by JustNiz · · Score: 2

    The length of time that some system has not been updated does not alone provide a good metric as to how secure it actually is or isn't. Its certainly a mistake to judge the invulnerability of some system just by when it was last updated, which seems to be what the article is doing.

    It was Microsoft who managed to brainwash the world into thinking that weekly/monthly updates are just some normal aspect of all computer systems. prior to then, it was not unusual for updates for professional OS's (SunOS, HPUX, Solaris, VMS etc) to be more like years apart.
    A high frequency of updates is absolutely necessary if you're running a fundamentally crappily-designed OS like Windows, but let's not paint all things with the same brush.

    That said, I do agree that Apple should release updates every time a new exploit (EFI or otherwise) is identified, which the article also clearly mentions just isn't happening.

  20. EFI bugs are important... by tlambert · · Score: 1

    Not like anyone even bothers, any bugs in UEFI are only important if you have access to the hardware.

    EFI bugs are important...

    But only to 64 bit Linux users, who haven't commented out the call to ExitBootServices() which 64 bit Linux insists on making.

    The bug, which exists in Intel's EFI/UEFI reference implementation build system, occurs due to not marking a section of one static library as "required by runtime services".

    Apple EFI implementations have the bug; so do many other companies.

    We fixed it at Google, with the help of the UEFI engineer on the H2O BIOS. Most people haven't fixed it.

    So Linux people tend to get all pissy any time they can't update the EFI because they can't read disassembled assembly source and make modifications.

    1. Re:EFI bugs are important... by WorBlux · · Score: 1

      Wasn't one of the big advantages of EFI that you could program a lot of the firmware in C? If you need a dissasembler to fix bugs, what's the point?

    2. Re:EFI bugs are important... by tlambert · · Score: 1

      Wasn't one of the big advantages of EFI that you could program a lot of the firmware in C? If you need a dissasembler to fix bugs, what's the point?

      The point is that you should not bitch about things you can fix yourself, just because it's more difficult if you've never learned assembly language.

  21. Yes, but.. by tlambert · · Score: 1

    but one thing I see surprisingly frequently on the Surface Pro is EFI firmware updates.

    Personally I'm waiting on the security update for the last Windows XP release...

  22. Re:Happy Friday from The Golden Girls! by SteveR · · Score: 1

    lol, "cosmonaut"

    Pretty sure its "confidante".

  23. Re:Apple's solution by DontBeAMoran · · Score: 1

    Nope, mid-2010 Mac mini. Officially the maximum is 8GB because when it was released the biggest SODIMMs available were 4GB. After an EFI update, the maximum went up to 16GB.

    --
    #DeleteFacebook
  24. Why should it even matter? by johannesg · · Score: 1

    I'm a little unclear why a bootloader would ever even be in a position to become 'critical'. Either it works, in which case the machine works and a real operating system takes over, or it doesn't, in which case the machine displays the ultimate in security and fails to deliver service to anyone, including malicious agents.

    If bootloaders are now written to somehow be remote-hackable, we have done something very wrong.

  25. Re:A Little More Perspective by drinkypoo · · Score: 1

    UEFI displaces root kits by being one. It was inevitable to find a flaw in the code.
    One of the great things about running Linux is the ability to run using BIOS only.

    My PC BIOS is UEFI-only, you insensitive clod!

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  26. Re:Apple's solution by Gr8Apes · · Score: 1

    2012 mini and pro for sure. MacBook Pros are 2016.

    --
    The cesspool just got a check and balance.
  27. Re:Apple's solution by Gr8Apes · · Score: 1

    However, you need to buy very very specific RAM for the 2010 - PC3-8500 CL7 DIMMs for stable 16GB operation. Oh, and mine is at the current EFI level for that platform, as are my other systems. I checked them all.

    --
    The cesspool just got a check and balance.
  28. Re:Apple's solution by Gr8Apes · · Score: 1

    I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

    A 2010 mini used to do that for me, at a fraction of your power draw. It used to serve as my HTPC as well. Now it's a 2012 quad i7 to handle all that and more.

    --
    The cesspool just got a check and balance.
  29. Re:Happy Friday from The Golden Girls! by sexconker · · Score: 1

    That's the joke.

  30. Re:A Little More Perspective by WorBlux · · Score: 1

    >Begin pedantic annoyance: If it's UEFI, it's technically not BIOS anymore.

  31. Re:Apple's solution by TheFakeTimCook · · Score: 1

    I run a 2005 G5 Tower at home as a Surveillance, FTP, and iTunes Server, FFS!!!

    A 2010 mini used to do that for me, at a fraction of your power draw. It used to serve as my HTPC as well. Now it's a 2012 quad i7 to handle all that and more.

    I would have loved to do that with a mini, and in fact, I spec'ed a 2010 mini to do just that for a friend of mine. Still working quite nicely, too. But The G5 Tower was just languishing, having been replaced by my 2012 nrMBP as my "daily driver", and I didn't want to spend the coin on a mini for a non-essential function.