Slashdot Mirror


Critical EFI Code in Millions of Macs Isn't Getting Apple's Updates (wired.com)

Andy Greenberg, writing for Wired: At today's Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple's so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC's operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple's neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails. For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

14 of 91 comments

  1. When will be free of the Overlords? by Anonymous Coward · · Score: 3, Insightful

    Just give us control over our own damn equipment! Let us form our own communities that will service these machines as necessary.

    Why is everything shrouded in a goddamn fucking mystery? WHY?!

    1. Re:When will be free of the Overlords? by DontBeAMoran · · Score: 2

      No, that was the Steve Jobs' era.

      Under Tim Cook, it's "courage" and "wait until you see what we have in the future".

      Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

      --
      #DeleteFacebook
    2. Re:When will be free of the Overlords? by Ungrounded Lightning · · Score: 2

      Why is everything shrouded in a goddamn fucking mystery? WHY?!

      To make it harder for ordinary citizens to identify, work around, or replace the spyware/controlware built into the core of their machines.

      At least Intel and AMD admit it's there.

      (Of course that's because they sell some access to it as a feature, to corporate IT departments, who use it for remote administration and monitoring of their companies' computing infrastructure and individual users.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    3. Re:When will be free of the Overlords? by dgatwood · · Score: 2

      Problem is, I'm still using my 2010 Mac mini here and looking at the 2014 Mac mini, which is still the latest Mac mini model by the way, the future scares me.

      No, the last actual Mac Mini was Macmini6,2 (2012). The 2-core 2014 "Mini" was Apple Hardware Engineering's idea of a great practical joke.

      (Thanks, Intel, for using a different pinout for your four-core Haswell chips, making it financially infeasible for Apple to build both a low-end Mini and a decent Mini with the same logic board design. I blame you for my servers being half a decade old and counting.)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:When will be free of the Overlords? by infolation · · Score: 2

      Then let it be known that the macbook1,1 and 2,1 can run libreboot instead of EFI.

  2. Why does one need to depend on Apple, anyway? by Anonymous Coward · · Score: 2, Interesting

    If Apple doesn't want to throw resources at it, then fine.

    But why can't I throw resources at it? Give me the source code of the firmware, and allow me to install an upgraded version in my own time.

    1. Re:Why does one need to depend on Apple, anyway? by DontBeAMoran · · Score: 3, Funny

      Here's the source for everything:
      0
      1

      --
      #DeleteFacebook
  3. Perspective by Known Nutter · · Score: 5, Informative
    From TFA:

    While its research paper is focused on Apple, Duo Security said the same if not worse EFI issues likely affect PCs running Windows or Linux.

    But don't let that stop a good Apple ass-whoopin'... carry on.

    --
    Beware of the Leopard.
    1. Re:Perspective by Anonymous Coward · · Score: 2, Informative

      Except in the Linux and Windows world you can update your BIOS (which is all EFI is, a special Apple-only BIOS intended to block people from running Linux on Apple hardware) yourself.

      Wow, you have no idea what you are talking about, do you?

      Unified Extensible Firmware Interface: History

      The original motivation for EFI came during early development of the first Intel–HP Itanium systems in the mid-1990s. BIOS limitations (such as 16-bit processor mode, 1 MB addressable space and PC AT hardware) had become too restrictive for the larger server platforms Itanium was targeting.[6] The effort to address these concerns began in 1998 and was initially called Intel Boot Initiative.[7] It was later renamed to Extensible Firmware Interface (EFI).[8][9]

      In July 2005, Intel ceased its development of the EFI specification at version 1.10, and contributed it to the Unified EFI Forum, which has developed the specification as the Unified Extensible Firmware Interface (UEFI). The original EFI specification remains owned by Intel, which exclusively provides licenses for EFI-based products, but the UEFI specification is owned by the Forum.[6][10]

      Version 2.1 of the UEFI specification was released on 7 January 2007. It added cryptography, network authentication and the User Interface Architecture (Human Interface Infrastructure in UEFI). The latest UEFI specification, version 2.7, was approved in May 2017.[11]

  4. Re:Apple's solution by Mordaximus · · Score: 4, Insightful

    Apple's solution is probably "buy a new Mac". Tim Cook said himself that Apple products are not for the rich so buying another $1000+ computer every year or two shouldn't be a problem for anyone.

    Next up: Tim Cook doesn't understand the meaning of "rich" compared to the rest of the population.

    Except that the people who upgrade their Macs every year or two are few and far between. Apple knows this well. That said, TFA even mentions the EFI update failed on certain percentages of NEWER systems, like the 2016 MacBook. To wit: "And three versions of the 2016 Macbook Pro had the wrong EFI version for their operating system version in 25% to 35% of cases, suggesting they too had serious EFI update failure rates."

    This doesn't sound nefarious to me, it sounds more like there's a hiccup in the update process, which thankfully doesn't render the system a brick when it fails. Naturally something that needs to be addressed though.

    For what it's worth, I'm happily working away on a 2011 iMac, which in the past 6 years has only had one problem, a failed hard drive. This was a recent, and certainly not unexpected failure. Anecdotal for sure, but this is the case for most people I know who own a Mac as well. It's also the reason they (and I) will purchase a new one when the time is right. I know it's trendy to blindly bash on Apple though.

  5. Re:Why did you bother writing that reply? Why?!? by Anonymous Coward · · Score: 3, Funny

    He was just giving his two bits

  6. Any impact by craigminah · · Score: 2

    Has this negatively impacted users or presented a vector for hackers that has been exploited?

  7. When you choose freedom you will have it. by jbn-o · · Score: 2

    Apple's users need to declare their independence from dependence on Apple and switch to free software OSes running on hardware they own. The same is true for independence from any proprietor.

    You will never get the control over your own damn equipment you seek so long as you do business with proprietors (Apple, Google, Microsoft, etc.). Like I've said so many times before on /., the themes of the articles here are the same and so are the fixes you can implement today: software freedom is a good unto itself because it helps grant you the independence and true ownership you seek, running free software on hardware you can fully own is the best currently viable way to get the independence you seek. The rest is a matter of political will—are you willing to change your system and hardware so you can have the best available hardware and software that respects your freedom? Wishing and hoping achieve nothing, real change requires political action.

    I recommend perusing the GNU Project's list of free distros and the Free Software Foundation's "Respects Your Freedom" hardware list.

  8. Microsoft has a lot to answer for. by JustNiz · · Score: 2

    The length of time that some system has not been updated does not alone provide a good metric as to how secure it actually is or isn't. It's certainly a mistake to judge the invulnerability of some system just by when it was last updated, which seems to be what the article is doing.

    It was Microsoft who managed to brainwash the world into thinking that weekly/monthly updates are just some normal aspect of all computer systems. Prior to then, it was not unusual for updates for professional OS's (SunOS, HPUX, Solaris, VMS etc) to be more like years apart.
    A high frequency of updates is absolutely necessary if you're running a fundamentally crappily-designed OS like Windows, but let's not paint all things with the same brush.

    That said, I do agree that Apple should release updates every time a new exploit (EFI or otherwise) is identified, which the article also clearly mentions just isn't happening.