Posted on 09-29-2017 08:53 AM
Saw this on Wired and was curious if anyone has thought about addressing the issue: https://www.wired.com/story/critical-efi-code-in-millions-of-macs-is-not-getting-apple-updates
It seems like certain Macs, when installing a firmware update, don't actually install it correctly but also don't try to install it again.
This makes me think that the responsible thing to do would be to create smart groups to identify computers that don't have the latest firmware and manually push the firmware installer from Apple again.
But, the list of firmware versions by model is pretty long, and making smart groups for all that would be cumbersome. https://support.apple.com/en-us/HT201518
Has anyone else heard of this issue? Any thoughts on the ramifications? Another solution I thought of is to push High Sierra to every Mac that supports it, since it is supposed to update firmware while it installs.
Posted on 09-29-2017 09:02 AM
I think that this is something that can be adequately addressed by High Sierra, personally. I don't see this as an imminent, active threat risk.
Posted on 09-29-2017 10:16 AM
@alexjdale That depends entirely on your industry. I don't think schools are that concerned about EFI hacks that require physical access. I do think people who do governmental (contractor, grant, or whatever) work need to figure out a solution for this.
There definitely needs to be a good way to track this down and secure it. It's not as easy as "Just update to the newest OS that may potentially fix the issue." I've seen several places say that High Sierra doesn't really help the issue at all. Per Ars Technica,
The new macOS version introduces a feature called eficheck, but Duo Security researchers said they have found no evidence it warns users when they're running out-of-date EFI versions, as long as they're official ones from Apple. Instead, eficheck appears only to check if EFI firmware was issued by someone other than Apple.
So just running 10.13 doesn't seem like it will be a solution for this EFI firmware issue. We have to figure something else out.
Posted on 09-29-2017 10:44 AM
Let me rephrase: I don't think there is a better solution right now than 10.13. I don't think a manual push is going to be effective where the 10.13 installer fails to update the firmware. You're probably looking at pulling in a large number of systems for costly repair efforts if your goal is to 100% these systems, and this will be a never-ending task.
I would like to see JAMF come up with something for this along the lines of their software patch reporting, perhaps. As you mentioned, it's a lot to tackle for a sysadmin with the tools we have available.
Posted on 09-29-2017 01:35 PM
Part of the issue here is that Apple isn't publicly posting firmware updates by model any longer. The listed support article is listed as "archived" and doesn't list Mac models past 2014, and I'm not sure if those even list current firmware for those models. I'm actively looking at installed firmware by computer revision to get a glimpse into our environment, but I don't know what they should read or if we can easily remediate them...
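As an added example (not code from this thread, from Jamf, or from Apple), here is a Jamf extension-attribute style shell check for the approach raised in the first post and the last one: read the installed Boot ROM (EFI) version and model identifier and report whether the firmware matches the expected version for that model. The expected-version table and the sample `system_profiler` output are constructed placeholders; the Apple support table linked above is where the real per-model values would come from.

```shell
#!/bin/sh
# Expected Boot ROM version per model identifier.
# CONSTRUCTED PLACEHOLDER VALUES: replace with Apple's published versions for your fleet.
expected_firmware() {
  case "$1" in
    MacBookPro11,1) echo "MBP111.0138.B25" ;;   # placeholder, not a real value
    iMac14,2)       echo "IM142.0118.B14" ;;    # placeholder, not a real value
    *)              echo "" ;;                 # model not in the table
  esac
}

# Pull one labelled field ("Model Identifier", "Boot ROM Version") from
# system_profiler SPHardwareDataType text supplied on stdin.
parse_field() {
  sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# Classify a machine from its hardware-profile text:
#   OK        installed Boot ROM matches the expected version
#   OUTDATED  installed Boot ROM differs from the expected version
#   UNKNOWN   model not in the table, or fields missing from the input
firmware_status() {
  text="$1"
  model=$(printf '%s\n' "$text" | parse_field "Model Identifier")
  rom=$(printf '%s\n' "$text" | parse_field "Boot ROM Version")
  want=$(expected_firmware "$model")
  if [ -z "$want" ] || [ -z "$rom" ]; then echo "UNKNOWN"; return; fi
  if [ "$rom" = "$want" ]; then echo "OK"; else echo "OUTDATED"; fi
}

# Constructed sample standing in for `system_profiler SPHardwareDataType` output
# on a Mac whose firmware update did not take (versions are made up).
SAMPLE='Hardware:
    Hardware Overview:
      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,1
      Boot ROM Version: MBP111.0138.B17
      SMC Version (system): 2.16f68'

if command -v system_profiler >/dev/null 2>&1; then
  INPUT=$(system_profiler SPHardwareDataType)   # live data on a real Mac
else
  INPUT="$SAMPLE"                               # offline: use the constructed sample
fi
# Jamf extension attributes take the value between <result> tags.
printf '<result>%s</result>\n' "$(firmware_status "$INPUT")"
```

With this scoped as an extension attribute, a smart group on the values OUTDATED and UNKNOWN gives the per-model tracking the thread is asking for without hand-building one group per firmware version.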