Apple Mac fans told: Something smells EFI in your firmware

Silver badge

EFI updates are delivered alongside OS updates... The problem I've noticed is if you skip a point update, it may not get installed when you later install a combo update.

I've had to manually download the point update with the EFI update in question, extract the EFI update, and manually run it.

8
1

EFI updates are delivered alongside OS updates...

That's what I thought. So if you install the updates in order, your EFI firmware should be fine.

3
2
Silver badge

And it's nearly impossible to do this

If I leave my Mac turned off or not connected to the internet for a week or two, I'll miss a point update.

If I delay an update for a couple of weeks because I'm in the middle of something, I'll miss a point update.

If I go on holiday...

None of these things should matter because I should get all the updates next time. That's the whole point of automatic updates!

9
0
Silver badge

Combo updates are there precisely if you skip one or more point updates but it looks like they don't carry the EFI updates.

I just checked my 2012 MBP. An EFI update which came out two years ago is missing, yet I'm running Sierra.

0
2
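The two posts above describe the same defender's check: read the Boot ROM (EFI) version a Mac reports and compare it with the version an admin recorded after fully updating a reference machine of the same model. Here is an added example of that check in POSIX shell (not code from the thread or from Apple); it parses `system_profiler SPHardwareDataType` output, and the version strings and expected value are constructed placeholders, because Apple's firmware version formats differ across generations and cannot be ordered numerically, so an exact match against a recorded value is used.

```shell
#!/bin/sh
# Added example: flag a Mac whose EFI (Boot ROM) version differs from the
# version an admin expects for that model. Assumes the text format of
# `system_profiler SPHardwareDataType`; all version strings are placeholders.

# Extract a "Key: value" field from system_profiler-style text on stdin.
sp_field() {
  # $1 = key name, e.g. "Boot ROM Version"
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Classify the installed version against the expected one.
# Prints: current | mismatch | unknown (no version found in the report).
efi_status() {
  installed="$1"; expected="$2"
  if [ -z "$installed" ]; then echo unknown
  elif [ "$installed" = "$expected" ]; then echo current
  else echo mismatch
  fi
}

# $1 = system_profiler SPHardwareDataType text, $2 = expected Boot ROM version.
# Returns 0 only when the firmware is current, so it can drive an inventory job.
check_mac() {
  model=$(printf '%s\n' "$1" | sp_field "Model Identifier")
  rom=$(printf '%s\n' "$1" | sp_field "Boot ROM Version")
  status=$(efi_status "$rom" "$2")
  printf '%s: installed=%s expected=%s -> %s\n' "$model" "$rom" "$2" "$status"
  [ "$status" = "current" ]
}

# Constructed sample report shaped like a 2012 MacBook Pro; the firmware
# versions are placeholders, not real Apple release identifiers.
SAMPLE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro9,2
      Boot ROM Version: MBP91.00D3.B00
      SMC Version (system): 2.2f44'

# Placeholder value an admin would record from a reference machine of the
# same model after applying every point update in order.
EXPECTED_MBP92='MBP91.00D7.B00'

# On a real Mac the first argument would be "$(system_profiler SPHardwareDataType)".
# The sample is deliberately stale, so this prints "mismatch" and returns 1.
check_mac "$SAMPLE" "$EXPECTED_MBP92" || :
```

A mismatch here does not by itself say which update was skipped; it says the machine needs the point update that carries the EFI package, which is the manual step the first poster describes.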
Silver badge
FAIL

Obviously downvoted because Apple's patching doesn't work.

Guess what. I downloaded the manual EFI patch and it needs 10.9.5. Just that version, nothing else.

Apple dropped the ball with EFI updates.

0
0
Silver badge

Mostly, I'm just amazed there's 70,000 Macs in use in Enterprise environments.

12
26
Silver badge

I really wondered how they got access to that many Mac computers "legally"... I didn't see anything about "Enterprise" in the article.

1
1
Silver badge

A cloud-managed network (e.g. Cisco Meraki) would be able to provide anonymised version information on all kinds of things without having to actually interfere with a customer's network.

4
1
Silver badge

"Creatives". People who think Adobe Illustrator is an IDE and HTML is a programming language. This isn't new: a couple of decades ago they would have been doing the same thing in Quark Xpress.

11
19
Silver badge

A Mac is: the UNIX laptop that's durable, supported for a prolonged period, readily available in bulk everywhere in the world, and safe to base a fleet on because it or the next model will still be available next year. As a result they're ubiquitous across Silicon Valley.

32
15
Silver badge

"Creatives". People who think Adobe Illustrator is an IDE and HTML is a programming language.

What does that have to do with firmware updates?

19
1
Silver badge

"As a result they're ubiquitous across Silicon Valley."

No, they're common there because Apple is still seen as cool and trendy, nothing to do with it being Unix. The sort of people who want a proper Unix laptop, i.e. not locked down (yet), don't use non-portable niche Objective-C for system programming, differentiate by default between upper and lowercase in the file system, have X Windows as the default graphics system (yes, that is a plus point for many people) and a usable GUI: not the archaic Finder bar with menu options scattered at random between Finder and the application windows, will just install Linux or *BSD.

19
18
Silver badge

re: What does that have to do with firmware updates?

The OP was wondering what all those Macs were doing at "Enterprise" sites.

1
1
Silver badge

@boltar

Trust me, the people who are actually paid to keep 10,000 employees in laptops have little emotional attachment to each machine. They just like to be able to stockpile them, swap them at a moment's notice, or even authorise a travelling employee to replace their own with a quick trip to the High Street.

They're probably also aware that Objective-C has never been a systems language and isn't even the thing people use for UI development now. It is frustrating that Apple has its own language for UI development perhaps, but given that the alternatives are C# (Windows), Java/Kotlin (Android), C++ with a custom preprocessor (Qt), C (GTK), there's no trend being bucked.

Apple's system languages of choice are C and C++. You can observe this from the open source kernel, or anything else Apple has ever open sourced. Such as their kernel. Or the Clang compiler.

I have never before heard somebody simultaneously try to argue that randomised menu scattering is a bad thing and that X Windows is a good thing.

10
3
Bronze badge

IBM did a MASSIVE install of over 100k Macs.

That is being managed by some system I forget the name of (they have a video).

But that system tracks all aspects of the Macs.

7
0
Orv
Silver badge

I used to use a Linux laptop for my sysadmin work. The problem is laptop hardware and Linux really don't get along, and at some point I got tired of fighting the machine I was supposed to be using to fix other broken machines. I switched to MacBooks and haven't looked back. It has a terminal emulator, it can run SSH-forwarded X-windows apps...it does what I need it to do, and it doesn't break all the time.

Trust me, after years limping along running Linux, just having a machine that would reliably resume after being suspended felt like a huge luxury.

14
6
Orv
Silver badge

They're extremely popular in higher education, and any good-sized college is enterprise scale.

9
0
Anonymous Coward

readily available in bulk everywhere in the world

Don't forget "with support everywhere in the world" - it's one of the major benefits of a Mac that there are many places where you can get help and have something fixed or even replaced. It means you have to hold very little stock in your company.

That used to be the reason we used Thinkpads, but since we switched to Macbooks and macOS our per-user TCO has dropped quite a bit (not just on the hardware, resource overhead costs are way down as well). If only our management wasn't addicted to Microsoft Office, but some things are just too hard to change - at least we got them to switch with a combination of cost calculations and shiny :)

9
1
Anonymous Coward

@boltar, you've never actually used a Mac in an Open Source context, have you?

A Mac is the perfect combination between a desktop that is supported by many good software providers but is not Microsoft Windows, and Open Source. Macs talk Open Standards by default and support most Internet programming languages out of the box (perl, php et al). To develop on a Mac will cost you some money if you want to sell to others, but it's quite a small amount because you do not have to cough up for any software to develop for the whole Apple ecosystem - that is free.

My developers choose something that allows them to get work done in an Enterprise setting, which means they need stuff that is stable and can even be replaced in full on a moment's notice. Until such time as Microsoft stops gaming the hardware world (you didn't think the PC switch from BIOS to UEFI was problematic for Linux by accident, do you?), Macs are the perfect tool to actually get any work done in a pleasant and always functional environment.

You're welcome to your "yet another PC laptop I had to hack to get Linux stable and God help me if they have not released Linux drivers" world, our guys just want to buy a machine, load up an editor and get to work. If it breaks, it takes very little time to replace the machine (anywhere in the world) and spool back their backup because they do not have any OS and firmware battles to fight along with it.

If you see Mac use as elitist, trendy and too cool for you, you're really telling me you're not able to assess facts objectively, waste time and have an attitude problem. Or, translated, hard to employ in a commercial setting.

13
8
Anonymous Coward

That is being managed by some system i forget the name of (they have a video).

The management software to go for is Snow software, a Swedish product. Some UK police forces use it to also manage their iPhones because it's very fast and secure and integrates that management with PCs and Windows architecture (its core unfortunately runs on Windows Server, which is why we had to brew our own instead - we have an explicit ban on Windows for any server based activity).

4
1
Silver badge

The problem is laptop hardware and Linux really don't get along

My local DIY store doesn't stock brushes that wide. I have two Dell and one HP laptop, all with Mint and they all resume perfectly reliably (one of the Dells resumed last week after idling for over a month) and only one of them ever required any manual jiggery pokery (PulseAudio - quelle surprise) and that was just to tweak the configuration file.

Mostly I use Win10 because mostly I'm doing something or other in Visual Studio, but if I'm working the embedded part of the stack (gcc cross compilers, Yocto) or the servers (CentOS, Ubuntu) then I'm in Linux all the time. The only thing I've seen a Mac do that won't work elsewhere is a storyboard tool (Scribble or Sketch or something like that) and that's not something I'm interested in.

9
3
Silver badge

Re: @boltar

"Apple's system languages of choice are C and C++"

Really? Well good luck doing any video or sound processing on OS/X without using any Objective-C. Yes, you have the core Posix API which is C, but everything else Apple specific system related is Obj-C.

"I have never before heard somebody simultaneously try to argue that randomised menu scattering is a bad thing and that X Windows is a good thing."

I find it amusing that in 2017 there are still people who don't understand the difference between the X server and the window manager that runs on top. Clue: The former provides the low level graphics API and networking, the latter provides the GUI. Menu scattering has the square root of bugger all to do with the X server.

4
6
Silver badge

"You're welcome to your "yet another PC laptop I had to hack to get Linux stable and God help me if they have not released Linux drivers" world"

I installed Slackware 14.2 on my laptop. Everything worked first time; the only thing I needed to do was download some printer drivers. YMMV.

5
4
Silver badge

Re: @boltar

Apple has all but deprecated Objective-C. Objective-C's only substantial surviving use in new development is that via Objective-C++ it bridges to C++ slightly more easily than does Swift, though an alternative route through C may be more desirable - one can now annotate appropriately to produce an object interface in Swift as desired; it has always been able to make plain C calls because, as you mention you are aware, Apple's Core frameworks are generally plain C.

As a daily X user it is hard not to be fully aware of the distinction; I was just pointing out the juxtaposition of a claim that inconsistency is problematic and a claim that X is essential. My work machine is Ubuntu MATE but I spend a lot of time NX'd across to a RedHat machine running a distinct version of GNOME. Then Eclipse on the NX'd machine for most of the actual work. So on net I deal with a completely incoherent UI. The Mac I used in my previous job at one of the 50,000+ head Silicon Valley companies was infinitely more consistent. But you'd be an idiot to use a Mac as a back-end server, and I've experimentally switched which side I develop for, so here I am.

I've actually been a Mac user for over a decade. I think inconsistency probably peaked somewhere around 10.4 or 10.5, when you'd frequently see at least three types of window chrome just on Apple's own apps (brushed metal being the oddest detour, but unified versus non-unified toolbars ran for a while, and drawer interfaces took a while to die off). I really don't see that an open minded user would have any cause for confusion.

5
1
Orv
Silver badge

I have two Dell and one HP laptop, all with Mint and they all resume perfectly reliably (one of the Dells resumed last week after idling for over a month) and only one of them ever required any manual jiggery pokery (PulseAudio - quelle surprise) and that was just to tweak the configuration file.

I'm glad you've been so lucky. My experience has been that every install had nagging issues, and what worked from the start frequently broke after upgrades. And it's not that I'm inexperienced; I first started trying to run Linux on laptops in about 1997. (Back then you had to hand-code modelines to try to get X11R6 to drive LCD panels properly.)

I've had a lot of problems with things like WiFi failing after suspend/resume, and requiring a reboot to fix, that kind of thing. (Sound only rarely worked for me, but I didn't care about that for work purposes.) The kind of stuff you can work around in a casual context, but that quickly becomes annoying when you're trying to get work done. From what I gather, Linux's suspend/resume architecture relies on every single hardware driver properly resetting on resume, and if one of the ones your machine needs is sloppily coded, you're out of luck.

I will grant that if you manage to get everything working, then don't ever install a kernel update, it will be fairly trouble-free. But I prefer to have my machines fully patched.

2
4
Orv
Silver badge

Don't forget "with support everywhere in the world"

That's such a luxury, TBH. Someone's on a trip and they break the screen on their laptop, just send them to the nearest Apple Store. They're basically the only machines you can still get repaired in person.

3
1

> A Mac is: ... durable

Not according to my experience. These things break as often as anything else.

3
1

Linux runs on more diverse hardware than any other operating system. You have had issues with a particular model of laptop so instead of finding a well supported model (most are nowadays BTW) you switch operating systems to something that you have a game trying to compile code on for the system that will actually run it.

Most of the devs (and Sys Ops/Dev Ops guys) I know use Linux on their laptops with only the junior kids who care more about fashion that use a Mac.

Linux is a superb professional desktop environment. Solid, reliable, performant, secure and updates are seamless (you don't even need to reboot your machine to install them). If it is good enough for all of google....

7
7
Anonymous Coward

Not according to my experience. These things break as often as anything else.

It depends how you treat them. We log who breaks machines often and move them onto our inheritance list: they don't get new machines, they get the cast-offs of those who treat machines properly and so get cycled onto new machines according to our write-off model.

We would love to mark those machines as cast-offs, but that gets in the way of Apple's return policy (yet another reason we use Macbooks: no environmental policies to worry about - the money back is more of a bonus).

Those who dislike Apple's laptops are either unable to afford the startup costs (so it's sour grapes), or don't know how to count. The total TCO figures don't lie, especially if you're able to ditch Microsoft completely in the process.

4
4

@anonymous coward : "Until such time as Microsoft stops gaming the hardware world (you didn't think the PC switch from BIOS to UEFI was problematic for Linux by accident, do you?)"

A bit ironic that you're posting on a thread about Mac EFI firmware, and b*tching about UEFI!!

4
0

@anonymous coward - "If you see Mac use as elitist, trendy and too cool for you, you're really telling me you're not able to assess facts objectively, waste time and have an attitude problem. Or, translated, hard to employ in a commercial setting."

Or maybe boltar is a bit more commercially astute than you obviously are and sees the danger of being locked into one (high handed, expensive) supplier for both software and hardware. Does it not worry you that if Apple suddenly shifts direction and drops your preferred macbook size/type you literally have nowhere else to go! Apple: closed software + closed hardware = lock-in!

6
4
Silver badge

Re: @boltar

"it has always been able to make plain C calls because, as you mention you are aware, Apple's Core frameworks are generally plain C."

Well Carbon is deprecated and any low level C API calls are either poorly or not documented at all.

"I was just pointing out the juxtaposition of a claim that inconsistency is problematic and a claim that X is essential"

They're completely separate issues, and given that with X you have a choice of half a dozen main desktops and dozens of minor ones I can't see what the issue is. Don't like Gnome? Use KDE. Don't like KDE either? Use twm. What's the problem?

As for X networking, I'll admit it's of little consequence to most users, but it is extremely useful for power users like myself to just remotely execute an application that appears on my local desktop. Of course the Wayland devs are trying to convince everyone that graphics networking is irrelevant because it's too hard for them to implement. They're not fooling anyone.

1
4
Silver badge

@Orv

"I've had a lot of problems with things like WiFi failing after suspend/resume, and requiring a reboot to fix,"

With Linux you can unload then reload kernel modules on the fly. That generally fixes almost all driver issues that in other OSs would require a reboot.

1
1
Anonymous Coward

A bit ironic that you're posting on a thread about Mac EFI firmware, and b*tching about UEFI!!

Not really. I am one of the select few on this forum that have been using Microsoft products since PC clones came with a turbo button, so I am very familiar with all of Microsoft's machinations throughout the decennia (yes, that long). As it so happens, I am also a big fan of Open Source for simple, sound operational, financial and interoperability reasons, so I think I speak with a fair bit of experience in the matter when I say that the whole UEFI game was rather transparent for those who have seen it all before.

As for Macs, I just don't buy the holier than thou attitude that some people have against Macs if it is not based on solid arguments. We deal with a LOT of people who cut code for a living, and some use Macs and some use PC. For us, Macs work, and we can use the same environment for everyone. It makes sense from so many perspectives that it would be silly not to do it.

4
0
Anonymous Coward

Or maybe boltar is a bit more commercially astute than you obviously are and sees the danger of being locked into one (high handed, expensive) supplier for both software and hardware

Why do you think we like Open Source? We don't even use Microsoft Office (I think we have one copy for compatibility reasons). If Apple wants to change direction, fine, we can still go for PCs. I don't think so, though, because the upwards trend in Mac spending is exactly because other companies are starting to figure out what we saw some 5 years ago.

This is why we stick with COMMERCIAL reasons for a platform choice. It's based on facts. We don't care about the clubby thing other than that it's occasionally entertaining.

As for "closed" source, we found macOS integrates well with a *nix based backbone, even from an office perspective (imap/smtp/caldav/carddav/webdav). Only for SCP we had to get some software to stick a GUI on it (the command line has it built in).

4
0

@Orv

Your view is a bit challenged geographically I'm afraid. Yes, for the US I agree with you. But for universities in the EU it is PCs most of the time due to budgetary reasons. And this is not just your admin or student-writing-thesis box, but also boxes connected to really savvy kit...

2
0
Silver badge

It's "Creatives" with enough money to spend to get nice machines with nice screens, and a nice Unix based OS which isn't Slurp. Good for them.

1
1
Silver badge

Re: @boltar

"I find it amusing that in 2017 there are still people who don't understand the difference between the X server and the window manager that runs on top."

Let's be honest here. I love Linux too, but there is not much to admire about the desktop environment in Linux, regardless of distro or window manager. It's a bit of a mess. You really do need to try to force apps to comply with some common GUI rules. Luckily, most people only ever use a couple of programs (mainly a web browser and email), so it's less of a problem now than it used to be.

P.S.: I suspect the poster you replied to was thinking about the overall GUI experience, rather than the actual X server. BTW, no window manager in the world can make Linux programs consistent with each other. Back in my day it just managed windows, and put some decorations and window management buttons around them. Not sure if they try to do a bit more today.

5
0
Silver badge

"would have been doing the same thing in Quark Xpress"

They WERE doing the same thing in Quark. A few years ago Quark added an HTML exporter so that your nice 200Mb EPS files could be exported as a 200Mb PNG file instead.

Bandwidth? Mobile? Pfft.

2
0

@Anonymous Coward

If you're one of a "select few" then I must be one of a "very select few" who goes back way beyond turbo buttons to when clones were referred to as IBM PC clones! And that's the key here: the old PC BIOS had a design that dated all the way back to the original IBM PC - okay, it had been tinkered with over the years but it was basically still a 1980s design. So I don't get why you're b*tching about UEFI yet don't complain about EFI on Macs. Something had to be done to update the PC BIOS design and an enhanced version of EFI has been a good solution, and in spite of all the moaning and conspiracy theories when it was introduced it is supported by lots of open source OSes.

As regards the "Macs work" argument, it somehow implies that PCs don't and it's hard to set up development environments under Windows or Linux. All I can say is if you find it that hard, perhaps you should consider another calling ;)

2
0
Anonymous Coward

Something had to be done to update the PC BIOS design and an enhanced version of EFI has been a good solution, and in spite of all the moaning and conspiracy theories when it was introduced it is supported by lots of open source OSes.

I am well aware of just how much work that took. That support took a LOT of reverse engineering.

As regards the "Macs work" argument, it somehow implies that PCs don't and it's hard to set up development environments under Windows or Linux. All I can say is if you find it that hard, perhaps you should consider another calling ;)

Nice one :). I said "Macs work for us", so the implication lies elsewhere. I find macOS as a desktop a lot easier from a corporate perspective because I have one desktop for all, yet it is perfectly capable of supporting a Linux dev. with many corporate benefits of doing so.

Could we do the job with Linux based PCs? No doubt, but then I have two separate machine pools, with only one I have some guaranteed server model for because there's no telling what chipset the next laptop is going to have (i.e. which battles I have to fight now), unless I buy a stack of them + spares. With a Macbook I know exactly what I'll get, and it takes very little effort to load it up with the software list.

It's not hard, but it's simply more work. This ventures into the same discussion about macOS vs Windows when it comes to security: both can be secured, but the amount of effort it takes to make it secure and keep it that way differs substantially. I'd rather have a dev coding than tweaking desktop settings or trying to get some laptop feature to work.

0
0
Orv
Silver badge

Or maybe boltar is a bit more commercially astute than you obviously are and sees the danger of being locked into one (high handed, expensive) supplier for both software and hardware.

It's actually not that bad. Very little of our software is actually Mac-specific. A lot of it just runs better on Macs. (UNIX-y stuff like TeX and SAGE, for example, is a lot closer to the environment it expects to run on on a Mac than it is on a Windows machine. No, Cygwin is not even remotely the same thing.) The machines speak standard protocols like LDAP and SMB. If Apple vanished tomorrow we wouldn't be any worse off than we'd be if we'd gone with Windows to start with.

1
0
Orv
Silver badge

Re: @Orv

With linux you can unload then reload kernel modules on the fly. That generally fixes almost all driver issues that in other OSs would require a reboot.

Not all drivers are written to allow them to be unloaded, and not all of them can re-initialize hardware properly without a reboot. Also, having to run commands in a terminal every time I resume a machine from sleep is the kind of amateur hobbyist OS annoyance that I'm trying to get away from, so I can focus on my actual job.

Mind you, spending a few days trying to get video configured right on my laptop was great fun 20 years ago when it was my hobby. Now that I maintain Linux servers for a living, the last thing I want to do is play with it at home. Too much of a busman's holiday.

1
0

You can't look at version numbers alone and conclude anything. I deal with driver and firmware updates all the time in my development work. And we frequently run older versions because they are better for what we need. The patched security holes may relate to hardware options that are not used, or may be a hole already determined to lead nowhere exploitable on the Mac system. This can only be determined by detailed analysis. You can be sure someone in Apple is doing precisely that. I know from bitter experience, automatically jumping on the latest firmware is not the best way to ensure quality or security, and rational analysis of the facts on the ground usually leads to a far more conservative decision than many would appreciate. The idea this external Security Firm can tell how secure a system is from looking at percentages of machines with firmware version x is frankly pretty unprofessional. These outfits always seem to be turning out this kind of a report in the hope of gaining publicity.

8
1
Anonymous Coward

EFI - Envisioned For Intrusion

Ah for a BIOS that had a jumper to prevent flashing.

18
6
Anonymous Coward

Well, not a jumper, but I challenge you to get any data off my Macbook or reflash its EFI without my permission or knowledge.

It's had all EFI updates applied as soon as they appeared (well, after a week's waiting time to see if any bugs showed up), it has Filevault active and (very important) it has a boot password set. Short of desoldering parts, the machine is useless and unsellable without it (another benefit of the new Macbooks - they now only have spare parts value for any thief because it's simply impossible to change ownership without the owner's active collaboration).

We now mandate Macbooks for anything to do with security and data protection because they're so easy to protect. Even the people who travel and use an external USB backup disk are safe as we encrypt that disk - that's invisible to the user unless they try to plug it in somewhere else.

5
0
Silver badge

Hackers and other ne'er-do-wells are surely spoilt rotten nowadays - they've got a lot of targets to pick and choose from.

6
0
Silver badge

That's the cunning plan. Give them so many targets they get confused and give up.

Why else is IoT security so bad?

6
0
Anonymous Coward

Mac Pro

"Mac sysadmins too often ignore the importance of EFI firmware updates"

What firmware updates?? I run a Mac Pro workstation, and I have not seen an EFI update since I think the year I bought it!

I am under the impression that Apple doesn't bother issuing firmware updates for hardware older than a couple of years - you are apparently supposed to be rich or stupid enough to throw away your perfectly good hardware and buy the latest model every other year.

5
9
Silver badge

Re: Mac Pro

Mine (on a 4-year-old machine) have come along with another upgrade - although some other commentard pointed out that this is not necessarily the case if you delay/ignore upgrades which would seem to be a significant problem.

6
0
