There’s trouble in that firmware: EFI chaos

We have recently been given two glimpses into the strange and rarefied world of Mac EFI firmware. Taken together, they suggest that things are not as good as they should be. In fact, the distribution of firmware updates, and the versions actually installed on Macs, appear to be chaotic.

The first was in a stream of tweets (since deleted) from one of the engineers working on High Sierra’s new feature which checks the EFI firmware in every Mac running High Sierra once a week. Given that Apple makes all Macs, their firmware, macOS and its updates, you might have expected Apple to know exactly what is in the firmware of every Mac, and to have ensured that those Macs are running the latest version for that model.

One reason for High Sierra checking firmware every week is to enable Apple to complete its database of all the different versions and variants of firmware running on Macs. This is because it doesn’t know what is in the firmware of every Mac, and has yet to figure out exactly which versions are still in use.

Part of the problem lies in the way that firmware updates are distributed. In the past, they were supplied both as separate updates and bundled with operating system updates. They are now no longer supplied separately, but only as part of macOS updates and upgrades.

The result is that this iMac17,1 could have any one of several different EFI versions, depending on which macOS updates and upgrades have been applied to it. If I had left it running its original system installation, El Capitan 10.11, it would still be running the original version of its firmware. It is only because successive macOS updates have been installed that it is now running the latest firmware release for this model.

This is an issue which Rich Smith and Pepijn Bruienne at Duo Security have been looking at very carefully. They have matched the firmware versions of over seventy thousand Macs against their analyses of firmware updates supplied in macOS versions 10.10 to 10.12.6.

They discovered that many Macs which would be expected to be running more recent firmware are actually still running older versions. In some cases, they found Macs which, in spite of having had macOS updates and upgrades installed, have been left with their original firmware versions. This has left many Macs exposed to known EFI firmware vulnerabilities.

Although their work has been painstaking and thorough, it contains mystifying discrepancies which suggest that the real picture is even more complex. Looking again at this iMac17,1: according to their Table 10, which gives the highest released EFI firmware version for each model, it should be running version 0105 B20, supplied as part of the El Capitan updates.


Prior to upgrading to High Sierra, it was in fact running version 0105 B26, which is a more recent version installed by one of the later Sierra updates. Now that it has been upgraded, it is running version 0110 B00. I have tried in vain to discover Apple’s official line on which is the latest firmware version for this model: as you might have expected, Apple doesn’t seem to release that information, nor does it or its installers ever inform the user when a firmware update is due, or is successfully installed.


I think that it’s excellent that Apple is now starting to look into these firmware issues. Just as Macs running all recent versions of macOS / OS X should get software security patches appropriate to those versions, shouldn’t they also get firmware updates to address known vulnerabilities?

However, this exposes a flaw in Apple’s current method of distributing and installing firmware updates. If I had not upgraded this iMac to Sierra 10.12.6, it would apparently still be running version 0105 B20; if I had not upgraded it to High Sierra, it would still be running version 0105 B26. Delivering EFI firmware updates is proving to be unreliable, and is leaving users vulnerable. What’s more, Smith and Bruienne’s study shows that some users who do install the latest macOS updates still don’t seem to get their firmware properly updated.

Duo first made Apple aware of these issues over three months ago. I don’t see any response from Apple, other than generic advice to upgrade to High Sierra – which continues to distribute and apply firmware updates by the same flawed mechanism, leaving some Macs exposed to vulnerabilities.

While we wait for Apple to decide what it’s going to do about updating EFI firmware, what can you do to ensure that your firmware is fully up to date?

First, check the firmware version shown as Boot ROM Version in the Hardware Overview section of System Information against the version number listed for your model in Table 10 of Duo's report. If yours equals or is higher than the version listed, your firmware is at least as recent as the latest release Duo identified, and should include the patches for the known vulnerabilities.

If your Mac has a lower version number than expected, bring it up to date with the latest version of macOS which you can safely run. If you don’t want to upgrade to Sierra or High Sierra, then download and install the last Combo updater for its major version from Apple support. So if you’re still running any version of Sierra, install the Combo updater to take it to 10.12.6. Then check the firmware version again.

If you can, consider upgrading to High Sierra, which should install new firmware on every Mac.

If none of these works, contact Apple support or your nearest Genius Bar.
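The version check in the first step can be scripted. The following is an added example, not code from the original post or from Duo: it reads the Boot ROM Version from the text produced by `system_profiler SPHardwareDataType` (the command-line equivalent of the Hardware Overview in System Information), picks out the four-digit release number and the B-numbered build that follows it, and compares them with the highest released version for the model. It assumes that the version string contains those two fields in that order (as in IM171.88Z.0105.B26.1706030828 or IM171.0110.B00); the model prefix and any other fields are ignored. The expected version is the 0105 B20 the post quotes from Duo's Table 10 for the iMac17,1, and the sample report is constructed so that the script also runs on a machine that is not a Mac.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Mac's EFI
# ("Boot ROM") version is at least as recent as the highest released version
# for its model.
#
# Assumptions made by this example:
#  - The version string contains a four-digit release number immediately
#    followed by a build field beginning with 'B', e.g.
#    IM171.88Z.0105.B26.1706030828 or IM171.0110.B00. Other fields are ignored.
#  - The expected version for iMac17,1 is the post's reading of Duo's Table 10
#    (0105 B20); the model prefix on that string is illustrative only.

# efi_fields VERSION -> prints "RELEASE BUILD" (e.g. "0105 26").
# Fails (status 1) if the string does not contain the expected pair of fields.
efi_fields() {
    prev=""
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for f in "$@"; do
        case "$prev/$f" in
            [0-9][0-9][0-9][0-9]/B[0-9]*) printf '%s %s\n' "$prev" "${f#B}"; return 0 ;;
        esac
        prev=$f
    done
    return 1
}

# efi_status INSTALLED EXPECTED -> prints current | outdated | unknown.
# The release number is compared first, then the build; equal counts as current.
efi_status() {
    inst=$(efi_fields "$1") || { echo unknown; return 0; }
    want=$(efi_fields "$2") || { echo unknown; return 0; }
    ir=${inst% *}; ib=${inst#* }
    er=${want% *}; eb=${want#* }
    # test(1) compares these as decimal integers, so leading zeros are harmless.
    if [ "$ir" -gt "$er" ] || { [ "$ir" -eq "$er" ] && [ "$ib" -ge "$eb" ]; }; then
        echo current
    else
        echo outdated
    fi
}

# boot_rom_from_report: reads system_profiler SPHardwareDataType text on stdin
# and prints the value of the first "Boot ROM Version" line.
boot_rom_from_report() {
    sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# Constructed sample report, laid out like system_profiler output, so the
# example runs on a machine that is not a Mac.
SAMPLE_REPORT='Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac17,1
      Boot ROM Version: IM171.88Z.0105.B26.1706030828
      Memory: 16 GB'

# Highest released version for iMac17,1 according to Duo's Table 10, as quoted
# in the post; the timestamp field is omitted because it is not compared.
EXPECTED_IMAC171='IM171.88Z.0105.B20'

# check_report REPORT_TEXT EXPECTED -> status of the Boot ROM version in the report
check_report() {
    installed=$(printf '%s\n' "$1" | boot_rom_from_report)
    efi_status "$installed" "$2"
}

# On a Mac, query the real machine; elsewhere fall back to the constructed sample.
if command -v system_profiler >/dev/null 2>&1; then
    report=$(system_profiler SPHardwareDataType)
else
    report=$SAMPLE_REPORT
fi
echo "Boot ROM Version: $(printf '%s\n' "$report" | boot_rom_from_report)"
echo "Status against $EXPECTED_IMAC171: $(check_report "$report" "$EXPECTED_IMAC171")"
```

Substitute your own model's entry from Table 10 for EXPECTED_IMAC171 before relying on the result; an `unknown` status means the version string did not match the assumed layout and should be compared by eye.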