DGB (07-07-19, 01:23 PM)
Last Week on My Mac: Useless information
by hoakley



The Mac is tantalising in the long lists of information which it can
display, for example in System Information. One of the most obvious is
what it terms Boot ROM Version, included in the first hardware overview
which greets you when you open that app. If your Mac has a T2 chip,
you'll see its Firmware Version given when you select the Controller
item. Recorded in Installations is each pushed security update too: at
the moment, the last listed here is Gatekeeper Configuration Data
version 171.

But what do those version numbers mean? Is my "Boot ROM" - actually EFI
Firmware now - up to date? Have I missed any security updates? Is my T2
chip running the recommended current firmware, or has it fallen behind?

The curious fact is that, whilst Apple trusts us to know all those
version numbers, it doesn't trust us to know what they mean. The result
is that many Macs aren't running the current version of EFI firmware for
that model, and when its firmware fails to update successfully during a
system update, the Mac user isn't informed of that failure either.

Apple did try to do something about this when it released High Sierra.
Since then, every week Macs have automatically run the tool eficheck,
which examines the active EFI firmware and reports whether it's among
those which Apple deems current, and whether its signatures differ. But
it doesn't inform the user of whether that Mac is running the current
firmware, and users aren't made aware of the information it sends back
to Apple. Maybe Apple, in its present drive to protect our privacy,
considers that information too private for users to know.

In any case, most Mac models now ship with a T2 chip, something which
breaks eficheck. So neither Apple nor Mac users know whether newer Macs
have up to date EFI firmware at all.

Until last October, with the EFI firmware updates brought in Mojave
10.14.1, the system for numbering EFI firmware versions was cryptic and
messy. Apple therefore replaced it with a numbering system which is
still model-specific, so impossible to decipher without being given a
model-by-model list. And even more curiously, eficheck now gives both
old and new version numbers - so long as your Mac doesn't have a T2
chip, in which case it gives neither.

Apple doesn't provide users any information on:

current EFI firmware version by model;
latest release version of XProtect;
latest release version of Gatekeeper data;
latest release version of MRT;
latest release version of the TCC database.

And quite possibly more. I do my best to cover these in my list of EFI
firmware versions and some free software, but those are unofficial and
far from complete.

None of this would be important if we could rely on macOS installers and
updaters always to bring our Macs fully up to date. But there's ample
evidence, from users who are running Mojave 10.14.5 on systems with EFI
firmware which hasn't even been updated to the new numbering system,
that this simply isn't true. Other users report that they can't get
their Macs to recognise that a security update is available several days
after it has been released.

eficheck was introduced because Apple realised that many Macs were
running EFI firmware which was very old. This was confirmed publicly by
Duo Labs, who published an analysis revealing how many Macs were running
EFI firmware which was badly out of date. As eficheck is only available
in High Sierra and later, Macs which are still running Sierra and
earlier don't get their EFI firmware checked at all. Apple seems to have
abandoned them, although the evidence from Duo Labs' study is that it is
older Macs which are the most likely to have problems and even firmware
vulnerabilities.

It would be so simple for Apple to incorporate checks into System
Information to inform users of whether the version numbers listed there
for EFI firmware and pushed security updates were up to date. If Apple
really wanted to improve the security of our Macs, it's an obvious step
to take. Just as my car warns me volubly if I drive off without my
seatbelt fastened, Apple should be encouraging us to ensure our Mac
security systems are fully operational, not hiding behind its usual silence.
Bob Campbell (07-07-19, 06:55 PM)
On 7/7/19 7:23 AM, DGB wrote:
> Last Week on My Mac: Useless information
> by hoakley


Congratulations. You found someone as paranoid and stupid as you.

> Posted in full as some folk don't click on my links (which ARE always
> safe!)


LOL, good one. The Village Idiot makes a joke.
Ed Norton (07-08-19, 05:31 PM)
On Sun, 7 Jul 2019 07:23:31 -0400, DGB wrote
(in article <UCkUE.15618$Fp7.14149>):

> Last Week on My Mac: Useless information


Why would anyone read self-described useless information?
Panthera Tigris Altaica (07-09-19, 04:18 PM)
On 2019-07-07 12:55, Bob Campbell wrote:
> On 7/7/19 7:23 AM, DGB wrote:
>> Last Week on My Mac: Useless information
>> by hoakley

> Congratulations.  You found someone as paranoid and stupid as you.


He found someone who is _almost_ as paranoid and stupid as he is. It is
_impossible_ to be as paranoid and stupid as he is, he's retired the trophy.

> > Posted in full as some folk don't click on my links (which ARE always
> > safe!)

> LOL, good one.  The Village Idiot makes a joke.


No. He's just lying. He does that all the time.