Apple,Security March 5, 2015 at 10:38 am

Thunderstrike Need-To-Know

When we heard about the ‘bootkit’ exploit branded Thunderstrike having the potential to remove all of your security controls it was pretty disturbing. Luckily Apple controls a relatively small number of models, and released a patch for several affected CPU versions, bundling it with 10.10.2 so as to lessen the number of reboots required. Unfortunately Apple doesn’t seem to have updated this page of boot ROM versions accurately. (You can query the current boot ROM value of your fleet with this munki conditional by Graham Gilbert.)

Still, in the description about what the security content of the patch (as separately provided to 10.8 and 10.9 as security update 2015-001) contains, they get you started with which models this patch addresses. (There’s a bunch, but in particular this is under “CPU Software”.) The problem for some of us comes in when you make your 10.10.2 image and inadvertently have a lingering issue for the new machines you’re preparing. If you receive machines that were still in inventory when this exploit hadn’t yet been patched in manufacturing, and go ahead and image them instead of running this patch you’d be preventing the patch from being applied to your most newly prepared machines. As there are separate patches for each boot ROM, they need to run on the applicable model, which a hardware independent thing like an AutoDMG image can’t provide for you. Thanks to Erik Gomez for bringing this to our attention with a radar.

Enough prologue, let’s get on to the fixing:
If you unflatten the 10.10.2 combo update, via

pkgutil --expand /Volumes/OS\ X\ 10.10.2\ Update/OSXUpd10.10.2.pkg /tmp/10.10.2unflattened.pkg

and Show Package Contents by right-clicking on it, you’ll see it also contains a FirmwareUpdate.pkg. Inside of that, in what may be described as a lazy way of making one package deliver different payloads conditionally, there’s a ‘Tools’ folder in the Scripts subdirectory. Twelve different models are covered with these patches, split into board ID-tagged SMC updates and boot ROM versions. If your organization predominately has only certain models, you may decide to lighten the 110MB+ pkg by cat’ing from /dev/null into the non-applicable boot ROM versions(I’d leave the SMC folder alone, though, since it’s only a few MBs). Whether or not you’re interpid enough to modify a payload that could potentially brick a machine, you do need to re-flatten the pkg (check the man page for pkgutil if you’re unsure or leave us a comment) so the installer won’t reject it when trying to apply it.


For those of you using JAMF for at least inventory, you can collect the machines you need to apply this patch for into groups with smart group logic like the following:
Operating System 10.10.2
Boot ROM is not MBA61.0099.B18
and Boot ROM is like MBA61

Or if you have Absolute Manage, I believe the criteria would be as follows (thanks to David Knuth):
OS Version contains 10.10.2
Boot ROM Information does not contain MBA61.0099.B18
Boot ROM Information begins with MBA61

And pardon the redundancy, but just to save you some research, the patches address the following models:
iMac models 14,1 14,2 and 14,3(which should end in B09) 14,4(B08) and 15,1(B01)
MacBook Pro models 10,1 and 10,2(B07), 11,1 and 11,2(B14)
MacBook Air 6,1(B18, as above)
Mac Mini 7,1(B01)
and Mac Pro 6,1(B11)

About Allister Banks

Allister has had the honor of writing a book with Charles Edge (, an article or two for MacTech Magazine, and speaking at conferences like MacAdmins Conference at Penn State. He lives in NYC, contributes to various open source projects, and speaks enough Japanese to order food.


1 Comment

  • The 10.10.4 update does also Firmware updates.
    Interesting that the list of updated machines is larger, and for some a newer versions.

    here is the list I find the EFIPayloads folder inside the 10.10.4 combo updater:

    user$ ls -l EFIPayloads

Leave a reply

You must be logged in to post a comment.