Last month, reports came out that Apple accidentally installed a fake firmware patch on internal development servers. That’s a lesson to all companies to be careful about where they get their patches.
What may have happened is that an Apple employee installed a patch shared by the hardware vendor’s employee, instead of using the official release of the patch, said Chris Nietzold, senior platform engineer at security appliance manufacturer MBX Systems.
“They may have procured the firmware from an unofficial source and didn’t follow the official release schedule,” he said.
The firmware included a potential security vulnerability and Apple reportedly ended its relationship with the supplier, Super Micro Computer, as a result.
Companies should make sure that the patches and updates they install are the official releases, rather than, say, hearing about a problem, Googling it, and downloading a patch from a random source on the internet.
Sometimes, a vendor employee offers an early release of an update.
“It is likely that one of Apple’s engineers was talking to a Super Micro engineer, and it was probably very well intentioned,” he said. “We’ve seen this exact scenario play out lots of times — and we take a step back and say, we’ll just wait for the official firmware, but thank you for the heads up.”
For updates that will be deployed at scale, such as to an entire data center or multiple data centers, companies should be even more careful before they deploy, said Nietzold.
“What we do — and perhaps what Apple didn’t do — is that whenever we get any kind of firmware we’ll first apply it on an isolated system, test it, make sure all the functionality is there, and check the integrity of the file to make sure it wasn’t modified from its original state,” he said.
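The integrity check Nietzold describes is, in practice, a comparison of the file you received against the digest the vendor published for it. The following is an added illustration, not code from Apple, Super Micro or MBX Systems: it assumes the vendor publishes a sha256sum-style manifest (one `digest  filename` line per image), parses that manifest, and verifies a firmware image against it before anything is flashed. The image bytes and manifest are constructed inline so the example runs offline; the file name `bmc-fw-2.1.bin` is a placeholder.

```python
import hashlib
import hmac

# Constructed sample "firmware image" and a tampered copy that differs in one byte.
FIRMWARE_OK = b"BMC-FW v2.1 (constructed sample image bytes)\n" * 64
FIRMWARE_TAMPERED = FIRMWARE_OK[:-1] + b"!"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole image, as lowercase hex (what sha256sum prints)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the vendor's published manifest (assumed sha256sum format:
# "<64 hex chars>  <filename>"). In real use this comes from the vendor's official
# release channel, not from the same ad-hoc source as the image itself.
VENDOR_MANIFEST = f"{sha256_hex(FIRMWARE_OK)}  bmc-fw-2.1.bin\n"


def parse_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines into {filename: digest}; reject malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'; strip it for lookup.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def manifest_is_wellformed(text: str) -> bool:
    """True if every non-comment line of the manifest parses."""
    try:
        parse_manifest(text)
        return True
    except ValueError:
        return False


def verify_firmware(name: str, image: bytes, manifest_text: str) -> bool:
    """Return True only if the image matches the digest the vendor published for it.

    An artifact with no manifest entry fails closed: there is nothing to compare
    against, so it must not be deployed on the strength of the manifest.
    """
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False
    actual = sha256_hex(image)
    # Constant-time comparison; length mismatch is also reported as False.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for label, image in (("official copy", FIRMWARE_OK), ("tampered copy", FIRMWARE_TAMPERED)):
        ok = verify_firmware("bmc-fw-2.1.bin", image, VENDOR_MANIFEST)
        print(f"{label}: {'matches vendor digest' if ok else 'MISMATCH - do not deploy'}")
```

A digest check only proves the file equals what the manifest says; it is only as trustworthy as the channel the manifest came from, which is why the manifest (or, better, a vendor-signed manifest) should be fetched from the official release channel rather than alongside an early copy passed along by an individual engineer. Run the check on the isolated test system first, and treat any mismatch, or any image absent from the manifest, as a stop.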
Firmware that has accidental security issues, or has been deliberately compromised by attackers, may cause a great deal of damage, especially if it is widely deployed.
“It could act as a conduit, a back door through which they could start deploying more of what they want to the data center,” he said. “And that could be disastrous. It’s critical to understand where all your components are coming from.”
Super Micro would not comment on the specific situation with Apple, but denied that there were security issues with its firmware.
“We can confirm that if any question regarding a security concern arises, the company thoroughly investigates the concern,” the company said in a statement.
“We can also confirm that during the period in question to the extent that any security concern was raised, after investigation it was determined that there was no valid security concern with respect to the Supermicro product. Supermicro believes that security is of the utmost importance and the company takes any and all security concerns extremely seriously.”