EFI Patch does not get installed through SUI/NetRestore

Number:rdar://20025715 Date Originated:03-03-2015
Status:Open Resolved:
Product:OS X Product Version:10.8,10.9,10.10
Classification:Security Reproducible:Yes
When deploying a NetRestore volume, the target machine will not have the latest EFI patch that corrects the Thunderstrike vulnerability. The machine will only receive the patch from the next delta/combo update.

This is because firmware updates are no longer issued through SUS environments outside of delta/combo updates.

Steps to Reproduce:
1. Download OS X Yosemite (latest at this time is 10.10.2) from the Mac App Store.
2. Open System Image Utility.
3. Select the Install OS X Yosemite (10.10.2, 14C109) source.
4. Select NetRestore image, click Continue.
5. Leave the default settings, create a dummy admin user to allow the process to continue.
6. Choose a target destination for the final output image and start the build.
7. Deploy to a client machine that has not had 10.10.2 installed previously.

Note: the same process with OS X Yosemite 10.10.0 also leaves the EFI patch unapplied.

Expected Results:
The EFI patch should be applied post-restore, since this is the somewhat expected behavior with bit-based imaging.

Actual Results:
The EFI firmware will not be patched until the next combo/delta update. Every machine deployed from a newly created NetRestore image is affected in the same way.
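A post-deployment check for this condition, added here as example code that is not part of the report: it parses system_profiler SPHardwareDataType output for the model identifier and Boot ROM version and compares the ROM against an expected version for that model. The expected-version table and the sample profiler output are constructed placeholders, not values from the report.

```shell
#!/bin/sh
# Added example: verify that a Mac deployed via NetRestore carries the
# expected Boot ROM (EFI) version instead of waiting for the next combo update.
# The expected-version table and sample output below are constructed placeholders.

# Extract a "Key: Value" field from system_profiler SPHardwareDataType text.
hw_field() {  # $1 = key, stdin = profiler text
  sed -n "s/^[[:space:]]*$1: //p" | head -n 1
}

# Expected Boot ROM version per model identifier (placeholder table;
# populate it from a machine known to be on the patched firmware).
expected_rom() {
  case "$1" in
    MacBookPro11,1) echo "MBP111.0138.B15" ;;
    MacBookPro11,2) echo "MBP112.0138.B15" ;;
    *) echo "" ;;
  esac
}

# Returns 0 when the firmware matches the expected version,
# 1 when it is outdated, 2 when the model is not in the table.
check_firmware() {  # $1 = system_profiler SPHardwareDataType output
  model=$(printf '%s\n' "$1" | hw_field "Model Identifier")
  rom=$(printf '%s\n' "$1" | hw_field "Boot ROM Version")
  want=$(expected_rom "$model")
  [ -n "$want" ] || return 2
  [ "$rom" = "$want" ]
}

# Constructed sample: a freshly restored machine still on the older ROM.
SAMPLE_OLD='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro11,2
      Boot ROM Version: MBP112.0138.B11
      SMC Version (system): 2.18f15'

# Same machine after the firmware update has actually been applied.
SAMPLE_NEW=$(printf '%s\n' "$SAMPLE_OLD" | sed 's/B11/B15/')

# Run with "live" on a real Mac to check the current machine.
if [ "${1:-}" = "live" ]; then
  check_firmware "$(system_profiler SPHardwareDataType)" \
    && echo "firmware current" || echo "firmware NOT current (rc=$?)"
fi
```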


Combo/Delta updates also contain FirmwareUpdate.pkg.

The package performs no sanity checks and only installs a receipt; there is no PackageInfo.

This will not occur when using NetInstall or through the Mac App Store application.

