CVE-2019-0090 remains a security flaw... how to check Bios Version on Mac?

Anyone running 9th generation or early Intel Chips remains vulnerable to this security flaw.


Has anyone heard if this has been exploited on a Mac System? I can no longer find any mention of this issue on the typical Mac user websites. Considering people keep their Macs for 3 years or more...


Is there a way to see if the Bios has been patched on my Mac?


Running this command in Terminal will tell you what version of Intel processor you have.


sysctl -a | grep machdep.cpu.brand_string
machdep.cpu.brand_string: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz


https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/cve-2019-0090-whitepaper.pdf


https://www.itsecuritynews.info/cve-2019-0090-flaw-affects-intel-chips-released-in-the-last-5-years/

https://www.intel.com/content/www/us/en/support/articles/000033416/technologies.html

https://www.intel.com/content/www/us/en/support/articles/000006059/processors.html


https://comp.sys.mac.system.narkive.com/Wgc21ZjC/another-unfixable-intel-chip-flaw-could-render-apple-s-filevault-useless

Posted on Apr 27, 2022 10:13 AM

Question marked as Top-ranking reply

Posted on May 5, 2022 12:04 PM

You can get the BootROM and SMC firmware versions from the Apple System Profiler. Option-click the Apple menu and select the first option. The information will be on the right pane along with other system specifications.
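A command-line way to read the same fields the reply above points to, as an added example that is not part of the original thread: `system_profiler SPHardwareDataType` prints the hardware overview, and the `firmware_fields` helper (a hypothetical name) pulls out the firmware lines. The sample report and its version numbers are constructed placeholders so the parser also runs on a non-Mac system.

```shell
#!/bin/sh
# Added example: extract firmware fields from a macOS hardware report.

# Constructed sample report (placeholder values, not from a real machine).
sample_report() {
cat <<'EOF'
Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac00,0
      Processor Name: 8-Core Intel Core i9
      Boot ROM Version: 0000.00.0.0.0
      SMC Version (system): 0.00f0
EOF
}

# Read a hardware report on stdin and print firmware fields as key=value.
# Older macOS releases label the field "Boot ROM Version"; newer releases
# label it "System Firmware Version". Both map to the same key here.
firmware_fields() {
    awk '
        # Strip everything up to the first ": " so values that contain
        # their own colons (e.g. "(iBridge: ...)") are kept whole.
        function value(line) { sub(/^[^:]*: /, "", line); return line }
        /^ *Model Identifier:/                           { print "model="   value($0) }
        /^ *(Boot ROM Version|System Firmware Version):/ { print "bootrom=" value($0) }
        /^ *SMC Version \(system\):/                     { print "smc="     value($0) }
    '
}

# On a Mac, query the live system; elsewhere, fall back to the sample.
report() {
    if command -v system_profiler >/dev/null 2>&1; then
        system_profiler SPHardwareDataType
    else
        sample_report
    fi
}

report | firmware_fields
```

The printed values are the ones shown in the System Information window; the model identifier is included because firmware versions are specific to a model.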

9 replies

May 8, 2022 6:57 AM in response to johnnyjackhammer

johnnyjackhammer wrote:

Has anyone heard if this has been exploited on a Mac System?

Has anyone ever heard of any of these CVE issues being exploited?

I can no longer find any mention of this issue on the typical Mac user websites.

Once an issue like this has generated all the clickthroughs that it can, it gets forgotten about so another Major Apple Crisis can take its place and generate more clicks.

May 8, 2022 9:35 AM in response to etresoft

I didn’t think I left any room in the question for opinions or sarcasm.


This is why I post here and not a market driven medium where “click through” drives content.


One wonders, after the US government “shared” its hacking toolkit with the rest of the world, just how much of an impact that event has had and continues to have.


Not specific to the issue above, I’m mostly concerned with losing all of our savings and not being able to pay the mortgage due to being “hacked”.

May 8, 2022 10:17 AM in response to johnnyjackhammer

johnnyjackhammer wrote:

Not specific to the issue above, I’m mostly concerned with losing all of our savings and not being able to pay the mortgage due to being “hacked”.


You're likely not worth the use of those flaws, to be very blunt.


Exposing exploits to use risks mitigation. And exploits are a sought-after commodity and are usually very expensive, which makes the associated exploit tools very expensive.


Enable security on your financial accounts, place a credit freeze on your reports, keep backups, use a password manager (and which has the added benefit of making it harder to enter your passwords on phishing sites), use robust and unique passwords, keep your computers and printers and routers and the rest patched to current, encrypt your data, learn more about phishing and other scams, enable two-factor authentication on key accounts and on password-reset paths, work through the list of security recommendations provided for each of us by Apple, and other related steps.


Make yourself more expensive or more difficult than the other targets. Phishing is easier than exploiting Spectre or Meltdown.


If you're an investigative journalist, political dissident, a sought-after criminal, senior leadership in moderate or large organizations, or have access to substantial financial information or access to classified or sensitive data, then the security calculations here can or do shift. Phishing turns into spear-phishing here, too.


While it's conceivable some processor architectural flaw could be exploited, it's more likely that a re-used password or phishing nails us. Or somebody at one of the bank's software providers or cellular providers gets bribed. There is no certainty with data security. Ever.

May 8, 2022 10:47 AM in response to johnnyjackhammer

There have been no reports of this vulnerability ever being exploited in the wild, none. Spectre and Meltdown cannot be patched, only moderated. And the exploit is so complicated and difficult it would almost certainly require the resources of a state actor, not your garden variety hacker looking to empty your bank account. You and I are simply not the type of targets these exploits would be used on. We’re simply not worth the effort.


And yes, Apple long ago issued patches to moderate the effectiveness of these exploits.

May 8, 2022 11:41 AM in response to johnnyjackhammer

johnnyjackhammer wrote:

I didn’t think I left any room in the question for opinions or sarcasm.

There's always room for opinions and sarcasm 😄. What you posted contained opinions and sarcasm too. "Another unfixable intel chip flaw could render Apple's FileVault useless". Yeah, right.

This is why I post here and not a market driven medium where “click through” drives content.

But isn't that the point? To get opinions and advice untainted by social media and misinformation?


I get your point. You hear about these things, you do research, and it seems like this is just as big of a potential flaw as any other issue that made headlines. Why isn't this one making headlines too? What gives? There are simply too many other big stories right now. The relative value of an Apple fear-mongering clickthrough just isn't what it was a few months ago.


I apologize for the sarcasm. Maybe I did some research after the first such story I heard. Maybe I also did research after the 2nd or 3rd stories too. Maybe I posted sincere, even-tempered responses after those first few. But after 30? Or 100? I forget when, but after a certain number of oh-my-god-the-sky-is-falling-apple-is-hacked stories, all I had left was sarcasm. And that was years ago.

One wonders, after the US government “shared” its hacking toolkit with the rest of the world, just how much of an impact that event has had and continues to have.

None.

Not specific to the issue above, I’m mostly concerned with losing all of our savings and not being able to pay the mortgage due to being “hacked”.

You are right to be concerned. But you have to use reason. Remember the classic Greek strategies of rhetoric - ethos, pathos, and logos. Security stores are almost 100% pathos. They rely on the most basic of emotions - fear. But to be clear, they aren't trying to protect your money, they are trying to take it. You need industry-leading endpoint security protection against these threats on your Mac. Ignore the logos that tells you that your Mac is never the source of internet hacks like this.


There are hackers out there trying to take your money. But they aren't trying to hack your Mac to do that. They might try to hack you. Just the other day, I got a text message warning me about a potential fraudulent charge. Some banks do send these text messages. I had one bank sometimes reject charges and expect me to text back and confirm before they would let the charge go through. I checked my online account and there were a number of fraudulent charges, including the one mentioned in the text. So I cautiously replied "N" to the text to reject the charge. Immediately I got another text telling me I would be contacted by my bank's (identified by name) fraud department. Sure enough, the phone rang in seconds.


So, these people had my credit card. Had already made numerous fraudulent charges. They knew my phone number too. But apparently, they didn't have the 3 digit security code on the back of the card to rack up big numbers. That was what the "fraud department" wanted me to confirm. Instead, I hung up and called the bank's real fraud department. That's how people can empty your bank account, not with theoretical CVE security exploits.

May 8, 2022 2:14 PM in response to etresoft

etresoft wrote:

…So, these people had my credit card. Had already made numerous fraudulent charges. They knew my phone number too. But apparently, they didn't have the 3 digit security code on the back of the card to rack up big numbers. That was what the "fraud department" wanted me to confirm. Instead, I hung up and called the bank's real fraud department. That's how people can empty your bank account, not with theoretical CVE security exploits.


Yep. This is how we get hacked.


Much easier, more scalable, and more profitable.


We get tired, or overly busy, or otherwise distracted.


For this particular spear-phishing scam, the ease of spoofing calling numbers, and the unfortunately-cavalier security practices of some financial providers, this and similar scams are easily all too believable for us; for the recipients.


Or we forget to keep current with patches and updates, or maintaining other parts of the tedium that is security.


Put differently, we ourselves are the most vulnerable component of our security. Not theoretical architectural attacks.

May 9, 2022 9:05 AM in response to etresoft

I am glad to hear that not a single computer has ever been exploited using the flaws in CVE-2019-0090 🤔


Being jaded is not necessarily a consequence of being wise. Important to be diligent.


Since we're drifting off topic here.... into the general.


There have been exploited CVEs on Mac. I won't scour the internet, but will provide one from less than a year ago as an example.


"Apple fixes macOS zero-day exploited by malware (CVE-2021-30713)"


There was also a bug in the Apple cam kit for a decade that allowed some guy (I think in Michigan) a view into people's homes. I think it was under a thousand computers he had maintained a connection with. Can't remember how long ago that was revealed, but I still keep a post-it over my iMac camera.


What bothers me the most is Apple abandoning any meaningful detail (in order to maintain UI simplicity 🙄) when security windows pop up asking if I want to allow software to run. There is much they could provide in those windows that would be helpful. The path to the software in question would be step 1, when it was installed 2, offer to run a scan against Virus Total 3, and more. Yet they leave it a mystery in order to drive fearful users to the App store. They are basically saying, "Hey you're on your own." Talk about feeding off fear for profit - not exactly feeling like Apple is on the user's side and kinda tired of them pretending they are. How many users have they reimbursed when software on the App store has been found to be malicious? I am assuming zero.


However, just because someone has decided to profit off of fear doesn't mean the thing they are profiting from isn't real.


App store or not... there is always an underlying risk.

May 9, 2022 12:06 PM in response to johnnyjackhammer

If you really feel Apple is being cavalier about security and not on the user’s side then perhaps it’s time for you to consider other alternatives. Of course, none of the other platforms out there were able to completely patch the issue you mention either, only moderate it. A lot of these exploits also require physical possession of the device by the bad guy. By far the most common hack is between the ears of the user. Trickery and misdirection are the tools of modern day thieves, not these weird vulnerabilities. Why do that when you can much more easily trick a user into giving you their credentials, passwords, bank account number, social security numbers?


And some of us choose to not live in constant fear.
