
Sony Firmware Updates Are Both Broken with macOS High Sierra + Carry a Serious 'RootKit' Security Risk on all macOS Versions


Update 18 January: Sony has made the solution FAR WORSE by explicitly requiring installation of a kernel extension. If you’ve heard the term “best practices” applied to any process such as security, Sony is doing the opposite: “worst practices”. It’s outrageous. But maybe Sony cannot do it right; perhaps there is some (grievous lack of foresight) hardware design error that prevents an in-camera firmware update.

Update 20 Jan 2018: I worked around the issues by installing a fresh macOS El Capitan system onto an old 128GB Apple SSD in an OWC Mercury Elite Pro Mini enclosure, connected to a 2012 MacBook Pro.

After installing the fresh system, I booted off it, unmounted the internal SSD, installed the Sony updater (which does not require the kernel hack on macOS El Capitan that High Sierra does), updated the Sony A7R III firmware, rebooted off the internal drive, wiped out the external SSD and reinstalled a fresh El Capitan on it for next time. That external drive now sits in a drawer for doing the same thing for the next firmware update.

That process is not perfect: really nasty malware could infect even an unmounted volume, but it’s reasonably solid protection, and I did it on a spare machine. To get it really right, disconnect the internal drive, and then hope malware could not tweak hardware stuff in the laptop itself.

Original post...

Back in October I wrote about Sony’s risky approach to firmware updates, which entails not only compatibility problems but a serious potential risk of compromising the entire computer by what is known as a “root kit”: Sony’s updater requires a kernel level updater = Very Very Bad.

'aces' writes:

I have been waiting and waiting for either Apple or Sony to fix this. Now we are in 2018 and I still can’t update any of my Sony cameras. Have you heard anything new? Thanks.

DIGLLOYD: I don’t expect Sony to change their risky security-incompetent design judgment on firmware updates. And macOS High Sierra is especially locked down on the new iMac Pro with its secure enclave and refusal to boot off many devices, making such issues far more of a problem.

At least Sony *does* properly secure its Sony camera firmware updates page with https, albeit with a certificate that is not the highest grade. That is necessary but not sufficient.

Sony A7R III firmware update download page

What is the security issue?

When an application is given administrative 'root' access, it can do just about anything. That means it can install things like a keyboard sniffer, transmitting everything you type to some hacker in Belarus, so to speak. Thus all your accounts, all your money, your identity, etc. are placed at risk.

Thus it’s no minor concern letting a program have unfettered root-level access to a computer these days. This is why Apple (kudos) increasingly has locked down macOS, particularly kernel extensions, which cannot run without explicit user approval in the Preferences => Security. This is why Sony’s updater “might” not work—because Apple is taking steps to lock out risky software.

That Sony takes this update approach is gross incompetence in software design (from a security perspective) that puts users at risk of total system compromise. That Sony cannot keep its own prized IT environment secure should persuade any rational person in this day and age that this security concern is worth taking seriously. If I were a hacker, the firmware updates of all cameras and devices would be prized targets because they would enable compromising tens to hundreds of millions of computers just by compromising an 'innocent' updater. A juicy soft target to say the least.

Nikon and Canon do firmware updates right, but Nikon’s firmware download site is wide open to various compromises because it fails to use secure links (http only).

Imperfect workarounds to Sony’s updater (and Olympus and Fujifilm)

Ideally, update firmware as stated here, but on macOS 10.12 or earlier.

  1. Clone the startup drive to any spare drive that the machine will boot from.
  2. Set the startup disk to the clone drive; shut down the machine.
  3. If possible, remove any other drives (can’t be done easily with most Macs, e.g., the internal SSD in a sealed iMac or laptop).
  4. Boot up off the clone.
  5. Install the Sony updater; update the camera.
  6. Remove the temporary boot clone.
  7. Boot off the original boot drive, and set the startup disk to it once rebooted.

Another approach even more tedious is to clone the startup drive to two backups, wipe the startup drive, reinstall macOS, install the Sony updater, update the camera, then wipe out and reinstall macOS, then boot off the clone and clone back onto the startup drive.

Of course, both of these approaches are a huge hassle, and neither guarantees safety.
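
As an added check (not from the original post or from Sony), the following shell functions compare two `kextstat` snapshots, taken before and after installing an updater, and list any non-Apple kernel extensions that appeared in between. The sample snapshots and their `com.example.*` bundle IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report third-party kernel extensions that appeared between
# two `kextstat` snapshots. On a Mac:
#   kextstat > before.txt ; <install and run the updater> ; kextstat > after.txt
#   new_kexts before.txt after.txt

# Print bundle IDs of loaded kexts outside Apple's com.apple.* namespace.
# kextstat data rows start with a numeric index; the bundle ID is field 6.
third_party_kexts() {
    awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ { print $6 }' "$1" | sort -u
}

# Print third-party kexts present in snapshot $2 but not in snapshot $1.
new_kexts() {
    b=$(mktemp) && a=$(mktemp) || return 1
    third_party_kexts "$1" > "$b"
    third_party_kexts "$2" > "$a"
    comm -13 "$b" "$a"          # lines unique to the "after" list
    rm -f "$b" "$a"
}

# Constructed sample snapshots (the com.example.* bundle IDs are made up).
SAMPLE_BEFORE='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  100 0xffffff7f80a00000 0x9e10     0x9e10     com.apple.kpi.bsd (17.4.0) 11111111-0000-0000-0000-000000000001 <>
   95    0 0xffffff7f83a10000 0x5000     0x5000     com.example.audio.driver (2.1) 11111111-0000-0000-0000-000000000002 <5 4 3 1>'
SAMPLE_AFTER="$SAMPLE_BEFORE
  141    0 0xffffff7f83b20000 0x3000     0x3000     com.example.camera.updater (1.0) 11111111-0000-0000-0000-000000000003 <5 4 3 1>"

# Run the comparison on the constructed samples.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_BEFORE" > "$d/before.txt"
    printf '%s\n' "$SAMPLE_AFTER"  > "$d/after.txt"
    new_kexts "$d/before.txt" "$d/after.txt"
    rm -rf "$d"
}

demo
```

An empty result only means no new kernel extension is currently loaded; it says nothing about other changes an installer running as root may have made.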

My October 2017 post below

Over at MacPerformanceGuide.com, I’ve advised users, particularly professional users, not to upgrade to macOS High Sierra for at least 6 months.

Apple quality control has gone seriously downhill over the past 5 years. The most recent evidence for that is exposing cleartext passwords + a new zero day exploit and having to rush out a fix. It speaks volumes.

Below is a camera-related issue I received in email today: you might not be able to update firmware for Sony cameras when running macOS High Sierra. Sony ought to be more clear: is it “may not” [sic] or “will not”, or something else? Given Sony’s rootkit installer approach, it’s probably a security issue stopping it. Cameras should update firmware in camera, like Nikon and Canon do. Approaches that in essence require operating system kernel access are incredibly badly designed given the security risks.

See also:

Sony advisory that camera firmware cannot be updated on macOS High Sierra
Copyright © 2008-2017 diglloyd Inc, all rights reserved.