
marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
While I await a move from the old cMP 5,1, I wonder what are the current security risks from remaining on Mojave on the old hardware?

I don't use Safari but Firefox instead because it is still updated so that would seem to mitigate some risk from the browser. But what risks am I exposed to from lack of OS level security updates?
 

jameslmoser

macrumors 6502a
Sep 18, 2011
697
672
Las Vegas, NV
Did they release an update for Mojave just before they released Monterey? I know they did in August. It sounds like you are talking about just using it as a desktop and are planning on moving on already?? If you are doing so soon I wouldn't be too worried about it.

If you are worried about it, you could always upgrade to Catalina using OpenCore, or a Patcher like DosDudes. If you use OpenCore you can upgrade farther than that. I'm currently running Big Sur on multiple cMP's and it runs better than I think Mojave or Catalina even did.

 
  • Like
Reactions: m4v3r1ck

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
Yeah, looks like last security update to Mojave was July this year.

Probably retiring the cMP within a year. I am aware of OpenCore but didn't know that DosDudes had something. How much of a pain is it to do OpenCore? I mean is there any risk of bricking the machine by tinkering with firmware, that sort of thing?
 
  • Like
Reactions: m4v3r1ck

jameslmoser

macrumors 6502a
Sep 18, 2011
697
672
Las Vegas, NV
> Yeah, looks like last security update to Mojave was July this year.
>
> Probably retiring the cMP within a year. I am aware of OpenCore but didn't know that DosDudes had something. How much of a pain is it to do OpenCore? I mean is there any risk of bricking the machine by tinkering with firmware, that sort of thing?

A lot of the security updates found and patched on operating systems usually fix things like privilege escalation bugs or something similar that require physical access or them already having user access on the machine. Using it as a regular desktop without it being directly connected to the internet (with a public routable IP address) should be pretty safe.

OpenCore is pretty easy. I recommend you check out "Martin's Package (one-size-fits-all solution)", he has simple short videos you can watch.

 
  • Like
Reactions: th0masp

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
My machine is definitely connected to the internet through a router connected to the fiber line to the house. I will consider OpenCore. I don't know how long I will keep the cMP active; depends on what Apple comes up with next year.
 

tsialex

Contributor
Jun 13, 2016
13,455
13,601
It's extremely easy to use OCLP to install Big Sur.


Apple will send the 11.6.2 release to all users probably next week, already sent to developers, it will be the perfect time to install it.

Monterey is too messy to install right now.
 
  • Like
Reactions: m4v3r1ck

tsialex

Contributor
Jun 13, 2016
13,455
13,601
> Thanks Alex. Reading the Guide now.

You will have to learn a lot of new things, but it's simple after you get the gist of it and you will be running Big Sur natively on your Mac Pro and with some careful hardware updates, like AirPort Extreme BCM94360CD if you need Wi-Fi and BT4.0, no patches/hacks whatsoever. The most expensive upgrade is the METAL supported GPU, but since you wrote that you run Mojave I suppose you already have done it.

Most people here are waiting for the next Mac Pro release, so running Big Sur for two more years with Security Updates is a must until an M1 successor for the Mac Pro is finally available.
 
  • Like
Reactions: spacedcadet

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
Yes, I am running Mojave with a metal GPU (Radeon RX560) with all updates required for that 4.1>5.1 upgrade. I don't need wi-fi but I need BT so I need to install a new BT hardware module? Where would I get that?
 

tsialex

Contributor
Jun 13, 2016
13,455
13,601
> Yes, I am running Mojave with a metal GPU (Radeon RX560) with all updates required for that 4.1>5.1 upgrade.

Perfect.

> I don't need wi-fi but I need BT so I need to install a new BT hardware module? Where would I get that?

OCLP still supports the original BT v2.0 module, but it's really really bad to use it nowadays.

This is the thread about AirPort Extreme updates - BCM94360CD has AC Wi-Fi and BT v4.0 with the same card - it's combined now and you will remove the original BT v2.0 module.

You can also buy the Fenvi T919 PCIe card and connect the USB header (Mac Pro BT is USB) to the Fenvi card connector.

There is more than one way to do it, choose what is best for you. If you have one PCIe slot available, Fenvi T919 is the easiest, and probably the cheapest, way. AliExpress have promos frequently for T919, next one is December 12.
 
  • Like
Reactions: m4v3r1ck

m4v3r1ck

macrumors 68030
Nov 2, 2011
2,607
555
The Netherlands
> Perfect.
>
> OCLP still supports the original BT v2.0 module, but it's really really bad to use it nowadays.
>
> This is the thread about AirPort Extreme updates - BCM94360CD has AC Wi-Fi and BT v4.0 with the same card - it's combined now and you will remove the original BT v2.0 module.
>
> You can also buy the Fenvi T919 PCIe card and connect the USB header (Mac Pro BT is USB) to the Fenvi card connector.
>
> There is more than one way to do it, choose what is best for you. If you have one PCIe slot available, Fenvi T919 is the easiest, and probably the cheapest, way. AliExpress have promos frequently for T919, next one is December 12.

Thank you for spreading so much good news for the cMP! Much appreciated. Reading the thread is work in progress
 

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
PCIe BT sounds doable for me. Now that I have a USB 3.1 card, I could remove the eSata card to make room. I will check that out.

Thanks, Alex.
 

Demigod Mac

macrumors 6502a
Apr 25, 2008
841
288
Nothing to worry about if you are smart about where you go on the internet, keep your web browser up-to-date and use a router with a firewall protecting the Mac. I don't quite agree that you should need to worry about messing with your Mac too much with OpenCore and whatnot - that's kind of like intensely worrying about the resilience of a safe in your closet while the front door to your house has a broken lock.

Operating system patching is the inner ring of a multi-layered defense strategy. If a cyberattack successfully penetrates down to the OS level, then you have some fundamental issues with your overall security strategy and practices, most notably on the outer layers. If patching the OS is an option then you should certainly do it, of course - you don't want to give attackers even an inch of potential surface, but if the insecure device has properly hardened layers of security surrounding it then your risk is actually extremely low.

In cybersecurity, if there is a mission-critical system that is insecure, unfixable and yet irreplaceable, you implement strategies called compensating controls to cover those vulnerabilities by alternative means. In this case you might consider treating the CMP like an insecure IoT device and add a smart firewall device such as an Eero, Trend Micro's Home Network Security or BitDefender Box 2 between your modem and router. These will block malicious domains and code before they even enter your home network, much less reach your Mac to execute their payload.

Longview: to successfully attack a CMP that has layered protection as described above, a cyberattack would need to penetrate all of the following:

* Layer 0 > Your internet street smarts (not getting phished, not visiting sketchy websites, etc.)
* Edge layer > Smart Firewall device with an active security subscription (very difficult to compromise)
* Middle layer > Up-to-date Web Browser (would probably need to be a zero-day exploit to get past this)
* Inner layer > XProtect definitions vs malicious executable code (Apple still updates these even for unsupported macOS versions)
* Core layer > unpatched Operating System vulnerabilities

In summary, if a cyberattack successfully penetrated all those layers and compromised your CMP, then congratulations - you were probably targeted by a state-sponsored attacker who was paid a lot of money to do so. ;)
 

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
Thanks for the refresher on layered security. Fortunately, I am doing the first and middle layer.

> I don't quite agree that you should need to worry about messing with your Mac too much with OpenCore and whatnot - that's kind of like intensely worrying about the resilience of a safe in your closet while the front door to your house has a broken lock.

My concern with OpenCore was not security but whether it could render my machine inoperable if I screwed it up.
 

tsialex

Contributor
Jun 13, 2016
13,455
13,601
> Thanks for the refresher on layered security. Fortunately, I am doing the first and middle layer.
>
> My concern with OpenCore was not security but whether it could render my machine inoperable if I screwed it up.

With an 11 (early-2009) / 10 (mid-2010) / 9 (mid-2012) year-old BootROM SPI flash memory, the newest MacPro5,1 ever made was manufactured back in October 2013, even doing a clean install of Mojave and having dozens of NVRAM variables being set/modified by the installer (or also doing a macOS Software Update) can brick a Mac Pro now.

Mac Pros that still have the original SPI flash memory are on borrowed time; the life expectancy is just 100.000 cycles of write erase for non contiguous erase/re-writes while Mac Pro NVRAM usage is the perfect example of a contiguous usage (NVRAM is inside the BootROM SPI flash memory). I've written a lot about it; you can use the search and read more if you are interested in the topic.

At least it is easy enough to dump it/desolder the SPI flash memory/program a replacement/solder back. People that can't solder can buy a SPI flash replacement, like MATT cards, and flash the BootROM dump to it.
 

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
tsialex, you have confirmed my paranoia. I have an early '09 so pretty old (although I did replace the logic board about 2 years ago).
 

tsialex

Contributor
Jun 13, 2016
13,455
13,601
> tsialex, you have confirmed my paranoia. I have an early '09 so pretty old (although I did replace the logic board about 2 years ago).

It's not paranoia ;) It's like depending on the original HDD from 2009.

For a Mac that was lightly used, it will probably be below the number of erase-re-write cycles, but for one that has been in continuous usage, it's on borrowed time.

SPI flashes are expendable items with a life expectancy and need replacement over time.
 

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
I hear you. Let's just call it probability of failure and difficulty of repair. For you replacing a SPI flash module is probably as easy as an HDD replacement; for me, not so much. I can solder connectors on cables but haven't done any electronic components on pcb soldering.

Again, your information and advice is very helpful.
 

tsialex

Contributor
Jun 13, 2016
13,455
13,601
> I hear you. Let's just call it probability of failure and difficulty of repair. For you replacing a SPI flash module is probably as easy as an HDD replacement; for me, not so much. I can solder connectors on cables but haven't done any electronic components on pcb soldering.
>
> Again, your information and advice is very helpful.

MATT cards are the solution for people like you. ;)
 

Demigod Mac

macrumors 6502a
Apr 25, 2008
841
288
It does sound like in your use case, it's probably not worth the risk of trying to install an unsupported OS / OpenCore. If your Mac is currently in a stable / working condition and it suits your needs then it's probably best to keep it as-is and protect it with compensating measures. That's the situation where I am too... Hoping that when/if my CMP bites the dust (as tsialex mentioned), there will be viable replacement Mx Macs available from Cupertino, notably headless desktop Macs that support more than 32 GB of RAM. Expecting those should be on the market within a year.

This is my regimen for protecting my CMP - this combo will make it extremely hard to crack even though the machine's OS is technically vulnerable:

* Eero 6 seated between my cable modem and router, with the basic Eero Secure subscription. Eero handles wifi. Router is acting as a switch (in bridge mode) and handles my wired devices.
* Firefox, auto-updates on.
* UBlock Origin browser extension active and subscribed to Malware + Badware domain filter lists.
* macOS automatic security updates enabled; periodically I check the XProtect definitions with the SilentKnight tool to verify that it's keeping up-to-date (it is).
 
  • Love
Reactions: m4v3r1ck
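
The check in the last bullet of the post above, as an added Python example that is not part of the thread and is not how SilentKnight works: it reads the XProtect definitions version and flags stale definitions or disabled automatic security-data updates. The file paths (Mojave layout), the 60-day threshold, the modification-time heuristic and the sample version number are assumptions.

```python
import os
import plistlib
import time
from xml.parsers.expat import ExpatError

# Assumed macOS Mojave paths; pass other paths for a different release.
XPROTECT_META = ("/System/Library/CoreServices/XProtect.bundle"
                 "/Contents/Resources/XProtect.meta.plist")
SU_PREFS = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
# Keys that let definition and security data install without user action.
REQUIRED = ("AutomaticCheckEnabled", "ConfigDataInstall", "CriticalUpdateInstall")
UNREADABLE = (OSError, ValueError, ExpatError)

def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)

def audit(meta_path=XPROTECT_META, prefs_path=SU_PREFS, max_age_days=60, now=None):
    """Return (definitions version, findings); no findings means healthy."""
    now = time.time() if now is None else now
    findings, version, prefs = [], None, {}
    try:
        version = load_plist(meta_path).get("Version")
        age_days = (now - os.path.getmtime(meta_path)) / 86400
        if age_days > max_age_days:  # heuristic: file untouched for too long
            findings.append("XProtect definitions unchanged for %d days" % age_days)
    except UNREADABLE:
        findings.append("XProtect metadata unreadable: " + meta_path)
    try:
        prefs = load_plist(prefs_path)
    except UNREADABLE:
        findings.append("Software Update preferences unreadable: " + prefs_path)
    for key in REQUIRED:
        if not prefs.get(key):  # missing, False or 0
            findings.append(key + " is off or unset")
    return version, findings

def build_sample(root, age_days, config_data_install):
    """Write constructed sample plists (not real system data) under root."""
    meta = os.path.join(root, "XProtect.meta.plist")
    prefs = os.path.join(root, "com.apple.SoftwareUpdate.plist")
    with open(meta, "wb") as fh:
        plistlib.dump({"Version": 2151}, fh)  # constructed version number
    with open(prefs, "wb") as fh:
        plistlib.dump({"AutomaticCheckEnabled": True, "CriticalUpdateInstall": True,
                       "ConfigDataInstall": config_data_install}, fh)
    stamp = time.time() - age_days * 86400
    os.utime(meta, (stamp, stamp))  # backdate the file to simulate stale data
    return meta, prefs
```

On a Mac, calling `audit()` with no arguments reads the assumed system paths; `build_sample()` exists only so the check can be exercised on any machine.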

marstan

macrumors 6502
Original poster
Nov 13, 2013
303
210
Demi: Sounds about right. I am due for router upgrades (have old Apple Airport Extremes and the main router supplied by Frontier).
 