This article originally appeared in TidBITS on 2018-01-05 at 8:15 p.m.
The permanent URL for this article is: http://tidbits.com/article/17712

Apple Releases Meltdown and Spectre Info and Updates

by Adam C. Engst

The tech world has been abuzz with discussion of Meltdown and Spectre [1], massive “speculative execution” security vulnerabilities recently discovered in the CPUs used by nearly all modern computing devices, including the Intel CPUs used in Macs and the ARM-based CPUs in iOS devices. Ars Technica [2] has a good explanation of the problem and overview of the response from different companies.

Late last week, Apple posted a support note [3] explaining the situation from the company’s perspective. In short, Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and claims that its changes resulted in no measurable reduction in performance. (Initial speculation suggested that blocking these vulnerabilities could cause a 5 to 30 percent performance hit.)

In that statement, Apple said that an upcoming release of Safari would mitigate the Spectre exploits with only a minimal performance impact. The company wasted no time, pushing out iOS 11.2.2 [4], macOS High Sierra 10.13.2 Supplemental Update [5], and Safari 11.0.2 [6] (for OS X 10.11.6 El Capitan and 10.12.6 Sierra). All three updates “include security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).”

We strongly recommend installing these updates immediately, since the Spectre exploits can be implemented in JavaScript — in other words, any Web page could theoretically become a conduit to your computer or device being compromised.

On the Mac, it’s equally important to make sure you’re running the latest versions of Google Chrome (which updates itself; just quit and relaunch) and Firefox, along with any other Web browsers you use. Both Google [7] and Mozilla [8] have released interim updates and have more significant releases scheduled for the fourth week in January.

Apple says that the Apple Watch is unaffected by both Meltdown and Spectre.

All these updates are good, but note the word “mitigate” in Apple’s security notes, rather than the company’s usual “addressed” terminology. Spectre, in particular, is a subtle vulnerability, and we’ll likely be seeing additional protections worked into software over time.

In other words, staying up to date with the latest security updates from Apple is becoming ever more essential.

[1]: https://meltdownattack.com/
[2]: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/
[3]: https://support.apple.com/en-us/HT208394
[4]: https://support.apple.com/en-us/HT208401
[5]: https://support.apple.com/en-us/HT208397
[6]: https://support.apple.com/en-us/HT208403
[7]: https://www.chromium.org/Home/chromium-security/ssca
[8]: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/