Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at the time of this writing. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Security updates for macOS Sierra and OS X El Capitan also include mitigations for Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre.
Mitigations to defend against Meltdown have already been shipped by Apple in iOS 11.2, macOS 10.13.2, and tvOS 11.2. WatchOS is unaffected by Meltdown. Development of mitigations for both exploits is ongoing and new defenses will be released to each Apple OS as they become available. A pple took additional steps this week to protect Mac users from Meltdown and Spectre, two recently disclosed and serious security vulnerabilities. On Tuesday, alongside the rollout of macOS High. Apple: Mac OS 10.10 Yosemite: Where do I get the patch to fix the Meltdown exploit?Helpful? Mac OS 10.10 Yosemite: Where do I get the patch to fix the Meltdown exploit?Helpful?
- It's been like this in every version of the Mac OS since OS X was first released. All you needed to do was look. If you want truly forced updates, use Windows 10. You can turn off updates, but the OS will turn them back on without asking after a week (or something).
- Apple today confirmed that it has addressed the recent 'Meltdown' vulnerability in previously released iOS 11.2, macOS 10.13.2, and tvOS 11.2 updates, with additional fixes coming to Safari in the.
We continue to develop and test further mitigations for these issues. Factories of steel mac os.
Background
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.
Meltdown
Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or 'rogue data cache load.' The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and also in Security Update 2018-001 for macOS Sierra and Security Update 2018-001 for OS X El Capitan. watchOS did not require mitigation. Chaos combat chess mac os.
Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
Spectre
Fossil fuel mac os. Spectre is a name covering multiple different exploitation techniques, including—at the time of this writing—CVE-2017-5753 or 'bounds check bypass,' and CVE-2017-5715 or 'branch target injection,' and CVE-2018-3639 or 'speculative bounds bypass.' These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
The Meltdown Mac Os X
Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. On January 8th Apple released updates for Safari on macOS and iOS to mitigate such timing-based techniques. Testing performed when the Safari mitigations were released indicated that the mitigations had no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques. watchOS is unaffected by Spectre.
Surely by now you've heard about the Spectre and Meltdown CPU flaws, but you might not fully understand what the issue is and how you can protect yourself against the risks. We're here to help. Here's how these vulnerabilities affect your Apple devices and what you can so to keep them safe.
Update 01/25/18:Apple has released iOS 11.2.5 and MacOS 10.13.3 to further protect against Spectre exploits.
Meltdown and Spectre FAQ
One more time, what exactly is the issue here?
There are three separate potential security issues at play here, one named Meltdown and two named Spectre. They all take advantage of something called speculative execution. Basically, modern CPUs try to speed things up by taking educated guesses to predict what the next operation will be, and will go so far as to execute them ahead of time. If the prediction is correct, the CPU has an answer all ready to go. If it's incorrect, the 'speculative execution' is removed. The whole process is nearly instantaneous and should be invisible to the software and OS. The Meltdown and Spectre bugs allow hackers to read and access this information in the OS kernel memory by taking advantage of the delay in its rollback.
What devices do they effect?
In a nutshell, all of them. If you have a PowerMac G5 or an iPhone 3GS, you're probably okay, but all modern Macs and iOS devices are affected. While Meltdown mainly affects Intel-based Macs and PCs, in Apple's case it also affects iOS devices. Spectre affects all iOS, macOS, and tvOS. WatchOS is unaffected by the Meltdown and Spectre flaws.
What's Apple doing to fix it?
Well, there isn't really a real fix. These exploits rely on flaws baked right into the very design of the CPUs themselves. The best Apple or anyone can do is mitigate the risk, and Apple is already taking steps to do so. In December, Apple released macOS 10.13.2, iOS 11.2, and tvOS 11.2 with mitigations to lessen the risk, and iOS 11.2.2 also 'includes security improvements to Safari and WebKit to mitigate the effects of Spectre.' Also, Safari 11.0.2 includes mitigations against Spectre on macOS. Apple says more mitigations are on the way. The recent macOS 10.13.3 update also included Spectre mitigations.
What about older OSes?
Alongside the release of macOS High Sierra 10.13.3, Apple also delivered security updates to macOS 10.12 Sierra and Mac OS X 10.11 El Capitan, as well as the Safari update that was released in early January. However, since updates to older OSes won't be arriving as quickly as up-to-date Macs, if you have a system new enough to run macOS High Sierra and iOS 11, your best bet is to update to High Sierra.
I've heard about slowdowns. Will my device be affected?
It's too early to say, but Apple assured users that there won't be any noticeable performance impact. It says it ran the December update through GeekBench, Speedometer, JetStream, and ARES-6 and saw 'no measurable reduction in the performance of macOS and iOS.' Additionally, it has tested its Safari mitigations with the similar results, including an impact of less than 2.5 percent using the JetStream benchmark.
How can I protect my device from attack?
Update your OS
This is the obvious answer, but it's also the best one. As we said, there is no real fix for Meltdown or Spectre, just ways to make exploits harder to pull off. Apple has already begun taking steps to protect users, but they will only be effective if they're installed.
The Meltdown Mac Os Catalina
So, if you can update your Mac and iOS device to High Sierra and iOS 11, respectively, do so. Apple has squashed many of the early bugs and the latest versions are running smoothly, so if you want the best possible protection from Meltdown and Spectre, the latest version of the latest operating systems are the best way to do it.
Update Safari, Firefox, and Chrome
Apart from macOS, iOS, and tvOS, Apple is also updating Safari to address a possible Javascript exploit of the Spectre flaw. This will be arriving soon, so check the updates tab in the App Store app to install it once it arrives. Firefox 57.0.4 adds protections to that browser, and and Chrome 64 (to be released on January 23, 2018) will do the same for Google's browser. In the meantime, an optional feature called Site Isolation can help reduce risk in Chrome—read more about that here.
Don't download apps from untrusted developers
Hackers can't get into your system unless you let them in, so be mindful of where your apps are coming from, especially in the Mac. Obviously, the Mac App Store is the safest way to download apps, but there are a number of totally legit developers that offer apps outside Apple's store. Most of them are safe to install, but you should do some research before hitting the download button. macOS already users by default when launching apps from unidentified developers, so pay attention to any prompts you get when opening an app for the first time.
Stay vigilant
As Apple says, the risk to users is fairly low, but the scale here is massive. With hundreds of million vulnerable devices, hackers are going to be working overtime to exploit these flaws, so be aware of a anything amiss with your device or accounts, and take the appropriate action if necessary.
