Apple Issues Security Fixes for Spectre and Meltdown CPU Flaws
Apple this week took steps to address the potential security threats posed by two recently disclosed CPU attack methods, Meltdown and Spectre.
Both methods can compromise all systems, either Linux- or Windows-based. They are based on a "speculative execution" process used by CPUs that security researchers were able to tap to gain access to operating system kernel information, such as passwords and encryption keys. Processors from Intel, AMD and ARM Holdings are affected, to varying degrees. Apple began its switch to using Intel processors in some of its Mac devices back in 2006 or so.
The computer industry currently is addressing the implied security issues associated with Meltdown and Spectre by releasing operating system updates and firmware updates as a sort of workaround. Apple on Monday joined other operating system makers, such as Microsoft, in issuing patches for its products.
All Apple Mac and iOS products are subject to these Meltdown and Spectre attack methods, according to an announcement Monday by Apple, although "there are no known exploits impacting customers at this time," it added. Malware has to be present on a machine for it to be vulnerable to the attacks.
Apple published a list of its security updates here. With regard to Spectre, the updates add protections for the following products:
- macOS High Sierra 10.13.2 Supplemental Update, providing protections for the Safari browser and its WebKit engine
- Safari 11.0.2, providing browser protections for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
- iOS 11.2.2, providing Safari and WebKit protections for iPhones (version 5 and later), iPad Air (and later) and sixth-generation iPod touch devices
The Meltdown attack method is addressed by updates "iOS 11.2, macOS 10.13.2, and tvOS 11.2," according to Apple's announcement.
Apple Watch devices aren't affected by the Meltdown and Spectre attack methods, according to the announcement.
The researchers that uncovered the Meltdown and Spectre attack methods didn't actually find any malware in the field. Rather, they used analysis techniques to pull information from operating system kernels, labeling these methods "Meltdown" and "Spectre." Since these attack techniques are now published, they're considered to be potentially active threats.
Apple described the Meltdown approach as being able to read OS kernel memory, adding that it "has the most potential to be exploited." Apple's Meltdown mitigations, which apparently were released back in December, aren't expected to slow down Apple systems.
"Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6," Apple indicated regarding its Meltdown protections.
The Spectre approach has two attack techniques that expose OS kernel memory information, but they are "extremely difficult to exploit," according to Apple. The patches for Spectre could slow the Safari browser a bit, per Apple's testing.
"Our current testing indicates that the Safari mitigations have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark," the announcement indicated regarding the Spectre protections.
Chip makers such as Intel have admitted that there could be some performance slowdowns as a consequence of applying these OS mitigations, depending on the hardware used and the workloads that are run. The potential performance hit has been reported as high as a 30 percent slowdown.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.