Meltdown-Spectre


'Meltdown-Spectre' Articles

Apple Addresses Meltdown and Spectre in macOS Sierra and OS X El Capitan With New Security Update

Along with macOS High Sierra 10.13.3, Apple this morning released two new security updates that are designed to address the Meltdown and Spectre vulnerabilities on machines that continue to run macOS Sierra and OS X El Capitan. As outlined in Apple's security support document, Security Update 2018-001 available for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6 offers several mitigations for both Meltdown and Spectre, along with fixes for other security issues, and the updates should be installed immediately. Apple addressed the Meltdown and Spectre vulnerabilities in macOS High Sierra with the release of macOS High Sierra 10.13.2, but older machines were left unprotected. Apple initially said a prior security update included fixes for the two older operating systems, but that information was later retracted. Spectre and Meltdown are two hardware-based vulnerabilities that impact nearly all modern processors. Apple in early January confirmed that all of its Mac and iOS devices were impacted, but Meltdown mitigations were introduced ahead of when the vulnerabilities came to light in iOS 11.2 and macOS 10.13.2, and Spectre was addressed through Safari updates in iOS 11.2.2 and a macOS 10.13.2 Supplemental Update. Spectre and Meltdown take advantage of the speculative execution mechanism of a CPU. As these use hardware-based flaws, operating system manufacturers are required to implement software workarounds. These software workarounds can impact processor performance, but according to Apple, the Meltdown fix has no measurable performance reduction across

Apple Releases macOS High Sierra 10.13.3 With Fix for Messages Bug

Apple today released macOS High Sierra 10.13.3, the third major update to the macOS High Sierra operating system available for Apple's Macs. macOS High Sierra 10.13.3 comes over a month after the release of macOS High Sierra 10.13.2 and a little over a week after a macOS High Sierra 10.13.2 supplemental update which brought a fix for the Spectre vulnerability. macOS High Sierra 10.13.2 can be downloaded directly from the Mac App Store or through the Software Update function in the Mac App Store on all compatible Macs that are already running macOS High Sierra. No major outward-facing changes were discovered in macOS High Sierra 10.13.3 during the beta testing period, but according to Apple's release notes, it brings security and feature improvements. The update offers additional fixes for the Spectre and Meltdown vulnerabilities that were discovered and publicized in early January and initially fixed in macOS High Sierra 10.13.2. We also know that the update fixes a bug that allowed the App Store menu in System Preferences to be unlocked with any password. Aside from those changes, Apple's release notes say that the update "addresses an issue that could cause Messages conversations to be temporarily listed out of order." For more information on the macOS High Sierra operating system, make sure to check out our dedicated macOS High Sierra roundup.

Apple Seeds Fifth Beta of macOS High Sierra 10.13.3 to Developers [Update: Public Beta Available]

Apple today seeded the fifth beta of an upcoming macOS High Sierra 10.13.3 update to developers, one week after seeding the fourth beta and more than a month after releasing macOS High Sierra 10.13.2, the second major update to the macOS High Sierra operating system. The new macOS High Sierra 10.13.3 beta can be downloaded from the Apple Developer Center or through the Software Update mechanism in the Mac App Store with the proper profile installed. It's not yet clear what improvements the macOS High Sierra 10.13.3 update will bring, but it's likely to include bug fixes and performance improvements for issues that weren't addressed in macOS High Sierra 10.13.2. It offers additional fixes for the Spectre and Meltdown vulnerabilities that were discovered and publicized in early January and fixed initially in macOS High Sierra 10.13.2. The update also fixes a bug that allows the App Store menu in the System Preferences to be unlocked with any password. The previous macOS High Sierra 10.13.2 update focused solely on security fixes and performance improvements, with no new features introduced, and a supplemental update introduced a fix for the Spectre vulnerability. Update: A new public beta of macOS High Sierra 10.13.3 is available for public beta

Intel CEO Pledges Commitment to Security Following Meltdown and Spectre Vulnerabilities

Intel CEO Brian Krzanich today wrote an open letter to Intel customers following the "Meltdown" and "Spectre" hardware-based vulnerabilities that impact its processors. In the letter, Krzanich says that by January 15, updates will have been issued for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder coming at the end of January. For Apple customers, macOS and iOS devices have been patched with protection against Spectre and Meltdown. Meltdown was addressed in macOS High Sierra 10.13.2 and iOS 11.2, while Spectre mitigations were introduced in a macOS 10.13.2 supplemental update and iOS 11.2.2, both of which were released this week. The vulnerabilities have also been addressed in older versions of macOS and OS X. According to Krzanich, going forward, Intel promises to offer timely and transparent communications, with details on patch progress and performance data. Because Spectre and Meltdown are hardware-based vulnerabilities, they must be addressed through software workarounds. In some cases, these software patches cause machines to perform more slowly. Apple users do not need to worry about performance impacts. According to Apple, Meltdown had no measurable reduction in performance on devices running macOS and iOS across several benchmarks. Spectre, fixed through a Safari mitigation, had no measurable impact on most tests, but did impact performance by less than 2.5% on the JetStream benchmark. Apple says it plans to continue to refine its mitigations going further. In addition to remaining transparent

Apple Releases macOS High Sierra 10.13.2 Supplemental Update With Spectre Fix

Apple today released a macOS High Sierra 10.13.2 supplemental update, which comes a little more than a month after the initial release of macOS High Sierra 10.13.2. macOS High Sierra 10.13.2 is a free update for all customers who have a compatible machine. The update can be downloaded using the Software Update function in the Mac App Store. macOS High Sierra 10.13.2 addresses the "Spectre" vulnerability that was publicized last week. Spectre and its sister vulnerability "Meltdown" are serious hardware-based exploits that take advantage of the speculative execution mechanism of a CPU, allowing hackers to gain access to sensitive information. While Meltdown was addressed in the initial macOS High Sierra 10.13.2 update, Apple said it would introduce a mitigation for Spectre in macOS and iOS early this week. There is no hardware fix for Spectre, so Apple is addressing the vulnerability using Safari-based software workarounds. There's also a Safari 11.0.2 update available for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6 that is designed to mitigate the effects of the Spectre vulnerability. Customers running macOS Sierra and OS X El Capitan should download the new version of Safari to make sure their machines are protected.

Apple Releases iOS 11.2.2 With Security Fixes to Address Spectre Vulnerability

Apple today released iOS 11.2.2, the ninth official update to the iOS 11 operating system. iOS 11.2.2 comes almost one month after the release of iOS 11.2.1, another minor update, and a month after iOS 11.2, which brought Apple Pay Cash, faster 7.5W wireless charging, and a long list of bug fixes. The iOS 11.2.2 update can be downloaded for free on all eligible devices over-the-air in the Settings app. To access the update, go to Settings --> General --> Software Update. The iOS 11.2.2 update includes further fixes for the "Meltdown" and "Spectre" vulnerabilities that came to light last week. Meltdown and Spectre are serious hardware-based vulnerabilities that take advantage of the speculative execution mechanism of a CPU, allowing hackers to gain access to sensitive information. While Meltdown was addressed in the iOS 11.2 update, Apple said it would introduce a mitigation for Spectre early this week. There is no hardware fix for Spectre, so Apple is addressing the vulnerability using Safari-based software workarounds. From Apple's security support document: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715). For more on iOS 11 and its updates, make sure to check out our iOS 11 roundup.

Apple Confirms 'Meltdown' and 'Spectre' Vulnerabilities Impact All Macs and iOS Devices, Some Fixes Already Released [Updated]

Apple today confirmed that it has addressed the recent "Meltdown" vulnerability in previously released iOS 11.2, macOS 10.13.2, and tvOS 11.2 updates, with additional fixes coming to Safari in the near future to defend against the "Spectre" vulnerability. Apple has also confirmed that the two vulnerabilities affect all Mac and iOS devices. The company's full statement, available through a new support document covering Meltdown and Spectre, is below: Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS. Apple's statement does not make it clear if these vulnerabilities have been addressed in older versions of iOS and Mac, but for Macs, there were security updates for older versions of macOS released alongside macOS 10.13.2, so it's

Intel Says New Software Updates Make Computers 'Immune' to Meltdown and Spectre Vulnerabilities

Intel today announced that the firmware updates and software patches that are being released for its CPUs render Intel-based computer systems "immune" to both the Spectre and Meltdown exploits that were widely publicized this week. Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates. Intel says updates have been issued for the majority of Intel processor products introduced within the past five years, and by the end of next week, more than 90 percent of processor products from the last five years will be patched. For Mac users, Apple has already addressed some of the vulnerabilities in the macOS High Sierra 10.13.2 update, and further updates will come in macOS High Sierra 10.13.3. To make sure you're protected as a Mac user, install all of the latest operating system updates and firmware patches. As always, it's also worth avoiding suspicious programs, websites, and links. Intel today also reiterated that the updates that are being released for Mac, PC, and Linux machines should not significantly impact day to day usage and should, for the most part, be unnoticeable. That seems to be true of the macOS High Sierra 10.13.2 update, as there have been no reports of slowdowns from Mac users. Intel continues to believe that the performance

Intel Claims Security Flaw Also Impacts Non-Intel Chips, Exploits Can't Corrupt, Modify or Delete Data [Updated]

Intel this afternoon addressed reports of a serious design flaw and security vulnerability in its CPUs, shedding additional light on the issue that was uncovered yesterday and has since received extensive media coverage. In a statement on its website, Intel says that it planned to disclose the vulnerability next week when additional software patches were available, but was forced to make a statement today due to "inaccurate media reports." According to Intel, the issue is not limited to Intel chips and the exploits in question do not have the potential to corrupt, modify, or delete data. Despite Intel's statement, Intel chips are more heavily impacted, and it's worth noting that Intel makes no mention of reading kernel level data. Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data. Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits. Intel says it is working with several other technology companies including AMD, ARM, and operating system vendors to "develop an industry-wide approach" to resolve the problem "promptly and constructively."

Intel Memory Access Design Flaw Already Addressed by Apple in macOS 10.13.2

A serious design flaw and security vulnerability discovered in Intel CPUs has reportedly already been partially addressed by Apple in the recent macOS 10.13.2 update, which was released to the public on December 6. According to developer Alex Ionescu, Apple introduced a fix in macOS 10.13.2, with additional tweaks set to be introduced in macOS 10.13.3, currently in beta testing. AppleInsider also says that it has heard from "multiple sources within Apple" that updates made in macOS 10.13.2 have mitigated "most" security concerns associated with the KPTI vulnerability. The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63 — Alex Ionescu (@aionescu) January 3, 2018. Publicized yesterday, the design flaw in Intel chips allows normal user programs to see some of the contents of the protected kernel memory, potentially giving hackers and malicious programs access to sensitive information like passwords, login keys, and more. Full details on the vulnerability continue to be unavailable and under embargo, so it's not yet clear just how serious it is, but fixing it involves isolating the kernel's memory from user processes using Kernel Page Table Isolation at the OS level. Implementing Kernel Page Table Isolation could cause a performance hit on some machines. According to The Register, which first shared details on the vulnerability, Windows

Intel Chips Have Memory Access Design Flaw and Fix Could Lead to Performance Drop

A serious design flaw and security vulnerability has been discovered in Intel's CPUs that will require an update at the operating system level to fix, reports The Register. All modern computers with Intel chips from the last 10 years appear to be affected, including those running Windows, Linux, and macOS. Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated - the flaw is in the Intel x86 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or go buy a new processor without the design blunder. Full details on the vulnerability aren't yet known as the information is currently under embargo until later in the month. The Register has unearthed some data, however, and it seems the bug allows normal user programs to see some of the contents of the protected kernel memory. This means malicious programs can potentially, in a worst case scenario, read the contents of the kernel memory, which can include information like passwords, login keys, and more. It's not yet clear how severe the bug is, but The Register speculates that it's significant given the rapid changes being made to Windows and Linux. At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious