Security professionals had an “oh crap” moment last week when two gaping vulnerabilities were discovered in the bulk of modern microprocessors. The first issue, dubbed Meltdown, was more or less taken care of in a previous Apple update. But now, Apple has released a fix for the second issue, Spectre.
Photo: AP
According to Google’s Project Zero researchers, Meltdown and Spectre are a series of potential attack methods that could hypothetically allow a bad actor to gain access to a system as isolated as a personal laptop or as enormous as Amazon’s cloud computing service. Of the two methods, Meltdown has caused the greatest concern. If a hacker were able to take advantage of it, Meltdown could give them access to the most secret areas of memory sitting between the operating system and the programs it runs. Apple says that vulnerability was all patched up in iOS 11.2, macOS 10.13.2 and tvOS 11.2.
On Monday, Apple announced that it also has patches to mitigate the Spectre vulnerability in iOS and macOS. Those of you who use iOS want to update to version 11.2.2 (check under Settings > General > Software Update). The update for macOS 10.13.2 is a supplemental Safari update, which you can find in the App Store under Updates.
In Apple’s words, Spectre’s techniques “are extremely difficult to exploit, even by an app running locally on a Mac or iOS device”, but “they can be potentially exploited in JavaScript running in a web browser”. The new updates improve Safari and Webkit to hopefully prevent someone from exploiting Spectre. Apple says that it’s continuing “to develop and test further mitigations within the operating system for the Spectre techniques”, and a tvOS update is coming. Apple Watch was unaffected by Meltdown and Spectre.
Because these vulnerabilities relate to a technique called speculative execution, which improves CPU performance by predicting future calculations that it might need to make, there’s been some concern that fixes are going to harm performance for everyone. Google and Amazon have reported that they have seen “negligible impact” from security fixes. And Apple writes that its “current testing indicates that the Safari mitigations have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark”. In other words, performance didn’t take a huge hit.
While other tech companies are gradually getting this mess cleaned up, Intel’s problems could just be getting started. The chip manufacturer was informed by researchers about the issues back in June. It’s standard practice to keep quiet about vulnerabilities until they’re patched, but Intel’s CEO sold off $US11 ($14) million worth of stock in November, just in time to avoid the controversy. That was the maximum he was allowed to sell as CEO according to The Motley Fool. An Intel spokesperson told Gizmodo last week that the sale was entirely “unrelated” to the dire situation that Intel finds itself in today. The New York Times reports that Krzanich will have a lot of questions to answer at CES today, as fears still linger that the patches that are trickling out won’t entirely solve the issue.
[Apple via TechCrunch]