![\"Meltdown](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/meltdown-spectre-apple.png\")
<\/p>\n<\/p>\n
You’ve probably heard something about “Meltdown<\/strong>” and “Spectre<\/strong>,” perhaps even in the mainstream media, and you\u00a0likely\u00a0heard that it has something to do with an Intel security flaw.<\/p>\n But do you know how it affects your<\/em> Apple devices<\/strong>\u2014your Mac, iPhone, iPad, iPod touch, Apple Watch, or Apple TV\u2014and what actions you may need to take to stay safe?<\/p>\n Never fear, that’s why we’re here! It’s a complex problem, but we’ll break it down and share the main tidbits about these vulnerabilities you need to know as a user of Apple products.<\/p>\n On Monday, January 1, 2018, a developer blog, called “python sweetness,” brought to light<\/a>\u00a0an issue in which\u00a0“there is presently an embargoed security bug impacting apparently all contemporary CPU [central processing unit] architectures that implement virtual memory, requiring hardware changes to fully resolve.”<\/p>\n Macs, along with the vast majority of the world’s Windows and Linux PCs, use Intel processors.<\/p>\n As more information came to light in the subsequent days, it became clear that more than just Intel CPUs are affected; there are also implications for other processor architectures, including AMD processors as well as ARM-based processors like those\u00a0found in Apple’s iPhones and iPads.<\/p>\n It turns out that Intel and a handful of software development giants, among them Apple, Microsoft, and the Linux kernel developers, have known about the design flaw since at least November 2017 and have been working behind the scenes to prepare for a coordinated public disclosure and remediation of the issue. (At least, that was the plan until “python sweetness” and The Register brought the issue out of obscurity and into the public spotlight.)<\/p>\n “Meltdown” and “Spectre” are nicknames for techniques that can enable an attacker to access computer memory that shouldn’t be accessible; this is accomplished by abusing a technology called “speculative execution.”<\/p>\n Speculative execution is a processing feature that enables computing devices to run faster by predicting what will happen next in an app, and preemptively working toward multiple possible outcomes all at once.<\/p>\n The end result of leveraging Meltdown and Spectre could include leaks of sensitive data such as passwords and credit card information, among other things.<\/p>\n A vulnerability may be known by many names.<\/p>\n Perhaps the broadest term for the vulnerabilities in question would be “speculative execution vulnerabilities.”<\/p>\n “Meltdown<\/strong>” and “Spectre<\/strong>” are the main names that have caught on in association with this bug; each of these are\u00a0unique and will be described further in their own sections below.<\/p>\n When the story broke, it was at first being discussed online under the name KPTI<\/strong> in reference to Kernel Page-table Isolation<\/a>\u00a0(formerly called KAISER<\/strong>), a feature of the Linux kernel that mitigates the Meltdown vulnerability.<\/p>\n There’s also a not-safe-for-work nickname that was reportedly conceived by the Linux kernel team: F***WIT<\/strong> (which stands for “Forcefully Unmap Complete Kernel With Interrupt Trampolines”).<\/p>\n You may also see references to “CVE” numbers associated with these bugs. CVE stands for Common Vulnerabilities and Exposures, and CVE numbers are used for the purpose of tracking the same bug across multiple vendors and media outlets, as bugs tend to be described in many different ways and may have various nicknames.<\/p>\n Meltdown<\/strong>\u00a0is the nickname for one of\u00a0two major categories of exploits at this time. It\u00a0may also be referred to as the “rogue data cache load” technique, or CVE-2017-5754<\/a>.<\/p>\n Successful exploitation could allow an attacker’s code running in a user-privileged app to read kernel (superuser-privileged) memory.<\/p>\n Apple\u00a0said<\/a>\u00a0that its own\u00a0analysis suggested that the Meltdown exploitation technique “has the most potential to be exploited”\u00a0as compared with the Spectre exploitation techniques.<\/p>\n The other exploitation techniques are known collectively as Spectre<\/strong> (sometimes spelled Specter). The two techniques may be referred to as “bounds check bypass” or CVE-2017-5753<\/a>, and “branch target injection” or CVE-2017-5715<\/a>.<\/p>\n From Apple’s public statement<\/a>:<\/p>\n “Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.”<\/p><\/blockquote>\n In other words,\u00a0Web pages in an unpatched browser can potentially exploit Spectre.<\/p>\n If your Apple device is running one of the following operating systems, you’re already (at least partially) protected against Meltdown attacks:<\/p>\n Thus,\u00a0if you have an older version of macOS (or OS X), you’ll need to upgrade to macOS High Sierra version 10.13.2 or later\u00a0to protect against Meltdown attacks. (You may need to first\u00a0find out whether your Mac can be upgraded<\/a>.)<\/p>\n Apple has indicated that macOS High Sierra version 10.13.3 is in the works and will include further protections against Meltdown attacks, so be sure to install it when it becomes available.<\/p>\n Apple specifically claims<\/a>\u00a0“watchOS did not require mitigation” for Meltdown, while “watchOS is unaffected by Spectre.”<\/p>\n The company\u00a0has not offered further explanation as to why watchOS, which shares much of its codebase with iOS, allegedly does not require mitigations.<\/p>\n In short: If you use a third-party browser such as Firefox or Chrome, you’ll want to install any new updates that get released this month.<\/p>\n Firefox 57.0.4 is already out and includes mitigations for Spectre.\u00a0You can check for updates by going to the Firefox menu and selecting About Firefox, or you can download a fresh copy<\/a> of the app.<\/p>\n Meanwhile, Google isn’t planning to update Chrome until around January 23, according to Fortune<\/a>.\u00a0However, Chrome users who wish to be protected\u00a0can\u00a0follow a manual process<\/a>\u00a0to enable a Spectre mitigation (note, however, that doing so will increase Chrome’s memory consumption\u00a0by about 10\u201320%).<\/p>\n Until Apple and Google release patches,\u00a0it’s probably safest to\u00a0use Firefox 57.0.4 or later<\/a> on your Mac,\u00a0and avoid using Safari or Chrome for now.<\/p>\n As for iOS devices (iPhone, iPad, and iPod touch), there doesn’t seem to be a\u00a0safe alternative browser, so you’ll just have to wait patiently for Apple’s\u00a0forthcoming update. If you’re concerned, you\u00a0may wish to avoid\u00a0logging into sites or\u00a0entering any passwords or sensitive information\u00a0in\u00a0Safari or other mobile browsers for iOS, and instead opt to use your Mac for Web browsing until Apple updates iOS.<\/p>\n Editor’s Update, January 8:<\/strong> Apple has released security updates for macOS High Sierra, Safari and iOS\u00a0to mitigate Spectre.<\/p>\n macOS High Sierra 10.13.2 Supplemental Update<\/a> includes security improvements to Safari and Webkit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715). Apple notes, “Installing macOS High Sierra 10.13.2 Supplemental Update will update Safari to version 11.0.2 (13604.4.7.1.6) or version 11.0.2 (13604.4.7.10.6).”<\/p>\n Safari 11.0.2<\/a> is available for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2.<\/p>\n To check the version of Safari installed on your Mac:<\/p>\n iOS 11.2.2<\/a> is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. “iOS 11.2.2 includes security improvements to Safari and Webkit to mitigate the effects of Spectre,” according to\u00a0Apple’s security notice.<\/p>\n It\u00a0remains to be seen whether Apple will release EFI firmware updates for Macs to more fully address the issue closer to the hardware level.<\/p>\n Noting that Apple did not say anything about EFI in its public statement<\/a>, we reached out to Apple to inquire about whether EFI updates are forthcoming. Apple’s Todd Wilder responded\u00a0with the following statement:<\/p>\n In other words, if\u00a0Apple does\u00a0decide that it’s\u00a0necessary\u00a0to\u00a0release EFI firmware updates for\u00a0any\u00a0Macs, those updates would be bundled with a future\u00a0version of\u00a0macOS High Sierra or later, rather than published as a distinct and separate update.<\/p>\n Apple claims<\/a> that its Meltdown and Spectre mitigations do not cause such serious performance degradation.<\/p>\n According to Apple, the Meltdown mitigations already in place in macOS 10.13.2, iOS 11.2, and tvOS 11.2 “resulted in no measurable reduction in \u2026 performance.”<\/p>\n However, Apple\u00a0indicates that its upcoming mitigations for Spectre in Safari may have a performance impact of less than 2.5% in one particular benchmark, while other benchmarks see no measurable reduction in performance.<\/p>\n In short,\u00a0your Apple device\u00a0probably won’t feel slower as a result of Apple’s Meltdown and Spectre mitigations. (Your iOS device\u00a0might, however, feel slower for other reasons<\/a>.)<\/p>\n Absolutely. First of all, this is a developing story, so\u00a0expect further plot twists. It’s very likely that we\u00a0still don’t know all of the ramifications of the flaws in speculative execution processor technology.<\/p>\n If you own or support any Windows systems<\/strong>\u00a0(including if you run Windows\u00a0on your Mac, either via Boot Camp or via virtual machine software such as VMware Fusion, Parallels Desktop, or Oracle VirtualBox), be sure to install the latest Windows updates from Microsoft. Windows PCs\u00a0may also need BIOS\/UEFI firmware updates in order to be better protected. Not all PC manufacturers have given information about which PC models will be receiving updates, and some older PCs simply won’t be getting BIOS updates.\u00a0If you’re running Windows\u00a0via a virtual machine on\u00a0your Mac, check with your\u00a0VM vendor to see whether\u00a0a new version\u00a0may be needed\u00a0(VMware has released a public statement<\/a>, but Parallels and Oracle have not yet).<\/p>\n If you’d like to learn more about\u00a0the\u00a0speculative execution vulnerabilities, the following resources may be useful:<\/p>\n The world’s public knowledge about speculative execution vulnerabilities is only just beginning to blossom. As more brilliant minds begin exploring potential avenues for exploitation, it’s likely that more patches will be needed, so subscribe to The Mac Security Blog<\/strong>, the Intego Mac Podcast<\/a><\/strong>, and Intego’s YouTube channel<\/a><\/strong> to make sure you don’t miss any important news!<\/p>\n We’d love to hear your comments!<\/p>\n Why do you suppose Apple used different language about watchOS, saying that it “did not require mitigation” for Meltdown, while it “is unaffected by Spectre”?<\/p>\n Are there any other potential impacts of Meltdown and Spectre about which you feel Apple product users should be aware?<\/p>\n Discuss in the comments below, and be sure to share this article with your friends.<\/p>\n And after you listen to the upcoming podcast, feel free to write in with questions; you could win a $25 gift certificate<\/strong> or another great prize! For details, subscribe<\/a> and listen to the upcoming January 10 episode. You’ve probably heard something about “Meltdown” and “Spectre,” perhaps even in the mainstream media, and you\u00a0likely\u00a0heard that it has something to do with an Intel security flaw. But do you know how it affects your Apple devices\u2014your Mac, iPhone, iPad, iPod touch, Apple Watch, or Apple TV\u2014and what actions you may need to take to […]<\/p>\n","protected":false},"author":14,"featured_media":74059,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[151,5],"tags":[3868,3865,3862,3853,3856,4712,143],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\nWhat\u00a0are Meltdown and Spectre?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/Intel-i7-via-flickr_com-photos-intel_de-9662276651-300x300.jpg\")
The Register published an article<\/a>\u00a0the following day\u00a0that emphasized the design flaw with regard to Intel processors, and from there snowballed into a worldwide discussion about a serious flaw in Intel CPUs that had major security implications.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/Meltdown-Spectre-1024x570.png\")
<\/p>\nWhat do all these names mean?<\/h3>\n
What is Meltdown?<\/h3>\n
What is Spectre?<\/h3>\n
Is my Apple device safe from Meltdown?<\/h3>\n
\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/psp-mini-hero-macos-high-sierra-whats-new_2x-150x150.png\")
It’s important to note that Apple often releases security-only updates for the two previous versions of macOS, in this case Sierra and El Capitan. However, Apple has not given\u00a0any indication\u00a0that updates for Sierra or El Capitan are forthcoming.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/Apple-Watch-Security-cropped-100x150.png\")
According to Apple, “Apple Watch is not affected by either Meltdown or Spectre.”<\/p>\nIs my Apple device safe from Spectre?<\/h3>\n
no, not yet<\/strong><\/del> (see editor’s update below for details).<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/12\/Safari-iOS-icon-150x150.png\"){kind=icon}
Apple is planning to release a Safari update for both macOS and iOS “in the coming days,” so stay tuned for that. Once the updates are available, you’ll find the Mac update in the Mac App Store app under Updates, and you’ll find the iOS update in the Settings<\/strong> app under General<\/strong> > Software Update<\/strong>.<\/p>\n\n
Will Apple update Macs’ EFI firmware?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/Apple_logo_black-122x150.png\"){kind=logo}
“We no longer distinguish between EFI updates and OS updates for the Mac. We will be applying mitigations wherever in the stack it is necessary, and customers will receive those updates in the form of macOS updates.”<\/p><\/blockquote>\nWill my device be slower after I update?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/11\/antivirus-scanning-slow-mac-150x83.jpg\")
Early\u00a0reports suggested<\/a> that by disabling speculative execution functionality, certain system functions may be anywhere from 5 to 30\u00a0percent\u00a0slower.<\/p>\nIs there anything else I should know?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/Intego-Podcast-A.png\")
<\/a>There’s a special episode of the Intego Mac Podcast<\/a><\/strong> coming next Wednesday, January 10, in which Kirk McElhearn and I further discuss the topic and explain what speculative execution means. Be sure to\u00a0subscribe now<\/strong>\u00a0in iTunes\/Podcasts<\/a>\u00a0or in your favorite podcatcher to make sure you get the Meltdown\/Spectre episode when it becomes available.<\/p>\n![\"Apple's](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/Windows-BSOD-Apple-icon-150x150.png\"){kind=icon}
Note that systems running Windows 7 (or Server 2008 R2)<\/a>\u00a0or\u00a0Windows 8.1 (or Server 2012 R2)<\/a>\u00a0may need to manually download and apply the patch, since it may not\u00a0appear in Windows Update; meanwhile,\u00a0Windows 10 (and Server 2016)<\/a>\u00a0users should get the update as part of the usual patch cycle. Make sure your Windows anti-virus is fully up to date before you install the Windows patches.<\/p>\nAdditional Resources<\/h3>\n
\n
Final Thoughts<\/h3>\n
![\"xkcd](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/01\/xkcd-1938_meltdown_and_spectre_2x-1024x987.png\")
\nImage credit: xkcd #1938<\/a> by Randall Munroe<\/p>\nWhat are your thoughts?<\/h3>\n
\nIntel processor image credit: Intel in Deutschland<\/a>. Meltdown and Spectre logos by Natascha Eibl<\/a> via meltdownattack.com<\/a>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"