Apple has already partially implemented fix in macOS for 'KPTI' Intel CPU security flaw

Posted:
in Current Mac Hardware edited January 2018
After a public disclosure of a security flaw with nearly every Intel processor produced for the last 15 years, concern grew that a fix may take up to 30 percent of the processing power away from a system. But Apple appears to have at least partially fixed the problem with December's macOS 10.13.2 -- and more fixes appear to be coming in 10.13.3.

Multiple sources within Apple not authorized to speak on behalf of the company have confirmed to AppleInsider that there are routines in 10.13.2 to mitigate the flaw, which could grant applications access to protected kernel memory. These measures, coupled with existing kernel-memory programming requirements that Apple implemented over a decade ago, appear to have mitigated most, if not all, of the security concerns associated with the flaw publicized on Tuesday.

Further confirming the fixes, developer Alex Ionescu has identified the code that addresses the issue and is calling it the "Double Map."

The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63

-- Alex Ionescu (@aionescu)

Our sources, as well as Ionescu, say that there are more changes in the macOS High Sierra 10.13.3 -- but both declined comment on what they may be, or what else is required to totally secure users.

AppleInsider is in the midst of comparative speed testing on a 2017 MacBook Pro. Early indications are that there are no notable slowdowns between a system running macOS High Sierra 10.13.1 and 10.13.2.

Mitigations by Linux code-base maintainers are underway, as are changes by Microsoft to protect Windows users. In response to a query, Microsoft told AppleInsider that it had no comment on a timetable for a release to fix the security flaw at this time, but kernel memory handling was altered by the company in Windows 10 beta builds at the end of 2017.

Potentially at risk from the flaw is anything contained in kernel memory, such as passwords, application keys, and file caches. Details surrounding the bug, and how to exploit it, are still under wraps.

Intel is unable to fix the flaw with a firmware update.

Aside from macOS, Microsoft's Windows and Linux are also open to the vulnerability. Beyond personal computers, some believe cloud services like Amazon EC2, Microsoft Azure and Google Compute Engine are impacted by the bug and will need to be updated.

Amazon has alerted its customers to a large security update coming to AWS in February. Microsoft's Azure service has a maintenance period scheduled for Jan. 10.

Comments

  • Reply 1 of 17
    racerhomie3 Posts: 1,264 member
    This does it. I am selling my MacBook & changing to iPad Pro or 5 with a BT keyboard.
  • Reply 2 of 17
    loquitur Posts: 138 member
    [comment moved]
    edited January 2018
  • Reply 3 of 17
    daven Posts: 731 member
    Next up are the class action lawsuits for Apple getting an early start on fixes and not disclosing that they were fixing it.
  • Reply 4 of 17
    sflocal Posts: 6,136 member
    rob53 said:
    What about all the macs that can’t run 10.3.2? Did a security update fix those systems?
    Those Macs that can't run the current MacOS most likely are no longer by Apple.  
    edited January 2018
  • Reply 5 of 17
    larrya Posts: 608 member
    This does it. I am selling my MacBook & changing to iPad Pro or 5 with a BT keyboard.
    Ironic that the “post-PC era” would be hastened by Intel. 
  • Reply 6 of 17
    loquitur Posts: 138 member
    sflocal said:
    rob53 said:
    What about all the macs that can’t run 10.3.2? Did a security update fix those systems?
    Those Macs that can't run 10.13.2 most likely are no longer by Apple.  
    Using the 'dosdude1' patches, many older machines like the MacBook5,1 from 2008 can run 10.13.2 just fine.
    edited January 2018
  • Reply 7 of 17
    racerhomie3 Posts: 1,264 member
    larrya said:
    This does it. I am selling my MacBook & changing to iPad Pro or 5 with a BT keyboard.
    Ironic that the “post-PC era” would be hastened by Intel. 
    What are you using?
  • Reply 8 of 17
    macplusplus Posts: 2,116 member
    Why is everyone so panicked?

    In order to exploit the flaw the "attacker gains physical access by manually updating the platform with a malicious firmware image through flash programmer physically connected to the platform’s flash memory. Flash Descriptor write-protection is a platform setting usually set at the end of manufacturing. Flash Descriptor write-protection protects settings on the Flash from being maliciously or unintentionally changed after manufacturing is completed.
    If the equipment manufacturer doesn't enable Intel-recommended Flash Descriptor write protections, an attacker needs Operating kernel access (logical access, Operating System Ring 0). The attacker needs this access to exploit the identified vulnerabilities by applying a malicious firmware image to the platform through a malicious platform driver."

    as explained by Intel:
    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

    In everyday language, the attacker needs physical access to your computer's interior. And all the efforts for what? For accessing kernel VM pages into which macOS never puts critical information. Holding critical information in wired memory is the ABC of kernel programming in Apple programming culture. That wired memory is the one that cannot be paged to VM. When the computer is turned off no critical information resides anywhere in your storage media.
    edited January 2018
  • Reply 9 of 17
    macxpress Posts: 5,940 member
    So you need to install 10.13 in order to get the update? Apple should be patching 10.12, perhaps 10.11 as well. My 2012 Mac Pro doesn't work very well with 10.13 so I went back to 10.12.
  • Reply 10 of 17
    Marvin Posts: 15,495 moderator
    Why is everyone so panicked?

    In order to exploit the flaw the "attacker gains physical access by manually updating the platform with a malicious firmware image through flash programmer physically connected to the platform’s flash memory. Flash Descriptor write-protection is a platform setting usually set at the end of manufacturing. Flash Descriptor write-protection protects settings on the Flash from being maliciously or unintentionally changed after manufacturing is completed.
    If the equipment manufacturer doesn't enable Intel-recommended Flash Descriptor write protections, an attacker needs Operating kernel access (logical access, Operating System Ring 0). The attacker needs this access to exploit the identified vulnerabilities by applying a malicious firmware image to the platform through a malicious platform driver."

    as explained by Intel:
    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

    In everyday language, the attacker needs physical access to your computer's interior. And all the efforts for what? For accessing kernel VM pages into which macOS never puts critical information. Holding critical information in wired memory is the ABC of kernel programming in Apple programming culture. That wired memory is the one that cannot be paged to VM. When the computer is turned off no critical information resides anywhere in your storage media.
    That's a different issue. Intel's statement on this issue is here:

    https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

    This issue is about user-level software being able to access kernel-level data. As Intel says, there are other attacks that do similar things:

    https://www.vusec.net/projects/anc/
    http://www.tomshardware.com/news/aslr-apocalypse-anc-attack-cpus,33665.html
    http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

    These try to bypass a security feature (ASLR), rather than being a direct security flaw:

    https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work

    One way they do it according to the Kaiser paper is to measure the timings between a memory access and error handler callback. When it hits the cache the timings change so they can figure out where the legitimate memory addresses are:

    https://gruss.cc/files/kaiser.pdf

    That paper suggests ARM isn't affected as it uses a separate mapping method for user and kernel tables:

    "All three attacks have in common that they exploit that the kernel address space is mapped in user space as well, and that accesses are only prevented through the permission bits in the address translation tables. Thus, they use the same entries in the paging structure caches. On ARM architectures, the user and kernel addresses are already distinguished based on registers, and thus no cache access and no timing difference occurs. Gruss et al. and Jang et al. proposed to unmap the entire kernel space to emulate the same behavior as on the ARM architecture."

    According to Intel, it doesn't allow write access. Maybe it's possible to get read access to sensitive data, this seems to be the case given the system updates. They are trying to come up with an industry-wide solution. Maybe there's a way to obfuscate memory data using a random key like a bit-shift operation and hide the key. It might be too slow for some things but worthwhile for sensitive data like passwords and encryption keys, which don't need to be accessed frequently. OS developers can do this themselves.
    edited January 2018
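The "Double Map" named in the article and the KAISER excerpt quoted in Marvin's post describe the same idea; the following is an added model (not Apple's, Linux's or the paper's code) of it: each address space keeps two page-table roots, and the user-mode root omits every kernel page except a small entry trampoline, so an unprivileged walk of a kernel address fails before the U/S permission bit is ever consulted. The page size, the KERNEL_BASE split and the page addresses are constructed values.

```python
from dataclasses import dataclass, field

PAGE = 0x1000
KERNEL_BASE = 0xFFFF_8000_0000_0000  # constructed user/kernel split

@dataclass
class PageTable:
    entries: dict = field(default_factory=dict)  # page number -> user_ok flag
    def map(self, vaddr, user_ok):
        self.entries[vaddr // PAGE] = user_ok
    def lookup(self, vaddr):
        return self.entries.get(vaddr // PAGE)  # None when not mapped at all

@dataclass
class AddressSpace:
    kpti: bool
    kernel_tables: PageTable = field(default_factory=PageTable)
    user_tables: PageTable = field(default_factory=PageTable)
    def map_user_page(self, vaddr):
        self.kernel_tables.map(vaddr, user_ok=True)
        self.user_tables.map(vaddr, user_ok=True)
    def map_kernel_page(self, vaddr, trampoline=False):
        self.kernel_tables.map(vaddr, user_ok=False)
        # Without KPTI every kernel page also sits in the user-mode tables,
        # guarded only by its U/S bit; with KPTI only the entry trampoline does.
        if not self.kpti or trampoline:
            self.user_tables.map(vaddr, user_ok=False)
    def probe(self, vaddr, ring0):
        """What a page walk in the given privilege mode observes about vaddr."""
        tables = self.kernel_tables if ring0 else self.user_tables  # the double map
        user_ok = tables.lookup(vaddr)
        if user_ok is None:
            return "not-mapped"            # walk fails before any permission check
        if ring0 or user_ok:
            return "accessible"
        return "mapped-but-privileged"     # present entry, rejected only by U/S bit

def probe_kernel_secret(kpti):
    """Build one address space and probe a kernel data page from both modes."""
    space = AddressSpace(kpti=kpti)
    space.map_user_page(0x0000_0000_0040_0000)          # ordinary user page
    space.map_kernel_page(KERNEL_BASE + 0x1000)          # page holding kernel data
    space.map_kernel_page(KERNEL_BASE, trampoline=True)  # syscall entry stub
    return {
        "user_probe_of_kernel_data": space.probe(KERNEL_BASE + 0x1000, ring0=False),
        "user_probe_of_trampoline": space.probe(KERNEL_BASE, ring0=False),
        "kernel_access_to_data": space.probe(KERNEL_BASE + 0x1000, ring0=True),
    }
```

With `kpti=False` the user-mode probe of the data page returns "mapped-but-privileged", which is exactly the state the KAISER excerpt says the timing attacks depend on; with `kpti=True` it returns "not-mapped", while ring 0 still sees the page as "accessible".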
  • Reply 11 of 17
    Thanks Mike for your correction.
  • Reply 12 of 17
    loquitur said:
    sflocal said:
    rob53 said:
    What about all the macs that can’t run 10.3.2? Did a security update fix those systems?
    Those Macs that can't run 10.13.2 most likely are no longer by Apple.  
    Using the 'dosdude1' patches, many older machines like the MacBook5,1 from 2008 can run 10.13.2 just fine.
    I have the MacBook Pro 5,1 using the dosdude1's patch.  The MBP runs perfectly.
  • Reply 13 of 17
    iSRS Posts: 52 member
    loquitur said:
    sflocal said:
    rob53 said:
    What about all the macs that can’t run 10.3.2? Did a security update fix those systems?
    Those Macs that can't run 10.13.2 most likely are no longer by Apple.  
    Using the 'dosdude1' patches, many older machines like the MacBook5,1 from 2008 can run 10.13.2 just fine.
    Thank you for this!!!! I will be doing this tonight to my iMac.

    EDIT: Nope. Mine has the incompatible Broadcom WiFi chip. Oh well...
  • Reply 14 of 17
    macplusplus Posts: 2,116 member
    Marvin said:
    Why is everyone so panicked?

    In order to exploit the flaw the "attacker gains physical access by manually updating the platform with a malicious firmware image through flash programmer physically connected to the platform’s flash memory. Flash Descriptor write-protection is a platform setting usually set at the end of manufacturing. Flash Descriptor write-protection protects settings on the Flash from being maliciously or unintentionally changed after manufacturing is completed.
    If the equipment manufacturer doesn't enable Intel-recommended Flash Descriptor write protections, an attacker needs Operating kernel access (logical access, Operating System Ring 0). The attacker needs this access to exploit the identified vulnerabilities by applying a malicious firmware image to the platform through a malicious platform driver."

    as explained by Intel:
    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

    In everyday language, the attacker needs physical access to your computer's interior. And all the efforts for what? For accessing kernel VM pages into which macOS never puts critical information. Holding critical information in wired memory is the ABC of kernel programming in Apple programming culture. That wired memory is the one that cannot be paged to VM. When the computer is turned off no critical information resides anywhere in your storage media.
    That's a different issue. Intel's statement on this issue is here:

    https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

    This issue is about user-level software being able to access kernel-level data. As Intel says, there are other attacks that do similar things:
    OK as The Register just mentions "the flaw" but cannot give any substantial info about it, we have to believe Intel that states there is no bug or flaw whatsoever.

    Apparently I posted a wrong technical note.

    AI must do a lot more editing than me to correct all references to "silicon-level flaw" and alike right now  >:)
    edited January 2018
  • Reply 15 of 17
    arthurba Posts: 156 member
    AppleInsider is in the midst of comparative speed testing on a 2017 MacBook Pro. Early indications are that there are no notable slowdowns between a system running macOS High Sierra 10.13.1 and 10.13.2.
    Please include the same 'PostgreSQL SELECT' benchmark that The Register did on linux for direct comparison.
  • Reply 16 of 17
    There are serious problems running High Sierra in many enterprise environments that require significant money and infrastructure changes that are unlikely to happen quickly. Many security endpoints require upgrades. Those endpoints have backend server consoles that need to be upgraded and may be shared with PCs. It might not be a priority due to the PCs not requiring an updated endpoint. Also DEP infrastructure is required with 10.13.2 to enable MDM to be trusted and secure kernel extensions allowed to be installed via the MDM without prompting the end user to allow the installation of the secure kernel extension. Apple has not been forthcoming with communications about these changes, they just make the changes and expect everyone to adapt uniformly. 10.13.3 may lock down things and require DEP even more so. This is all fine and dandy, I want these things but cannot proceed because I have to wait on Corporate to implement these changes and go through a bloody red tape nightmare to get even close to getting everything working. Just so I can patch the Macs. If Apple would just release the updates for 10.12.x that would really be beneficial. If you aren't up to Sierra tough cookies, upgrade. I can deal with that because it can be done painlessly.
  • Reply 17 of 17
    SpamSandwich Posts: 33,407 member
    larrya said:
    This does it. I am selling my MacBook & changing to iPad Pro or 5 with a BT keyboard.
    Ironic that the “post-PC era” would be hastened by Intel. 
    It’s not just Intel. All of the major chip manufacturers have the same vulnerability.