December Apple updates fixed 'Meltdown' & 'Spectre' vulnerabilities on older Macs [u]

Posted:
in Current Mac Hardware edited January 5
Updates released in early December should already have dealt with "Meltdown" and "Spectre" vulnerabilities on older Intel Macs, according to Apple's release notes -- but a late Friday retraction of the claim has shed some doubt on the situation.




Fixes for several Intel-related flaws were included in Security Update 2017-002 for Sierra, and Security Update 2017-005 for El Capitan. Apple yesterday confirmed that "mitigations" against Meltdown were implemented in macOS 10.13.2, iOS 11.2, and tvOS 11.2. watchOS is immune to the flaw.

Spectre remains a concern in Apple's Mac and iOS Web browser, Safari. That should be patched within the next few days, possibly even later on Friday.

The company is also developing broader fixes for iOS, macOS, tvOS, and watchOS, but it's unclear when those will be released to the public.

Both Meltdown and Spectre exploit a feature in Intel and ARM processors called "speculative execution," which calculates multiple instruction branches simultaneously, predicting which one is most likely to be used. On unpatched devices, the vulnerabilities can be used to access restricted memory spaces such as a kernel.

While some reports have claimed that fixes can slow down processors, Apple said its own testing has shown little if any impact.

Update: On Friday afternoon, Apple removed the section of the support document detailing the "Meltdown" patch for Sierra and El Capitan. AppleInsider has conflicting information on this from inside Apple, with some claiming that the security patch didn't have the Meltdown fix, and others claiming that the documentation withdrawal was performed in error.

At present, the security document states that there is no patch for Meltdown in Sierra and El Capitan, and AppleInsider suggests that device administrators proceed assuming that there is no protection from the attack at this time on machines with older operating systems. We will update this post accordingly should we get more information on the topic.

Comments

  • Reply 1 of 15
    Call me a noob, but it looks like the specific Meltdown issue id, CVE-2017-5754 is only mentioned in the release notes of the Apple security update for High Sierra, not Sierra or El Capitan?
    edited January 5 watto_cobraivanh
  • Reply 2 of 15
    macplusplusmacplusplus Posts: 1,259member
    Peerke said:
    Call me a noob, but it looks like the specific Meltdown issue id, CVE-2017-5754 is only mentioned in the release notes of the Apple security update for High Sierra, not Sierra or El Capitan?
    It is available for Sierra and El Capitan:
    https://support.apple.com/en-us/HT208331

    Kernel

    Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    Edit:

    Ooops apparently the link I clicked in the article refers to an old version of that note. The latest version does indeed mention only High Sierra. Entry added January 4, updated January 5.

    edited January 5 watto_cobra
  • Reply 3 of 15
    technotechno Posts: 659member
    Please clear this up for me. Everything report I see on the news is that the Spectre vulnerability is a hardware issue that can only be fixed by replacement. How could Apple patch this by an update?
    ivanh
  • Reply 4 of 15
    macplusplusmacplusplus Posts: 1,259member
    techno said:
    Please clear this up for me. Everything report I see on the news is that the Spectre vulnerability is a hardware issue that can only be fixed by replacement. How could Apple patch this by an update?
    The news are wrong.
    watto_cobra
  • Reply 5 of 15
    Peerke said:
    Call me a noob, but it looks like the specific Meltdown issue id, CVE-2017-5754 is only mentioned in the release notes of the Apple security update for High Sierra, not Sierra or El Capitan?
    It is available for Sierra and El Capitan:
    https://support.apple.com/en-us/HT208331

    Kernel

    Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    If I follow your link, I get this:

    Kernel

    Available for: macOS High Sierra 10.13.1

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    Entry updated January 5, 2018


    No Sierra, no El Capitan mentioned.

    watto_cobra
  • Reply 6 of 15
    macplusplusmacplusplus Posts: 1,259member
    Peerke said:
    Peerke said:
    Call me a noob, but it looks like the specific Meltdown issue id, CVE-2017-5754 is only mentioned in the release notes of the Apple security update for High Sierra, not Sierra or El Capitan?
    It is available for Sierra and El Capitan:
    https://support.apple.com/en-us/HT208331

    Kernel

    Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    If I follow your link, I get this:

    Kernel

    Available for: macOS High Sierra 10.13.1

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    Entry updated January 5, 2018


    No Sierra, no El Capitan mentioned.

    You're rigth, I already edited my post you quoted. AI article links to an old version of that note.
    watto_cobra
  • Reply 7 of 15

    Kernel

    Available for: macOS High Sierra 10.13.1

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    Entry updated January 5, 2018


    No Sierra, no El Capitan mentioned.

    You're rigth, I already edited my post you quoted. AI article links to an old version of that note.
    So this basically means Meltdown is not fixed for Sierra and El Capitan, agreed?
  • Reply 8 of 15
    macplusplusmacplusplus Posts: 1,259member
    Peerke said:

    Kernel

    Available for: macOS High Sierra 10.13.1

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    Entry updated January 5, 2018


    No Sierra, no El Capitan mentioned.

    You're rigth, I already edited my post you quoted. AI article links to an old version of that note.
    So this basically means Meltdown is not fixed for Sierra and El Capitan, agreed?
    According to Apple's support document updated January 5, CVE-2017-5754 is fixed for High Sierra only. A patch for Sierra and El Capitan may be in the works, or may not be needed at all.
    watto_cobra
  • Reply 9 of 15

    Update: On Friday afternoon, Apple removed the section of the support document detailing the "Meltdown" patch for Sierra and El Capitan. AppleInsider has conflicting information on this from inside Apple, with some claiming that the security patch didn't have the Meltdown fix, and others claiming that the documentation withdrawal was performed in error.

    At present, the security document states that there is no patch for Meltdown in Sierra and El Capitan, and AppleInsider suggests that device administrators proceed assuming that there is no protection from the attack at this time on machines with older operating systems. We will update this post accordingly should we get more information on the topic.
    And especially not loosen the Gatekeeper protection with the false assumption that El Capitan or Sierra are not affected or are patched. That may be the reason Apple has withdrawn the previous entry regarding El Cap and Sierra patch: if there are doubts on the effectiveness of the patches or if those need further and more rigorous testing, Apple may have withdrawn the entry to prevent an early relaxation on the users that would end up with loosening the more effective and system-wide Gatekeeper protection.
    edited January 5
  • Reply 10 of 15
    j05j05 Posts: 1member
    So, instead of helping anyone with say, a perfectly good, functioning OS 10. 7.5, Apple is implying that the only solution is to buy a brand new $2,000 or whatever new MAC? You've got to be kidding me!
  • Reply 11 of 15
    nhtnht Posts: 4,037member
    j05 said:
    So, instead of helping anyone with say, a perfectly good, functioning OS 10. 7.5, Apple is implying that the only solution is to buy a brand new $2,000 or whatever new MAC? You've got to be kidding me!
    First, you can buy a 8-9 year old Mac (2009/2010 or newer can run High Sierra) to replace your "perfectly good" 10+ year old Mac and not spend $2000.

    Second, you don't have anything worth stealing if you can't afford a Late 2009 21.5" iMac for $250 on eBay.
  • Reply 12 of 15
    lukeilukei Posts: 297member
    techno said:
    Please clear this up for me. Everything report I see on the news is that the Spectre vulnerability is a hardware issue that can only be fixed by replacement. How could Apple patch this by an update?
    The media is wrong. Might make you wonder how often that is the case!
  • Reply 13 of 15
    ivanhivanh Posts: 114member
    techno said:
    Please clear this up for me. Everything report I see on the news is that the Spectre vulnerability is a hardware issue that can only be fixed by replacement. How could Apple patch this by an update?
    absolutely.
  • Reply 14 of 15
    MarvinMarvin Posts: 14,148moderator
    techno said:
    Please clear this up for me. Everything report I see on the news is that the Spectre vulnerability is a hardware issue that can only be fixed by replacement. How could Apple patch this by an update?
    There is example code at the end of the Spectre paper:

    https://spectreattack.com/spectre.pdf

    The attacks generally rely on certain key features like cache flushes, shared memory spaces, high resolutions timers. The OS can break or lower the resolution of the high resolution timers by adding noise and have a flag that allows the user to reinstate them if needed. The vast majority of software won't need microsecond or smaller timing. The OS can manage memory sharing and check for repeated calls to CPU cache flushing. Different processes share CPU caches and an attack process can force the victim process to flush data into it and the high resolution timer checks if it worked as cached access is faster. At an extreme level, the OS may even be able to obfuscate the contents of secure memory using a key so that even if the memory is accessed, it needs a random key held in protected memory to decode it. The random key can be per process.

    This is one of those security issues that it would have been better not to go public with. Hardly anyone would have ever figured out this vulnerability, let alone make working code. There should really be a tier of people who need to know about them including CPU manufacturers, OS developers, browser developers, large scale server deployments. Sharing exploit code publicly for such an obscure issue is not a very responsible thing to do.

    Fortunately, it should still be difficult to pull off an attack because it requires some effort in finding the right shared function calls to be able to pull data into the CPU cache and it requires compromised code to get onto a victim's machine. App stores can screen for this kind of attack. Browsers are susceptible due to Javascript but again they can check for certain Javascript code and mess up the timers.
  • Reply 15 of 15
    Has ANYONE seen either of these attack vectors actually being used? It seems that it’s tough to get useful information even if you use these attack methods. The smartest people around took 20years to  notice these even existed. 
    As many commentators point out, or should be, it’s  just much simpler and more effective for criminals types to use phishing emails and other social engineering methods..
Sign In or Register to comment.