December Apple updates fixed 'Meltdown' & 'Spectre' vulnerabilities on older Macs [u]
Updates released in early December should already have dealt with the "Meltdown" and "Spectre" vulnerabilities on older Intel Macs, according to Apple's release notes, but a late Friday retraction of that claim has cast doubt on the situation.
Fixes for several Intel-related flaws were included in Security Update 2017-002 for Sierra, and Security Update 2017-005 for El Capitan. Apple yesterday confirmed that "mitigations" against Meltdown were implemented in macOS 10.13.2, iOS 11.2, and tvOS 11.2. watchOS is immune to the flaw.
Spectre remains a concern in Apple's Mac and iOS Web browser, Safari. That should be patched within the next few days, possibly even later on Friday.
The company is also developing broader fixes for iOS, macOS, tvOS, and watchOS, but it's unclear when those will be released to the public.
Both Meltdown and Spectre exploit a feature of modern Intel and ARM processors called "speculative execution": rather than wait for a branch to be resolved, the processor predicts which path is most likely to be taken and starts executing it, discarding the results if the guess turns out to be wrong. That discarded work still leaves traces in the CPU cache, and on unpatched devices those traces can be measured to read memory the process should never see, such as kernel memory.
While some reports have claimed that fixes can slow down processors, Apple said its own testing has shown little if any impact.
Update: On Friday afternoon, Apple removed the section of the support document detailing the "Meltdown" patch for Sierra and El Capitan. AppleInsider has conflicting information on this from inside Apple, with some claiming that the security patch didn't have the Meltdown fix, and others claiming that the documentation withdrawal was performed in error.
At present, the security document states that there is no patch for Meltdown in Sierra and El Capitan, and AppleInsider suggests that device administrators proceed assuming that there is no protection from the attack at this time on machines with older operating systems. We will update this post accordingly should we get more information on the topic.
Comments
https://support.apple.com/en-us/HT208331
Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read kernel memory
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology
Edit:
Oops, apparently the link I clicked in the article refers to an old version of that note. The latest version does indeed mention only High Sierra. Entry added January 4, updated January 5.
Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read kernel memory
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology
Entry updated January 5, 2018
No Sierra, no El Capitan mentioned.
Second, you don't have anything worth stealing if you can't afford a Late 2009 21.5" iMac for $250 on eBay.
https://spectreattack.com/spectre.pdf
The attacks generally rely on certain key features like cache flushes, shared memory spaces and high-resolution timers. The OS can break or lower the resolution of the high-resolution timers by adding noise and have a flag that allows the user to reinstate them if needed. The vast majority of software won't need microsecond or smaller timing. The OS can manage memory sharing and check for repeated calls to CPU cache flushing. Different processes share CPU caches, and an attack process can force the victim process to flush data into it, and the high-resolution timer checks if it worked, as cached access is faster. At an extreme level, the OS may even be able to obfuscate the contents of secure memory using a key so that even if the memory is accessed, it needs a random key held in protected memory to decode it. The random key can be per process.
This is one of those security issues that it would have been better not to go public with. Hardly anyone would have ever figured out this vulnerability, let alone make working code. There should really be a tier of people who need to know about them including CPU manufacturers, OS developers, browser developers, large scale server deployments. Sharing exploit code publicly for such an obscure issue is not a very responsible thing to do.
Fortunately, it should still be difficult to pull off an attack because it requires some effort in finding the right shared function calls to be able to pull data into the CPU cache and it requires compromised code to get onto a victim's machine. App stores can screen for this kind of attack. Browsers are susceptible due to Javascript but again they can check for certain Javascript code and mess up the timers.
As many commentators point out, or should, it's just much simpler and more effective for criminal types to use phishing emails and other social engineering methods.
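The article describes speculative execution leaving traces in the cache, and the comment above argues that coarsening the high-resolution timer breaks the attack. The following is an added example, not code from AppleInsider, Apple or the Spectre paper: it models the Flush+Reload channel both attacks use to turn a cache state into a leaked byte, then runs the same decoder against a jittered, quantized timer. The "cache" is a Python set and the latency ranges (CACHED_CYCLES, UNCACHED_CYCLES), the 500-cycle timer resolution and the secret string are constructed assumptions, so it runs deterministically anywhere; on real hardware the probe array would be 256 cache lines and the timer rdtscp.

```python
"""
Model of the cache-timing covert channel behind Meltdown/Spectre and of
the timer-coarsening mitigation. Constructed simulation: latencies come
from a seeded RNG, not from measurements.
"""
import random

PROBE_LINES = 256             # one probe cache line per possible byte value
CACHED_CYCLES = (30, 50)      # assumed latency range for a cache hit
UNCACHED_CYCLES = (180, 220)  # assumed latency range for a cache miss


class ModelCpu:
    """Tracks which probe lines are cached and returns a noisy access time."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.cached = set()

    def flush(self):
        # Attacker evicts every probe line (clflush in the real attack).
        self.cached.clear()

    def victim_touches(self, secret_byte):
        # The transient (speculative) load in the victim pulls in exactly one
        # probe line, the one indexed by the secret byte. The architectural
        # result is discarded, but the cache state survives.
        self.cached.add(secret_byte)

    def access_cycles(self, line):
        lo, hi = CACHED_CYCLES if line in self.cached else UNCACHED_CYCLES
        return self.rng.uniform(lo, hi)


def fine_timer(cycles, _rng):
    """Unmitigated high-resolution timer: returns the true latency."""
    return cycles


def coarse_timer(cycles, rng, resolution=500):
    """Mitigated timer: add jitter, then quantize, as browsers did with
    performance.now() after Spectre. A hit and a miss both now read as
    either 0 or `resolution`, so they can no longer be told apart."""
    return int((cycles + rng.uniform(0, resolution)) / resolution) * resolution


def recover_byte(cpu, secret_byte, timer):
    """Flush+Reload: flush, let the victim run, time every probe line and
    take the fastest one as the leaked value."""
    cpu.flush()
    cpu.victim_touches(secret_byte)
    timings = [timer(cpu.access_cycles(i), cpu.rng) for i in range(PROBE_LINES)]
    return min(range(PROBE_LINES), key=timings.__getitem__)


def leak(secret, timer, seed=1):
    """Read every byte of `secret` through the channel. Returns the bytes
    the attacker recovered and how many of them are correct."""
    cpu = ModelCpu(seed)
    leaked = bytes(recover_byte(cpu, b, timer) for b in secret)
    correct = sum(1 for a, b in zip(leaked, secret) if a == b)
    return leaked, correct


if __name__ == "__main__":
    secret = b"Meltdown"  # constructed stand-in for privileged memory
    for name, timer in (("fine", fine_timer), ("coarse", coarse_timer)):
        leaked, ok = leak(secret, timer)
        print(f"{name:6s} timer: read {leaked!r}, {ok}/{len(secret)} correct")
```

With the fine timer every byte is recovered, because the one cached line is always tens of cycles faster than the other 255. With the coarse timer the hit/miss gap of about 150 cycles is smaller than the 500-cycle quantum, so after jitter most lines read 0 and the decoder picks the first of them, which is almost never the right one. The real attacks answer this by repeating the measurement many times and by building their own timers from a counting thread, which is why Apple's Safari fix had to go further than reducing timer resolution alone.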