Apple today posted the following support document regarding the Meltdown and Spectre security flaws. Here it is, verbatim:
About speculative execution vulnerabilities in ARM-based and Intel CPUs
Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
Background
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once — possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory — including that of the kernel — from a less-privileged user process such as a malicious app running on a device.
Meltdown
Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
Spectre
Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or “bounds check bypass,” and CVE-2017-5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
Source: Apple Inc.
Link to support document here.
MacDailyNews Take: So, there it is.
Now, which benchmarks are negatively impacted? For that, we wait for research from independent parties. (Because God only knows what Apple’s decided is in our best interest to keep secret.)
Intel et al. are going to try to sell us on a software bandaid instead of really fixing the problem properly. – MacDailyNews, January 4, 2018
SEE ALSO:
ARM security update suggests some iPhones, iPads, iPods and Apple TVs may be affected by CPU bug – January 4, 2018
Intel’s CEO Brian Krzanich sold off the majority of his shares after finding out about the irreparable chip flaws – January 4, 2018
CERT: Only way to fix Meltdown and Spectre vulnerabilities is to replace CPU – January 4, 2018
Security flaws put nearly every modern computing device containing chips from Intel, AMD and ARM at risk – January 4, 2018
Apple has already partially implemented fix in macOS for ‘KPTI’ Intel CPU security flaw – January 3, 2018
Intel’s massive chip flaw could hit Mac where it hurts – January 3, 2018
But speculative execution makes my computer feel Snappy
Well so much for the warm fuzzy secure feeling we have enjoyed all these years!!
And, please tell us how these issues negatively affected you in 2007 or 2009 or 2011 or 2013 or any other year since Apple started using Intel processors or started creating the A series chips. Please tell us all the gory details.
For thousands of years the super volcano known as Yellowstone could have blown up and taken a huge fraction of the western U.S. with it. But, no one knew of this issue until the last few decades. So for thousands of years, the threat existed, but no one was harmed. Since the threat has been known, no one has been directly harmed. For the next several decades likely no one will be harmed (except maybe those idiots that foolishly go where they should not and end up getting burned in a hot pool or a hot geyser).
This situation is similar. The flaws existed but no one knew of them for many, many years. They had no direct effect on anyone. Now we know they exist (and a some have know for about six months), but the worst that can happen is that one application can read pieces of what another application has in memory or read a piece of what the OS has in memory. With enough time and effort a nasty application can get several pieces of each of those.
However, neither Meltdown nor Specter will allow an application to force the OS to run nefarious programs. (If you have a nefarious Trojan on your Mac you’ve got bigger problems than either of these issues.)
Must Apple follow through and issue patches to all its OSes (other than watchOS as the Apple Watch CPU seems to be unaffected) to mitigate these as much as humanly possible? Yes. Absolutely. Apple should even look into doing an EFI update to patch things at the lowest level.
But, even saying that, should people be running around with their hair on fire claiming the world is coming to an end? No. Absolutely Not.
APOLOGIST.
Blasphemer! /s
This would be the Intel speediest processor bubble going pop, who is going to trust them? Meanwhile it should open the door to more Apple in-house processor talk and development.
Did you read the Apple press release? This affects any processor that employs speculative execution, which includes every processor designed in the last 15 years or more… not just Intel CPUs, but equally the Apple in-house processors.
And what’s stopping Apple, since it’s so relatively early in its product life and design, from designing around the flaws, just as AMD, had on 2 of 3. We just need to stop handing over all of tech to one supplier/manufacturer.
🤬F$&@?%?£king Apple and intel.
Billions in class action lawsuits because Apple did not disclose the flaw on same day it was discovered via user pop ups, I’m shorting AAPL and will authoring apple bashing articles calling apple stupid, incompetent, arrogant, too secretive and other whiner remarks.
You forgot the “/s” tag.
An of course the breaking news on CNN, is “All Macs and IOS devices by chip flaw”
Nothing mentioned about the millions of windows and android devices.
Nice
That’s because we never believed their bullshit about security, wait… they never gave us the bullshit Apple gave.
And still we will hold them accountable.
Apple never claimed to be 100% secure. Apple users (not so much the company) claimed its devices to be more secure than most of their competition. They are that, particularly for users who stay inside the “walled garden” and never download software from a potentially compromised source. While there have certainly been a fair number of Trojan exploits of one sort or another, there are hardly any examples of Apple users being hit by the sorts of viruses that have been endemic in the Windows universe. These two exploits, serious as they are, require running malware installed on the device.
Q’s point is that the media headlines are pointing the finger at Apple when the overwhelming majority of the affected processors are operating under non-Apple operating systems on non-Apple devices.
Users are part of the ecosystem… no?
Who handles communication at Apple? The first sentence of the public statement should have been something like, “Apple has already issued software updates to address yada yada yada… While the Intel chip flaw exists in Macs, Apple has already addressed the issue.”
But no. The first thing Apple says is, “Everything Apple makes is affected.”
And that’s the headline.
Idiots.
I think Apple makes fantastic products and services but can Apple PLEASE take reasonable steps to combat the irrational haters of the world?
“Everything Apple makes is affected” is the MDN headline. It is in the third sentence of the post https://support.apple.com/en-us/HT208394
I think candour is the way to go as it forces the other makers’ hand. They are unlikely to be as ready, willing and able to deal with the issue. Apple should gain credibility out of this.
How did this problem end up in the Arm chip design?
Hey, Back to the Future. LOL
PowerPC. or to the future AMD. Apple does have an in at AMD.
Since AMD processors are as fast or faster than Intel’s, they must also use speculative execution. They are therefore just as subject to this exploit as Intel, ARM, and Apple chips (and probably Power processors and possibly GPUs). Exploiting it may require a somewhat different approach, but the vulnerability is still there.
AMD seems to think differently. Almost.
https://www.cnbc.com/2018/01/03/amd-rebukes-intel-says-flaw-poses-near-zero-risk-to-its-chips.html
And just how is my PowerMac G5 affected, hmm?
Break out the G5’s!
I’ve heard Apple already released a patch for iOS but haven’t seen anything yet. You know, you gotta take this media fluff blowing everything out of proportion with a a grain of salt. The media are hit whores of the lowest scummy level. Don’t let them get to you. The sky isn’t falling.
I love how CNN reported this making it seems as though it was just an Apple issue and not inclusive of PC and everyone else. Boneheads.
Get to re-live the y2k type over hyping media responses and consumer hysteria 😉
good times, good times . . .
By media, I meant msm types