“Apple has confirmed that all Macs, iPhones, iPads and other devices (bar Apple Watch) are vulnerable to the newly-revealed Spectre and Meltdown Intel, ARM and AMD processor vulnerabilities,” Jonny Evans writes for Computerworld. “Both Meltdown and Spectre take advantage of speculative execution to access privileged memory — including kernel memory — from a less-privileged user process such as a malicious app running on a device. In other words, it’s possible to use these exploits to get your data.”
“Though Apple and others in the industry all say this is very challenging and say that no known instances of use of these flaws have been seen. Yet,” Evans writes. “Apple says all its devices are vulnerable to the bugs, though Apple Watch is not susceptible to Meltdown.”
“The consequences of these revelations will reverberate for a while, I fear,” Evans writes. “The challenge exists not just in modern but also in older systems, and with millions of those still in use it seems inevitable hackers will create exploits to attack less secure devices… Here’s what you can do to protect yourself…”
Read more in the full article here.
MacDailyNews Take: Good luck, everyone!
The big question is where is performance negatively impacted by these software bandaids and by how much? For that, we wait for research from independent parties.
CERT: The only way to fix the Meltdown and Spectre vulnerabilities is to replace the CPU. Intel et al. are going to try to sell us on a software bandaid instead of really fixing the problem properly. Watch and see. https://t.co/OeC2AoPdlK #Intel #AMD #ARM
— MacDailyNews (@MacDailyNews) January 4, 2018
SEE ALSO:
Apple: All Mac systems and iOS devices are affected by Meltdown and Spectre security flaws – January 4, 2018
ARM security update suggests some iPhones, iPads, iPods and Apple TVs may be affected by CPU bug – January 4, 2018
Intel’s CEO Brian Krzanich sold off the majority of his shares after finding out about the irreparable chip flaws – January 4, 2018
CERT: Only way to fix Meltdown and Spectre vulnerabilities is to replace CPU – January 4, 2018
Security flaws put nearly every modern computing device containing chips from Intel, AMD and ARM at risk – January 4, 2018
Apple has already partially implemented fix in macOS for ‘KPTI’ Intel CPU security flaw – January 3, 2018
Intel’s massive chip flaw could hit Mac where it hurts – January 3, 2018
Just pull out the CPU and plug a new one in! 😎
Apple started soldering in the CPUs to save a penny. Funny how they could afford to use socketed CPUs when the Mac was important, but now they can’t. I guess they need that extra cash for all the High $ execs Timmy keeps hiring.
That and the extra 50,000 + Headcount. Exactly what do they do?
For you, Tim is Always the problem. You know- not business, but personal. I wonder why?…
Maybe it’s that picture where he is sitting at his desk typing on an iPad with an iMac sitting on the same desktop.
He does not give a damn about the Mac- just iOS.
CPUs not susceptible do not exist. Nobody will ever build fixed versions of any chip that is not still in production. These are fantasies like the battery that never degrades in performance with age.
Then security should never be sold as a feature…
Either should speed if it’s only good “when fresh”, or be advertised and claimed that way.
Agree with MDN.
Not looking to bankrupt these companies, but these companies have gotten enriched by selling defective goods. Not saying the defects were necessarily negligence or covered up in this case either. It’s called owning it.
far even for you. These products are not defective and all major vendors have already patched the issue or will very soon. We should apply “reasonableness” to this situation.
And you just might be prematurely apologetic. Let’s see just how defective.
If you’re not willing to wait, I’m not willing to discuss.
All major systems have been partially patched against “some” methods of exploiting the hacks. The issue is to fully patch all known ways of utilizing the issues gets a 30% reduction (or more depending on process age/speed) in CPU speed. Thus nobody has deployed a “full” patch.
Unfortunately, there is no safe computing platform at this point. New out-of-the-box won’t solve this problem. There are no processors that don’t have these flaws. This could freeze computer purchases for a while.
“That’s how they get you”
CERT, the cyber security project at Carnegie Mellon University sponsored by the U.S. government, on Friday withdrew its recommendation for the replacement of the central processing units (CPUs) of affected systems.
In the updated guidance, CERT said “operating system and some application updates mitigate these attacks.”
https://www.huffingtonpost.com/entry/apple-spectre-meltdown-chip-flaws-unsecure-web-browsing_us_5a4f8668e4b003133ec74f2e?ncid=inblnkushpmg00000009
Well, I’m going to use Leopard on my G5 until this gets sorted. /s
I guess soldering in the CPUs makes a CPU swap a non-starter.
Even if all the CPUs could be replaced many machines wouldn’t be able to support the spec of anything that was made. Even if every device with this issue could have a replacement fitted there is no way to practically replace the cpu of every single device made in the last x years, there’s not enough service centres on the planet to meet that sort of demand let alone the manufacturing capacity to make enough chips to go in that many products. Replacement is just pie in the sky.
Not expecting them to fix EOL HW, but the new stuff on the shelves is FUBAR and a lot of it has soldered in CPUs. Mac mini is but one example.
Past time for Apple to move to its own chip, wha’ it called? I forgot…y’all boys know.
All existing Apple CPUs (except Watch, apparently) have the same vulnerability. By the time their chips are fixed, so will Intel’s and AMD’s.
I think some people are getting overly worked up about this. As far as I can tell it’s not a bug that means anybody can all of a sudden get remote access to your device and access all your data. It’s not some imminent problem that’s going to stop all machines from working at midnight or something. From what I’ve read to actually exploit this is incredibly difficult so while all fixes that are possible should be applied, it’s not a case of shutting off all devices that have the issue and replacing every CPU in existence.
Not to play down the importance of the issue, but it’s not as if every chip is demonstrably faulty and liable to shutdown and destroy the planet at any second.
People are talking about replacing CPUs, but that’s just nonsense. Even if it was as simple as popping the back off and sticking in a new chip in there aren’t the service centres to do it, there isn’t the manufacturing capacity to produce the number of chips required i.e. even if all capacity on the planet was devoted to it that would only effectively produce enough to replace the last year’s worth of devices.
All we can do is install the updates, and take the same precautions we always should have been really. That and be thankful we have Apple devices that are actually going to be updated rather than all the Android users who likely won’t ever get a fix because they don’t get updates as it is.
Watch out for the fear mongering malware/virus protection companies onslaught telling people how THEIR protection is better than Apple’s.
Who would you trust more . . Thirdware companies or Apple’s?
Apple already claimed better security for many years now. Yet this happens. Don’t blindly trust, demand proof.
Vigilance is your best patch (defense) against these threats. First and foremost.
Apple should update older versions of iOS with security patches.
And older versions of Mac OS X.
But, knowing Apple’s pitiful support, it won’t happen.
Makes me want to give up on all computers and cell phones.
And I wonder what other exploits are yet to be found?
Wouldn’t be surprised if some of these are backdoors put in purposely to help the CIA and NSA ‘protect’ us from the bad guys…
That’s precisely what is claimed here: https://twitter.com/brutalistPress/status/949974156669579265 There’s no software fix for compromised hardware.
All Macs? Does this include PowerPC Macs??
IBM provides patches for their Power7+, 8 and 9 processors. All of these processors are of course from well after Apple dumped PPC CPUs (which were Power5).
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
I was able to dig up an iffy statement that Power6 CPUs did NOT yet have Speculative Execution. That would make all PPC Macs IMMUNE.
https://forum.level1techs.com/t/list-of-cpus-most-likely-immune-to-spectre/123128
HISTORY:
IBM first wrote about Speculative Execution back in 1998. However, the original IBM base research was published in 1967. Oddly, IBM were late to the party integrating Speculative Execution into their own CPUs.
According to the article I posted 2 days ago, The Military INTEL has been monitoring everything since 1958. Change the chips – after they have found a deeper layer to hide in – but still monitor all activities locally on the CPUs. Only then will everyone feel pseudo-safe. The 3-letter acronyms still own you.
Could you please provide source information regarding your statements about military surveillance? Was it (unconstitutionally) applied to US citizens without warrants (IOW Pre-FISA?). Also, I’d enjoy reading your article if you would please provide a link. Tnx!
As if FISA is constitutional…
There are lame arguments that it is. But of course we know full well that they’re nothing more than a rubber stamping process for almost any request, including approval AFTER surveillance has already been done. There are less than a handful of denials from the FISC. IOW: I agree that FISA is unconstitutional with regard to how it has been used. It’s all part of the shameful abuse of the US Constitution by those who swore an oath to uphold and defend it.
IMHO it was the enablement of 9-11 by the US Neo-Conservatives (whom I call the Neo-Con-Jobs) that began this profound streak of corruption in MY government. They figure that if they can pull the wool over the eyes of We The People regarding what REALLY happened on 9-11 then they can pull anything. That streak of deceit toward We The People has most recently led to our IDIOCRACY that is The Trump administration. Tell any LIE as long as it’s something the sheeple WANT to hear.
Firefox v57.0.4 contains Mozilla’s current fix for Spectre:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
We’re currently still waiting for the Spectre fix in Safari:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
Meltdown fixes? Apparently, that’s the more difficult problem. We wait and see…
👻💣
For what it’s worth, I read a post from a purported Intel engineer that claimed that the “flaws” were deliberate backdoors for intelligence agencies. Either that or their engineers are the most incompetent bastards in recent memory, I suspect the former.