Meltdown and Spectre: What Apple users need to know

“If your Apple device is running one of the following operating systems, you’re already (at least partially) protected against Meltdown attacks: macOS 10.13.2 or later; iOS 11.2 or later; tvOS 11.2 or later; watchOS,” Joshua Long writes for Intego. “It’s important to note that Apple often releases security-only updates for the two previous versions of macOS, in this case Sierra and El Capitan. However, Apple has not given any indication that updates for Sierra or El Capitan are forthcoming.”

“Thus, if you have an older version of macOS (or OS X), you’ll need to upgrade to macOS High Sierra version 10.13.2 or later to protect against Meltdown attacks,” Long writes. “Apple has indicated that macOS High Sierra version 10.13.3 is in the works and will include further protections against Meltdown attacks, so be sure to install it when it becomes available. According to Apple, ‘Apple Watch is not affected by either Meltdown or Spectre.’”

“Is my Apple device safe from Spectre? In short: no, not yet (except for Apple Watch),” Long writes. “Until Apple and Google release patches, it’s probably safest to use Firefox 47.0.4 or later on your Mac, and avoid using Safari or Chrome for now. As for iOS devices (iPhone, iPad, and iPod touch), there doesn’t seem to be a safe alternative browser, so you’ll just have to wait patiently for Apple’s forthcoming update.”

Much more info in the full article – recommended – here.
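The version floors quoted above (10.13.2 for partial Meltdown protection, 10.13.3 for the further protections Apple said were coming) are easy to get wrong by eye, so here is a small check that encodes them. This is an added example, not code from the Intego article or from MacDailyNews; it assumes only `sw_vers` on a real Mac and falls back to a constructed sample version elsewhere.

```shell
#!/bin/sh
# Added example: classify a macOS version against the Meltdown thresholds the
# article quotes. POSIX sh plus awk, so it runs under /bin/sh on macOS or Linux.

# Return 0 when dotted version $1 is >= dotted version $2 (any number of fields;
# missing trailing fields are treated as 0, so 10.14 >= 10.13.3).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# Print one of: patched (10.13.3+, the release Apple said adds further protections),
# partial (10.13.2, which the article calls at least partially protected),
# unpatched (anything older, including Sierra and El Capitan without a security update).
meltdown_status() {
    if version_ge "$1" "10.13.3"; then
        echo patched
    elif version_ge "$1" "10.13.2"; then
        echo partial
    else
        echo unpatched
    fi
}

# On a Mac read the installed version; elsewhere use a constructed sample value.
if command -v sw_vers >/dev/null 2>&1; then
    current=$(sw_vers -productVersion)
else
    current="10.11.6"   # constructed sample: an El Capitan release
fi
printf 'macOS %s: Meltdown mitigation status = %s\n' "$current" "$(meltdown_status "$current")"
```

The check only reflects the OS version thresholds the article gives; it says nothing about Spectre, which at the time of writing still needed separate browser and OS patches.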

MacDailyNews Take: The big question that remains: how much is performance negatively impacted by these software band-aids? For that, we wait for research from independent parties.

SEE ALSO:
How Apple product users can protect themselves against Spectre and Meltdown CPU flaws – January 5, 2018
Apple: All Mac systems and iOS devices are affected by Meltdown and Spectre security flaws – January 4, 2018
ARM security update suggests some iPhones, iPads, iPods and Apple TVs may be affected by CPU bug – January 4, 2018
Intel’s CEO Brian Krzanich sold off the majority of his shares after finding out about the irreparable chip flaws – January 4, 2018
CERT: Only way to fix Meltdown and Spectre vulnerabilities is to replace CPU – January 4, 2018
Security flaws put nearly every modern computing device containing chips from Intel, AMD and ARM at risk – January 4, 2018
Apple has already partially implemented fix in macOS for ‘KPTI’ Intel CPU security flaw – January 3, 2018
Intel’s massive chip flaw could hit Mac where it hurts – January 3, 2018

15 Comments

    1. Downloaded the updates. Don’t see any slowing down but I’m not a power user. Do have 3 security cameras on one monitor while I surf on the other monitor. Late 12 MacMini quad i7.

  1. I am not looking for an argument, this is a sincere question.

    I use 10.11.6 on a Mac Pro (Early 2008) that I cannot upgrade, and iOS 9.3.5 on an iPhone 5S that I will not upgrade because in the past doing so has slowed other iPhones I’ve owned.

    So yes, I use older technology but it still works (knock on wood). The question is will Apple choose to release security-only updates or will I (and others) be left vulnerable until we buy new hardware?

    1. The best technical discussion of this issue that I have seen came out in Ars Technica over the weekend.

      https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

      They conclude that because Apple controls the whole enchilada (hardware, OS, and much other software), it is in a better position to deal with this problem than other vendors. It also benefits from already using a page-memory scheme that is relatively difficult to subvert.

      This is not yet a critical problem, incidentally. There is no malware in the wild yet exploiting either of the speculative execution bugs. Writing one would require sophisticated system programming skills at the machine instruction level that the garden-variety applications programmer or hacker would be relatively unlikely to possess.

      Even if such malware existed, it would have to be installed on the user’s device with the owner’s consent (if not necessarily his informed consent). With all the patches in the pipeline, it may not be worth a hacker’s time to develop an exploit until the situation settles down and all the fixes are revealed.

      The Apple updates that have already come out, with those released today, plug almost all of the vulnerabilities. They do impose a performance penalty for an obvious reason—they prevent the device from taking full advantage of speculative execution that tests arrays before they are needed. Unrestricted speculative execution was instituted to speed things up, so if it is constrained those advantages are reduced. That is simply unavoidable, although the devices will still run far faster than chips that have no speculative execution at all.

      Apple’s history is to plug serious security flaws for about two major revisions in the past. They cannot be expected to reassemble an old programming team to fix software that was replaced many years ago. So those users are theoretically at risk, but why would a hacker devote considerable resources to exploiting such a small audience?

  2. Okay, break it down for a dummy –

    If the problem is in the chip (and we all know it is), and the fix will be in software, presumably at a deep root level, how is Firefox more secure to use right now than Safari? That answer may be in the full article, but if so, that part should have been pulled out and shared by MDN.

    1. There is a small possibility that someone could write malware that executed in JavaScript within a browser. Firefox has already released its fix; Safari’s will be out shortly.

      1. So the only way it is even a risk is through JS malware in a browser? I guess that’s less risk in the first place than I was led to believe. (I was also hearing about big picture virtual machine issues on cloud servers – none of those are Apple devices, I guess, so our possible concerns are much less significant.)

        Thanks!

        1. There are two related vulnerabilities. One can be accessed through the browser. The other can’t. Both require that the compromised software be running locally on the vulnerable machine. However, that could be either your local device or a remote software server.

          With VERY few exceptions, every CPU designed in the last 20 years employs speculative execution and is therefore vulnerable. Cloud servers on Linux are at just as much risk as anything Apple makes. Both will require patches to reduce the threat to an acceptable level.

          Any fix, even hardware replacement, will involve at least a minor performance hit because speculative execution cannot run as efficiently as without the fix.

    1. No, poor memory management haunts us on almost all chips. Apple themselves made the mistake on every one of their A series chips.

      Apple isn’t going back to IBM or risc chips for the Mac. IBM is a dead company walking, definitely not interested in consumer manufacturing. Worse, the beancounters at Apple are too stupid to invest in the Mac.

      It doesn’t have to be this way, of course. Some of us wish Apple could have just bought AMD and owned the vertical integration, but the Intel switch happened before Apple had more money than all the gods combined. Now that Apple has the money, they have focused on fashion and miniaturization over all else. Ergo, Macs haven’t been managed to be a growing part of the business since idiot Cook was allowed to take over.

      Latest Mac market share remains single digits. Apple knows the Mac now would completely die without Intel compatibility. There are just too many apps optimized for Windows. I don’t know the latest count, but of the few percent of Mac users in the world, more than half of them (almost all business users) use bootcamp or VM Ware or Parallels or CrossOver or whatever to run critical Windows programs. Why Apple hasn’t mounted a dedicated effort to seek and fill these holes is beyond us all. Cook is too stupid to keep the Mac platform healthy. While singing praises of closed walled garden app stores for all other Apple hardware, the Mac gets no love, no dedicated attention to incentivizing development of the best apps for the Mac. It’s as if Cook thinks that everyone will sign up to the disgusting insecure slow costly vision of cloud computing, where big brother controls all and users have no PERSONAL computing device whatsoever. That future sounds infinitely worse than Spectre.
      But we digress…

      Predictive-calculation security goofs affect Apple-designed chips too. The right thing for Apple to do in the immediate future is spend the next 3 years pushing out superior software and a more developer-friendly Mac App Store that allows trial-ware. Intel will have fixed all its chips by this time next year. The question is how many years it will take Apple’s skeleton crew working on the Mac to put it in new Mac models. All new Mac models free from any Ive influence.

  3. I’m still running Mavericks. Has Apple totally stopped supporting it?

    (I can upgrade to the latest OS but I can’t stand the ugly icons and the way they neutered the disk utility)…
