We have recieved many concerns and questions regarding the nature of the latest two exploits. Here is more information on what they are exactly, what they do and what you need to do about it.
Two large security vulnerabilities, named Meltdown and Spectre, were revealed this month, when a research team unexpectedly shared the flaw publicly ahead of planned announcements. The security flaws were discovered a few months ago and privately revealed to chip companies, operating system developers and cloud computing companies who were all working to develop necessary security patches, mitigations and methods to work around the flaws. However, since the unexpected announcement, all the companies affected have been responding, somewhat in a disorderly manner. Apple’s prior security updates in early December had already proactively prevented some of the security risks posed via its latest software iterations iOS 11.2, macOS 10.13.2, and tvOS 11.2 updates. Apple is now working on additional fixes to address any Spectre vulnerabilities that could affect the Safari browser.
What is Meltdown and what is Spectre?
Meltdown and Spectre are both security vulnerabilities that affect microprocessing chips. Meltdown was discovered independently by three different groups - researchers from the Technical University of Graz in Austria, German security firm Cerberus Security, and Google’s Project Zero. Spectre was detected by both the Project Zero and independent researcher Paul Kocher.
Meltdown and Spectre are both security vulnerabilities. Modern high performance processors use speculative execution to maximize performance. This method however poses a risk where it is possible to figure out data belonging to another process or even the operating system, thus leaking information. Code that runs using this method could steal passwords or be even more damaging if used in tandem with other security flaws.
Meltdown and Spectre affect microprocessor chips created by Intel, AMD, ARM and other processor companies. They are both hardware flaws, posing greater security risks.
The Meltdown vulnerability allows a malicious program to read kernel memory, accessing data like passwords, emails, documents and photos. Meltdown can be exploited to read the entire physical memory of a targeted machine. Cloud-based services are particularly at risk for this and could result in hacking of data of millions of users if unprotected. Spectre uses two methods of exploitation and breaks isolation between different applications, making more applications vulnerable to manipulation and hacking.
How have companies responded?
Given that both Meltdown and Spectre are hardware-based flaws, operating system manufacturers are required to implement software workarounds.
Every major computing company ranging from microprocessor companies such as Intel, AMD and Arm to Google, Microsoft, Linux, Amazon and Apple has had to respond to this huge security flaw. Microsoft has been testing solutions since November. Intel has been hard hit by this security vulnerability as it affects processors manufactured today and as far back as 20 years. While Spectre affected every computing company, Meltdown really only affected Intel and ARM. Intel has offered an operating system level fix, but this could slow down computer performance significantly.
What action did Apple take?
Apple is a little different than other companies as it designs its own chips and sells devices that contain these chips. It also designs and develops its own operating system. Unlike some of the other companies that responded in vague terms with a lot of marketing filler content, Apple faced the issue directly.
Apple confirmed that both vulnerabilities affect all Mac and iOS devices. They also confirmed that there were no known exploits impacting customers at this time.
Manipulating these security vulnerabilities would require the download of a malicious software app. Apple recommends that users only download app software from trusted sources like the App Store.
Both Meltdown and Spectre do not affect the Apple Watch. Apple’s prior software releases for iOS 11.2, macOS 10.13.2, and tvOS 11.2 all protect against Meltdown.
Apple has shared that the Spectre vulnerability while being difficult to exploit, can be done using JavaScript in a web browser. Apple plans to release Safari updates for macOS and iOS to prevent Spectre-based exploits. Apple also intends to keep testing for Spectre and release mitigations in all future versions of iOS, macOS, tvOS, and watchOS.
Related Posts
The new Mac Pro Tower: Wheels optional
So happy to see that Apple is going back to its ability to allow users to upgrade and customize their Mac Pro tower experience. There was much much love for the old...
Thanks to our wonderful clients for a great 2018
I wanted to publicly share our new found direction in the following set of Immutable Laws that we now hold ourselves to here at Grove Technologies. We hope that this informs you,...
Back Up Before Upgrading to Mojave or iOS 12
Mac Backups On the Mac side, there are plenty of ways to back up, and a bootable duplicate made with SuperDuper or Carbon Copy Cloner is the best insurance right before you...
Top Features of iOS 12 to Take Advantage of Right Away
But iOS 12 offers more than just a speed boost. Apart from adding fripperies like new animoji, text effects, and camera effects in Messages and FaceTime, iOS 12 helps you use your...
Seriously Cool Features of macOS 10.14 Mojave You Won’t Want to Miss
Dark Mode and Dynamic Desktop In a major visual change, Mojave features a new Dark mode that reverses the standard black-on-white look with light gray text on a dark background throughout the...
When Should You Upgrade to macOS 10.14 Mojave, iOS 12, watchOS 5, and tvOS 12
(Note that we say when and not if. There’s no harm in delaying major operating system upgrades until Apple has had a chance to squash early bugs. But waiting too long puts...
How to Deal with macOS Server Losing Many of Its Services
At its peak, Server boasted 24 different Internet services, but since then Apple has pared down what it can do, such that recent versions of macOS Server offer only 13 services. Now,...
Sneak Preview of What’s Coming from Apple This Fall
macOS 10.14 Mojave Adds Dark Mode, Enhances the Finder, and Gains Four iOS Apps With the update to macOS, which Apple is calling “Mojave” after the southern California desert, the company is...
