
Apple Releases Meltdown and Spectre Info and Updates

The tech world has been abuzz with discussion of Meltdown and Spectre, massive “speculative execution” security vulnerabilities recently discovered in the CPUs used by nearly all modern computing devices, including the Intel CPUs used in Macs and the ARM-based CPUs in iOS devices. Ars Technica has a good explanation of the problem and overview of the response from different companies.

Late last week, Apple posted a support note explaining the situation from the company’s perspective. In short, Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and claims that its changes resulted in no measurable reduction in performance. (Initial speculation suggested that blocking these vulnerabilities could cause a 5 to 30 percent performance hit.)

In that statement, Apple said that an upcoming release of Safari would mitigate the Spectre exploits with only a minimal performance impact. The company wasted no time, pushing out iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 (for OS X 10.11.6 El Capitan and 10.12.6 Sierra). All three updates “include security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).”

We strongly recommend installing these updates immediately, since the Spectre exploits can be implemented in JavaScript — in other words, any Web page could theoretically become a conduit to your computer or device being compromised.

On the Mac, it’s equally important to make sure you’re running the latest versions of Google Chrome (which updates itself; just quit and relaunch) and Firefox, along with any other Web browsers you use. Both Google and Mozilla have released interim updates and have more significant releases scheduled for the fourth week in January.

Apple says that the Apple Watch is unaffected by both Meltdown and Spectre.

All these updates are good, but note the word “mitigate” in Apple’s security notes, rather than the company’s usual “addressed” terminology. Spectre, in particular, is a subtle vulnerability, and we’ll likely be seeing additional protections worked into software over time.

In other words, staying up to date with the latest security updates from Apple is becoming ever more essential.

 

 

Comments about Apple Releases Meltdown and Spectre Info and Updates

G. Douglas Eddy  2018-01-06 13:38
I hope they will have updates for those who haven't fallen off the cliff to High Sierra! There are lots of us out here who also need help!
Reply
Flash Sheridan  2018-01-08 09:04
And, more important, iOS 11, which would kill many still-useful apps, and optimal versions of apps which have gotten worse.
Reply
Randy Spydell (TidBITS Angel)  2018-01-06 17:33
I agree with Mr. Eddy. This security vulnerability is potentially serious enough that patches should be out promptly for those of us who have not yet chosen to endure macOS 10.13.x. And, perhaps a significant discount might be offered to those of us who would be willing to trade in our old-chip-containing devices for new ones containing secure chips once they become available. I assume they *WILL* become available someday . . .
Reply
I think this illustrates nicely why security updates should be issued separately from other (feature) updates and for OSes/software versions that date back at least 5 years, if not longer.

In today's world, not offering security updates to a legacy OS or software version essentially equates to planned obsolescence of the hardware it's running on.
Reply
Dennis B. Swaney  2018-01-08 22:43
And Apple's "planned obsolescence" scheme for iPhones just backfired on them big time. Apple really DOESN'T give a darn about their customers except as "cash cows"!
Reply
joestoner  2018-01-09 03:00
My 6S is not part of the low cost battery replacement scheme although its battery IS vulnerable. Anyone found a work around; I've spent hours "chatting" to a numb-nuts Apple "Advisor" with no resolution!
Reply
Adam Engst (TidBITS Staffer)  2018-01-09 12:26
The iPhone 6s certainly should be covered; if you're going to send it in, just follow the instructions in the article on that topic:

http://tidbits.com/article/17708
Reply
Adam, I am confused about something: I just received a notice (via notifications, and then looking at the App store) from Apple about updating to Safari version 11.0.2 (I am running 10.12.6 - Sierra), but I already (supposedly) had Safari 11.0.2 installed in early December-2017. What is going on?
Reply
Adam Engst (TidBITS Staffer)  2018-01-09 12:27
Apple's being a little funny about the Mac version numbers — they didn't release 10.13.3 either, but made it a supplemental update. I'm not sure why this is, but regardless, just let the App Store app install the new version.
Reply
Thanks so much Adam !!
Reply
Side note: The original Safari 11.0.2 had a different number in the parentheses (when invoking "About Safari"), now (after update) indicating version (12604.4.7.1.6). Both versions still indicate Safari 11.0.2.
Reply
B. Jefferson Le Blanc  2018-01-09 19:28
I just received a notification and went to the App Store—and downloaded Safari 11.0.2, with the 12604.4.7.1.6 sub-version number.

On a related note, on the Apple updates page, the macOS High Sierra 10.13.2 Supplemental Update is not listed, despite what the page you link to suggests. I updated to macOS 10.13.2 just a few days ago on my test platform. I'll have to check back to see if a supplemental update is available in the App Store. I think by now, though, that that information may be out of date. In any case it's clear that Apple is as confused as we are about these problems.

I called Apple support a few days ago to see if they were working on patches for Sierra and El Capitan, since these OSs are still supposedly under the Apple security umbrella. The first person I talked to hadn't even heard of the problem, neither had her immediate superior. She contacted engineering and they had, fortunately, heard of it. She e-mailed me a link to an Apple article, https://support.apple.com/kb/HT208394, which basically said that Apple was working on a solution. Information on this subject is clearly a fast moving target, given the latest Safari update, which they promised was in the works. Of course that only solves part of the problem for Sierra and El Capitan, but it is progress of a sort.
Reply
L David Umbaugh  2018-01-13 15:48
Those of us with older iPhones and iPods (my iPod 2 for example) are also left out in the cold since iOS 9 is the latest version our devices will run.
Reply