Apple Posts Support Doc Saying That They’re Affected By The Epic Intel CPU Vulnerability

Apple late yesterday posted a new support document covering Meltdown and Spectre, the two CPU vulnerabilities that affect Intel and other CPUs. It confirms that if you are running iOS 11.2, macOS 10.13.2, or tvOS 11.2, you don’t have to worry about the Meltdown vulnerability, because Apple fixed it in those releases before the issue was widely known. Additional fixes are coming to Safari in the near future to defend against the “Spectre” vulnerability.

Now, for those of you who noted that iOS and tvOS are on the list and concluded that iPhones, iPads and Apple TVs are affected by this issue: good catch.

Now, one thing that isn’t clear is whether these vulnerabilities have been addressed in older versions of iOS and macOS. In the case of the Mac, there were security updates for older versions of macOS released alongside macOS 10.13.2, so it’s possible fixes are already available for Sierra and El Capitan. But I would say that the safest thing to do is to update your Mac, or any of your Apple devices, to the latest version of whatever OS they use to be safe.

UPDATE: I just found this document that says that these fixes are also in security updates for macOS Sierra and El Capitan. Specifically:

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read kernel memory

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

UPDATE #2: Strangely, this document, which this morning said that macOS Sierra and El Capitan have the fixes for this vulnerability (and I copied and pasted that in my first update), has since been altered to exclude these two operating systems. Thus it’s unclear if the fixes for this vulnerability are there for those two operating systems or not. On top of that, this document now references watchOS and the fact that it didn’t require any fixes.
