Story image

Apple confirms that macOS and iOS are vulnerable to Meltdown bugs

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. 

These issues apply to all modern processors and affect nearly all computing devices and operating systems. 

All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. 

Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, they recommend downloading software only from trusted sources such as the App Store. 

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. 

Apple Watch is not affected by either Meltdown or Spectre. 

Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or rogue data cache load.

The Meltdown technique can enable a user process to read kernel memory. 

Apple analysis suggests that it has the most potential to be exploited. 

Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. 

Their testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer.

Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or bounds check bypass, and CVE-2017-5715 or branch target injection.

These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.

Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. 

Apple has promised to release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. 

Their current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. 

They say they will continue to develop and test further mitigations within the operating system for the Spectre techniques and will release them in upcoming updates of iOS, macOS, and tvOS.

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.