Apple confirms iPhone, Mac affected by Meltdown, Spectre flaws, but Apple Watch unaffected

Apple says all Mac systems and devices running iOS are affected by the vulnerabilities, but Apple Watch is unaffected.

apple.jpg

(Image: file photo)

Apple has issued a statement regarding the Meltdown and Spectre vulnerabilities, confirming all Mac systems and iOS devices are affected, but saying there are no known exploits impacting customers at this time.

Apple, like Microsoft, has urged users to download software only from trusted sources, such as the App Store.

The iPhone maker has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. A spokesperson confirmed Friday that Apple Watch is not affected by either Meltdown or Spectre, despite its own initial report Thursday.

"In the coming days we plan to release mitigations in Safari to help defend against Spectre," the company said in a statement. "We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, and tvOS."

The researchers who discovered the vulnerabilities said that "almost every system," since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines.

"An attacker might be able to steal any data on the system," said Daniel Gruss, a security researcher who discovered the Meltdown bug, in an email to ZDNet.

"Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine," according to the paper accompanying the research.

The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Macs, and Linux systems.

The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution, which improves speed by operating on instructions may be used in future.

To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.

According to Apple, the Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory -- including that of the kernel -- from a less-privileged user process such as a malicious app running on a device.

While Linux can deal with the fundamental issue with Meltdown, Linux creator Linus Torvalds shared his displeasure on the situation to the Linux Kernel Mailing List.

"I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed," he wrote.

"... and that really means that all these mitigation patches should be written with 'not all CPU's are crap' in mind.

"Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything?' Because if that's the case, maybe we should start looking towards the ARM64 people more."

A Linux security expert told ZDNet that Google Project Zero informed Intel about the security problems in April, but neither Google nor Intel bothered to tell the operating system vendors until months later.

This resulted in Apple, Linux developers, and Microsoft to scramble to deliver patches to fundamental CPU security problems.

Updated on January 5 at 2:40pm ET: with additional note from Apple spokesperson regarding Apple watch.

Read more: How Linux is dealing with Meltdown and Spectre

Microsoft has also warned users that its patches for Meltdown won't reach them if their third-party antivirus hasn't been updated to support this week's Windows security update.

Previous and related coverage

Critical flaws revealed to affect most Intel chips since 1995

Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are "going to haunt us for years."

Google reveals trio of speculative execution flaws, says AMD affected

CPUs can leak data when unwinding unused speculative execution paths.

Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus

Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows.

Intel starts issuing patches for Meltdown, Spectre vulnerabilities

Intel says it has already issued updates for the majority of its processor products released in the last five years.

Major Linux redesign in the works to deal with Intel security flaw

A serious security memory problem in all Intel chips has led to Linux's developers resetting how to deal with memory. The result will be a more secure, but -- as Linux creator Linus Torvalds says -- slower operating system.

Intel chips have critical design flaw, and fixing it will slow Linux, Mac, and Windows systems (TechRepublic)

The faulty design has been present in chips for years and it will force a redesign of the Linux and Windows kernels.