Meltdown-Spectre: A reminder to the IT industry that security is a mirage
Apple has rolled out a security fix to older Macs in an effort to mitigate the risk from a vulnerability in modern chips.
The technology giant on Tuesday released a fix for Meltdown, a flaw that can allow an attacker to read protected kernel memory, covering the latest versions of macOS Sierra (10.12.6) and OS X El Capitan (10.11.6).
macOS Sierra and its predecessor OS X El Capitan were not initially patched, with Apple opting to release a supplemental security update only for macOS 10.13.2 on January 8.
Some criticized the company for effectively forcing customers to update their entire operating system in order to receive patches. Although updating systems is one of the most important ways to protect against security vulnerabilities, many do not update their systems for fear of breaking legacy software.
Meltdown and Spectre, another chip vulnerability revealed at the same time, take advantage of a modern processor performance feature called speculative execution, which improves speed by executing instructions ahead of time that may be needed in the future.
As we previously reported, a vulnerable processor predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
Daniel Gruss, a security researcher who discovered the Meltdown bug, told ZDNet when the bug was first revealed that an attacker "might be able to steal any data on the system," including sensitive data, such as passwords.
In the company's latest supplemental security update, Apple fixed 17 vulnerabilities in 15 separate bulletins.