Apple Addresses Meltdown and Spectre in macOS Sierra and OS X El Capitan With New Security Update

[MacRumors]

Along with macOS High Sierra 10.13.3, Apple this morning released two new security updates that are designed to address the Meltdown and Spectre vulnerabilities on machines that continue to run macOS Sierra and OS X El Capitan.

As outlined in Apple's security support document, Security Update 2018-001 available for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6 offers several mitigations for both Meltdown and Spectre, along with fixes for other security issues, and the updates should be installed immediately.

Apple addressed the Meltdown and Spectre vulnerabilities in macOS High Sierra with the release of macOS High Sierra 10.13.2, but older machines were left unprotected. Apple initially said a prior security update included fixes for the two older operating systems, but that information was later retracted.

Spectre and Meltdown are two hardware-based vulnerabilities that impact nearly all modern processors. Apple in early January confirmed that all of its Mac and iOS devices were impacted, but Meltdown mitigations were introduced ahead of when the vulnerabilities came to light in iOS 11.2 and macOS 10.13.2, and Spectre was addressed through Safari updates in iOS 11.2.2 and a macOS 10.13.2 Supplemental Update.

Spectre and Meltdown take advantage of the speculative execution mechanism of a CPU. As these use hardware-based flaws, operating system manufacturers are required to implement software workarounds. These software workarounds can impact processor performance, but according to Apple, the Meltdown fix has no measurable performance reduction across several benchmarks.

The Spectre Safari mitigations have "no measurable impact" on Speedometer and ARES-6 tests, and an impact of less than 2.5% on the JetStream benchmark.

Many PCs with Intel processors have been facing serious issues following the installation of patches with fixes for Meltdown and Spectre, but these problems do not appear to impact Apple's machines.

Article Link: Apple Addresses Meltdown and Spectre in macOS Sierra and OS X El Capitan With New Security Update

 

[vicviper789]

i guess my ibook g4 will be left vulnerable...

 

[nexu]

Can we get the same for iOS 10?

 

[Sasparilla]

Nice to see these out.

 

[nutmac]

Do we know the % of Meltdown and Spectre bugs that are patched? Or is that impossible/difficult to determine?

 

[crazy dave]

yay!
[doublepost=1516735640][/doublepost]

Do we know the % of Meltdown and Spectre bugs that are patched? Or is that impossible/difficult to determine?

The impression I get is that Meltdown is fully patched, but Spectre represents a new class of attacks where no one even really knows how many different kinds of attacks are possible. This patch addresses the current known ones.

 

[brendu]

i guess my ibook g4 will be left vulnerable...

Was it ever confirmed that PowerPC chips were at risk?

 

[Paddle1]

How about iOS 9 or iOS 10? Lots of devices stuck there.

 

[cb3]

Apple:
Please patch older Mac OS's as well. Thank you.

 

[ArtOfWarfare]

i guess my ibook g4 will be left vulnerable...

Probably not. I'm not all that familiar with PPC, but I know that, for example, the ARM chips used by Raspberry Pi aren't vulnerable. The vulnerability comes from Speculative Execution, something that wastes a lot of power in the name of saving time. My understanding is Intel only started doing it in 2004, as they ran out of other ways to make the CPU run faster. I don't know that PPC started doing it earlier than Intel, but I would guess not.

 

[bobbie424242]

Great but how do you check that macOS Sierra has been patched and received this update ?

 

[SeaFox]

Was it ever confirmed that PowerPC chips were at risk?

I'm pretty sure he was joking. You're aware how old that computer is, right?

Great but how do you check that macOS Sierra has been patched and received this update ?

The same way you check to see if you have received any other security updates? You're looking for "Security Update 2018-001".

 

[Deacon-Blues]

Safari seems less snappy.

Okay not really. The estimated 2.5% hit to performance is significantly less than the early doomsday predictions we were hearing about a week ago, thankfully.

 

[bobbie424242]

The same way you check to see if you have received any other security updates? You're looking for "Security Update 2018-001".

Yup , should have gone to the App Store updates page before asking.

 

[FilipeTeixeira]

Many PCs with Intel processors have been facing serious issues following the installation of patches with fixes for Meltdown and Spectre, but these problems do not appear to impact Apple's machines.

Yet. I would wait a tiny bit longer.

 

[kemal]

I thought we had the Meltdown fix for 11.6 and 12.6 on 6DEC2017?
[doublepost=1516736880][/doublepost]

Can we get the same for iOS 10?

It is called iOS 11. If you can't run it then you have an A6 or earlier which doesn't so much have an issue.

 

[BornAgainMac]

If wonder if it is necessary to patch every VM if the host OS that is supporting the VMs is patched?

For example, you may have a server in the data center running VMware running on top of Windows 2016 server. If you patch Windows 2016 server (from Microsoft's security updates), all the VMs under your VMWare platform if not patched will not be an issue.

 

[Iphtashu Fitz]

I wonder how reliable Apple's patches are given that Linus Torvalds has condemned the patches submitted to the linux kernel by Intel:

the patches are COMPLETE AND UTTER GARBAGE.

And that's actually ignoring the much worse issue, namely that the whole hardware interface is literally mis-designed by morons.

Linus is never one to mince words...

 

[zorinlynx]

I wonder how reliable Apple's patches are given that Linus Torvalds has condemned the patches submitted to the linux kernel by Intel:




Linus is never one to mince words...

That's one thing I love about him. He loves Linux and he wants to make it the best system it can be. He doesn't bother with political correctness or being nice. If someone writes bad code, he lets them know, harshly. Everyone who works with him knows not to take things personally.

We need more people like that in QC and management positions at companies like Apple. Steve Jobs was much the same way.

 

[joema2]

Was it ever confirmed that PowerPC chips were at risk?

Very early PowerPC CPUs might not be vulnerable, but starting with the PowerPC 604 (used in the Power Mac 7600) in 1996, that CPU family used out-of-order speculative execution and branch prediction, which are the main criteria for Spectre vulnerability: https://everymac.com/systems/apple/powermac/specs/powermac_7600_120.html

If so the PowerPC 970 used in the last PowerMac G5 would also be at risk from Spectre.

The similar "Power Architecture" IBM Power8 and Power9 CPUs, also the Z14 CPU used in IBM mainframes were all singled out by Red Hat as vulnerable.

Even older RISC workstations using the MIPS R10000 or DEC Alpha 21264 CPUs might be vulnerable since they all share the same characteristics.

On the Intel side, it would seem any Intel CPU since the Pentium Pro in 1995 would be vulnerable to Spectre. That is when Intel (and most of the other CPU manufacturers) started using out-of-order speculative execution and branch prediction.

 

[crazy dave]

I thought we had the Meltdown fix for 11.6 and 12.6 on 6DEC2017?

No, this is the patch actually seems to be Meltdown (people thought the earlier one might be, but it wasn't) ...

However the article is slightly misleading as Spectre was actually patched in for Sierra and El Cap in Safari updates Jan 8th (11.02). The new update doesn't address Spectre.

https://support.apple.com/en-us/HT208403

 

[reggierob2]

i guess my ibook g4 will be left vulnerable...

Did the G4 even have branch prediction? (Is it even susceptible to Spectre/Meltdown?) (Actually, branch prediction was not anew thing by the time the G4 came around.)

 

[crazy dave]

Safari seems less snappy.

Okay not really. The estimated 2.5% hit to performance is significantly less than the early doomsday predictions we were hearing about a week ago, thankfully.

The doomsday performance predictions were for Meltdown (30% on certain workloads - important for HPC/database work). The above 2.5% performance penalty is for Spectre mitigations. Unfortunately for Spectre there *might* be many, many more attacks possible than the current ones known - that's its doomsday prediction.

 

[Andydigital]

My Early 2013 Macbook Pro is rebootiing every 3 minutes or so, even when sat doing nothing, since installing this Sierra update. DONT DO IT!!!!!!!!! Apple are fecking idiots.
[doublepost=1516738442][/doublepost]It's literally sat with no programs running at all, everything shut down but the OS and it is rebooting after about 2 minutes.
[doublepost=1516738557][/doublepost]It's even rebooting when I try to go to recovery mode or whatever its called, well done Apple I have a huge paperweight now.

Edit: I did get this sorted eventually, it was actually my Anti Virus software (ESET Cyber Security Pro) not liking the changes made to the OS to mitigate Meltdown and Specter. Keep reading my other posts for more info.

 

[bsolar]

Was it ever confirmed that PowerPC chips were at risk?

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Firmware patches for POWER7+, POWER8, and POWER9 platforms are now available via FixCentral. POWER7 patches will be available beginning February 7.