
MacRumors

macrumors bot



Along with macOS High Sierra 10.13.3, Apple this morning released two new security updates that are designed to address the Meltdown and Spectre vulnerabilities on machines that continue to run macOS Sierra and OS X El Capitan.

As outlined in Apple's security support document, Security Update 2018-001 available for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6 offers several mitigations for both Meltdown and Spectre, along with fixes for other security issues, and the updates should be installed immediately.


Apple addressed the Meltdown and Spectre vulnerabilities in macOS High Sierra with the release of macOS High Sierra 10.13.2, but older machines were left unprotected. Apple initially said a prior security update included fixes for the two older operating systems, but that information was later retracted.

Spectre and Meltdown are two hardware-based vulnerabilities that impact nearly all modern processors. Apple in early January confirmed that all of its Mac and iOS devices were impacted, but Meltdown mitigations were introduced ahead of when the vulnerabilities came to light in iOS 11.2 and macOS 10.13.2, and Spectre was addressed through Safari updates in iOS 11.2.2 and a macOS 10.13.2 Supplemental Update.

Spectre and Meltdown take advantage of the speculative execution mechanism of a CPU. As these use hardware-based flaws, operating system manufacturers are required to implement software workarounds. These software workarounds can impact processor performance, but according to Apple, the Meltdown fix has no measurable performance reduction across several benchmarks.

The Spectre Safari mitigations have "no measurable impact" on Speedometer and ARES-6 tests, and an impact of less than 2.5% on the JetStream benchmark.

Many PCs with Intel processors have been facing serious issues following the installation of patches with fixes for Meltdown and Spectre, but these problems do not appear to impact Apple's machines.

Article Link: Apple Addresses Meltdown and Spectre in macOS Sierra and OS X El Capitan With New Security Update
 
yay! :)
Do we know the % of Meltdown and Spectre bugs that are patched? Or is that impossible/difficult to determine?

The impression I get is that Meltdown is fully patched, but Spectre represents a new class of attacks where no one even really knows how many different kinds of attacks are possible. This patch addresses the current known ones.
 
I guess my iBook G4 will be left vulnerable...

Probably not. I'm not all that familiar with PPC, but I know that, for example, the ARM chips used by Raspberry Pi aren't vulnerable. The vulnerability comes from Speculative Execution, something that wastes a lot of power in the name of saving time. My understanding is Intel only started doing it in 2004, as they ran out of other ways to make the CPU run faster. I don't know that PPC started doing it earlier than Intel, but I would guess not.
 
Was it ever confirmed that PowerPC chips were at risk?

I'm pretty sure he was joking. You're aware how old that computer is, right?

Great, but how do you check that macOS Sierra has been patched and received this update?

The same way you check to see if you have received any other security updates? You're looking for "Security Update 2018-001".
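
One way to script the check described in the reply above, as an added example that is not part of the original posts: it searches macOS install history for the "Security Update 2018-001" entry. It assumes the text layout printed by `system_profiler SPInstallHistoryDataType` (entry name on its own line ending in a colon, followed by indented `Version:` and `Install Date:` lines); the function names and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Look for a named update in macOS install history text.
# Assumed input layout: `system_profiler SPInstallHistoryDataType` output.

UPDATE_NAME="Security Update 2018-001"   # name given in the thread

# Constructed sample history (not real machine output), used when
# system_profiler is not available so the script still runs offline.
sample_history() {
cat <<'EOF'
Installations:

    Safari:

      Version: 11.0.2
      Source: Apple
      Install Date: 1/8/18, 9:02 PM

    Security Update 2018-001:

      Version: 10.12.6
      Source: Apple
      Install Date: 1/23/18, 11:40 AM

EOF
}

# find_update NAME: reads history on stdin, prints "NAME|version|install date"
# for each exact-name match, and returns non-zero when the update is absent.
find_update() {
  awk -v want="$1" '
    # An entry header is a line whose only colon is the trailing one.
    /^ *[^:]+:$/ { name=$0; sub(/^ +/, "", name); sub(/:$/, "", name)
                   inrec = (name == want); ver = ""; next }
    inrec && /^ *Version:/      { ver=$0; sub(/^ *Version: */, "", ver) }
    inrec && /^ *Install Date:/ { d=$0; sub(/^ *Install Date: */, "", d)
                                  print want "|" ver "|" d; found=1; inrec=0 }
    END { exit (found ? 0 : 1) }
  '
}

if command -v system_profiler >/dev/null 2>&1; then
  system_profiler SPInstallHistoryDataType | find_update "$UPDATE_NAME" \
    || echo "NOT INSTALLED: $UPDATE_NAME"
else
  sample_history | find_update "$UPDATE_NAME"
fi
```

The non-zero exit status when the entry is missing makes the function usable as a compliance check across several machines.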
 
Safari seems less snappy.

Okay not really. The estimated 2.5% hit to performance is significantly less than the early doomsday predictions we were hearing about a week ago, thankfully.
 
I thought we had the Meltdown fix for 11.6 and 12.6 on 6DEC2017?
Can we get the same for iOS 10?

It is called iOS 11. If you can't run it then you have an A6 or earlier which doesn't so much have an issue.
 
I wonder if it is necessary to patch every VM if the host OS that is supporting the VMs is patched?

For example, you may have a server in the data center running VMware running on top of Windows 2016 server. If you patch Windows 2016 server (from Microsoft's security updates), all the VMs under your VMware platform if not patched will not be an issue.
 
I wonder how reliable Apple's patches are given that Linus Torvalds has condemned the patches submitted to the linux kernel by Intel:
the patches are COMPLETE AND UTTER GARBAGE.

And that's actually ignoring the much worse issue, namely that the whole hardware interface is literally mis-designed by morons.

Linus is never one to mince words...
 

That's one thing I love about him. He loves Linux and he wants to make it the best system it can be. He doesn't bother with political correctness or being nice. If someone writes bad code, he lets them know, harshly. Everyone who works with him knows not to take things personally.

We need more people like that in QC and management positions at companies like Apple. Steve Jobs was much the same way.
 
Was it ever confirmed that PowerPC chips were at risk?

Very early PowerPC CPUs might not be vulnerable, but starting with the PowerPC 604 (used in the Power Mac 7600) in 1996, that CPU family used out-of-order speculative execution and branch prediction, which are the main criteria for Spectre vulnerability: https://everymac.com/systems/apple/powermac/specs/powermac_7600_120.html

If so the PowerPC 970 used in the last PowerMac G5 would also be at risk from Spectre.

The similar "Power Architecture" IBM Power8 and Power9 CPUs, also the Z14 CPU used in IBM mainframes were all singled out by Red Hat as vulnerable.

Even older RISC workstations using the MIPS R10000 or DEC Alpha 21264 CPUs might be vulnerable since they all share the same characteristics.

On the Intel side, it would seem any Intel CPU since the Pentium Pro in 1995 would be vulnerable to Spectre. That is when Intel (and most of the other CPU manufacturers) started using out-of-order speculative execution and branch prediction.
 
I thought we had the Meltdown fix for 11.6 and 12.6 on 6DEC2017?

No, this patch actually seems to be Meltdown (people thought the earlier one might be, but it wasn't) ...

However the article is slightly misleading as Spectre was actually patched in for Sierra and El Cap in Safari updates Jan 8th (11.02). The new update doesn't address Spectre.

https://support.apple.com/en-us/HT208403
 
Safari seems less snappy.

:)

Okay not really. The estimated 2.5% hit to performance is significantly less than the early doomsday predictions we were hearing about a week ago, thankfully.

The doomsday performance predictions were for Meltdown (30% on certain workloads - important for HPC/database work). The above 2.5% performance penalty is for Spectre mitigations. Unfortunately for Spectre there *might* be many, many more attacks possible than the current ones known - that's its doomsday prediction.
 
My Early 2013 MacBook Pro is rebooting every 3 minutes or so, even when sat doing nothing, since installing this Sierra update. DON'T DO IT!!!!!!!!! Apple are fecking idiots.
It's literally sat with no programs running at all, everything shut down but the OS and it is rebooting after about 2 minutes.
It's even rebooting when I try to go to recovery mode or whatever it's called, well done Apple I have a huge paperweight now.

Edit: I did get this sorted eventually, it was actually my Anti Virus software (ESET Cyber Security Pro) not liking the changes made to the OS to mitigate Meltdown and Spectre. Keep reading my other posts for more info.
 