Yes, and for any other computer and smartphone manufacturer out there.

Yeah. Entire industry might be chilled. Though, some of these benchmark results are looking ok.

Does anyone know how often the benchmarks do system calls to the kernel? Seems like heavy IO related activities are affected most. I wonder how much something like FCP X is affected?

Oh my ... this just gets worse.
 
Really hoping someone can guide on where to find these wallpapers on the macbooks on the story
 
And how do you know criminals failed to find the flaw on their own? Answer: you do not, which invalidates your whole argument.

Well, gee, I don't know for "sure" there isn't an Easter Bunny, a Santa Claus or a man that people think was God either, but the absolute lack of evidence of any known instance of malware taking advantage of them in the wild the past 40 fracking YEARS makes them all pretty damn unlikely. I'm sorry that's not "good enough evidence" for you, but then I don't give a crap if you believe it or not. You're invalidated. :rolleyes:

The fact remains that these so-called "research centers" actually make malware known to the entire world in detail so that any crooks that don't know about them, sure as hell do NOW! They CREATED this problem by announcing it and how it works to the world. I reiterate, they should be held LIABLE for the crime that ensues because of this. They SHOULD have kept it quiet and told Intel and others privately, not announcing it to the damn news channels! This problem is TOO BIG to just "fix" like other software issues. This means every single computer on the planet practically needs replaced with new hardware. Intel should have to do it for FREE.
 
Well, gee, I don't know for "sure" there isn't an Easter Bunny, a Santa Claus or a man that people think was God either, but the absolute lack of evidence of any known instance of malware taking advantage of them in the wild the past 40 fracking YEARS makes them all pretty damn unlikely. I'm sorry that's not "good enough evidence" for you, but then I don't give a crap if you believe it or not. You're invalidated. :rolleyes:
Sorry to be rude, but your logic doesn't work. If someone is able to discover a security issue, it's proof that the issue can be found. Assuming nobody else in the world ever found it is simply foolish. What you can argue is that the information is not widespread, and on that I agree, but assuming it's simply not available in the wild is just foolish. There are ways to exploit it without leaving traces and those who likely discovered it to break into computer systems are also likely to do that in a way you cannot figure out.
The fact remains that these so-called "research centers" actually make malware known to the entire world in detail so that any crooks that don't know about them, sure as hell do NOW! They CREATED this problem by announcing it and how it works to the world. I reiterate, they should be held LIABLE for the crime that ensues because of this. They SHOULD have kept it quiet and told Intel and others privately, not announcing it to the damn news channels! This problem is TOO BIG to just "fix" like other software issues. This means every single computer on the planet practically needs replaced with new hardware. Intel should have to do it for FREE.
You are mistaken. The researchers did follow responsible disclosure:
After affected hardware and software vendors had been made aware of the issue on July 28, 2017, the two vulnerabilities were made public jointly, on January 3, 2018, several days ahead of the coordinated release date of January 9, 2018 as news sites started reporting about commits to the Linux kernel and mails to its mailing list. As a result, patches were not available for some platforms, such as Ubuntu, when the vulnerabilities were disclosed.
 
Well it's probably safest to hate everything. "This sucks, I'm going back to my Commodore 64!" There's no curmudgeon like an old school curmudgeon.

Ahem.

Here's the thing: I understand this is basically in concept at the time - someone told me that there's no existing exploit but a bad actor could use javascript to inject an exploit.

In practice, reading 32 gigs of some random person's system memory over a 5 megabit DSL line or 15 megabit cable line (about average for high speed internet locally) would be a really slow and ineffective way of hacking a system by reading the entire contents of memory.

Let's hope that this is more boogeyman than actual threat since someone would have to write an app to target specific locations of memory where "interesting" things hide.

This is what I was thinking. In addition, running an adblocker (like uBlock) and script blocker (like noScript) should provide some measure of defense, should it not? I've been using both as well as Ghostery for a while now.

The fact I've seen at least one person (not sure whether it was in this, or another thread) mention that it's bricked their iMac makes me hesitant to install the supplemental update on mine (27" Retina 5K - on 10.13.2)
 
Sorry to be rude, but your logic doesn't work.

Right. :rolleyes:

If someone is able to discover a security issue, it's proof that the issue can be found.

It took 30+ years to find this one. I'd call that pretty damn hard to find. Telling everyone where and how to find it makes it just a TINY BIT easier for criminals to find it world wide. What do you think every hacker on the planet that wants to create malware is doing right now as a direct result of them publishing their find publicly??? Even if one or two other people (NSA or some foreign counterpart) knew about it before this, NOW every two bit criminal from here to Hong Kong knows about it thanks to publishing it publicly!

Assuming nobody else in the world ever found it is simply foolish.

That's NOT what I'm saying at all. I'm saying don't tell everyone else about it too! Your so-called logic is ridiculous. I'm saying keep the damn find private until fixes are available. Don't hand the information to every hacker and criminal on the planet by PUBLISHING THE TECHNICAL DATA. Hand it over quietly and privately to Intel, Apple and Microsoft and a few others that are responsible for the fix. Don't announce the defect to the whole damn planet (by publishing it) so as to enable hackers to find something they might have never found on their own. You and others apparently think it's a great idea to have "Free Information" even if it means the end of civilization. Some things should not be public knowledge, at least not until fixes are freely available and a new chip is ready to replace truly important computers. Instead, it's now a race to the bottom! I'm saying THAT is utterly UTTERLY STUPID!

What you can argue is that the information is not widespread, and on that I agree, but assuming it's simply not available in the wild is just foolish.

Keep using the word foolish as if that makes the things you're saying sound any less stupid to me.

There are ways to exploit it without leaving traces and those who likely discovered it to break into computer systems are also likely to do that in a way you cannot figure out.

What does that have to do with these guys telling every single criminal on the planet about this flaw??? You think there 'might' be someone that already knows about the flaw and so it's OK to tell EVERYONE about the flaw so hackers everywhere can race to make a malware kit and ransack computers before fixes can be made and released (IF they can be made in Spectre's case)??? That is what you're telling me....

This idea that somehow, some way, someone already knew about it, exploited it and is secretly holding every computer on the planet hostage is a load of horse crap! Even IF they were true, that doesn't mean we now want every two-bit hacker to create their own malware kits!

I still don't see fixes from Apple and others. Firefox is the only software I've seen include it so far (Chrome says they'll get to it towards the end of the month...maybe). Great! Good luck with that.

You are mistaken. The researchers did follow responsible disclosure:

Your idea of "responsible" disclosure leaves a lot to be desired. The thinking about most malware goes that if they tell everyone about it, people will be FORCED to do something about it plus some companies offer rewards for finding flaws. The problem here is that there's precious little to be done about Spectre and now it's a race to see if they even CAN do something about it short of replacing your entire computer and every device you own versus hackers by the hundreds or even thousands looking for a way, ANY way to exploit this to make MONEY from your misery!

But that's responsible to publicly publish the technical details so they can get started on those hacks immediately...right. :rolleyes:
 
High Sierra already performs like crud. Any more of a performance hit for my 4 year old Mac will definitely keep me from upgrading more than I was already convinced.
I just updated High Sierra with today’s patch and file transfer between external drives on my iMac is a lot faster
 
Spoke today to AppleCare on another matter and asked about plans to patch Sierra, whether any patches were in beta. I referenced that patch in Dec which for a brief moment folks here seemed to say that Sierra was included for Meltdown etc but then Apple removed the reference in notes to Sierra El Capitan on the patch. Advisor said only latest OS is worked on by Apple, didn’t seem to understand concept of security patches for earlier versions. Senior advisor had nothing to add although did say tech support is out of the loop. I miss olden days when company would understand that it’s not so simple to change OS versions every year for work purposes like it is on iOS devices.

I’m still clinging to hope as I think Intel is still trying to figure out how to patch so Apple may be waiting. If anyone has insight, would love to hear.
 
It seems that Microsoft is being more open about this issue than Apple. I'd really like to know if what you were told is indeed the official Apple position, that only the latest OS will be patched. It could be true due to (1) enough kernel differences between Sierra and High Sierra due to APFS such that the same patches won't work on both kernels, and (2) lack of 'bodies' in Apple's macOS dept. to modify two kernels. This might be what forces me back to the Windows+Linux world. At least then I won't care what Apple's position on headless desktop systems is.
 
InSpectre tool reports my Mac Pro is affected with Spectre when running under Windows 7, so Apple needs to release new firmware (EFI) again to make sure it's fully mitigated.

In terms of Meltdown fix - Windows 7 patches slowed down my processors up to 15% which is huge! You can clearly see this when running CPU-Z builtin benchmarks.
 
The only thing I've seen from Apple (running El Capitan here) is an update to Safari. I've seen nothing in the way of a system wide security patch since the threat was announced. Whether they did anything before that point is unknown.
 
I just used Apple's product feedback form to submit an inquiry regarding the status on the remaining Meltdown and Spectre patches for those of us not running High Sierra. I should probably hit the developer Bug Report page, too, but that thing is…antiquated-feeling enough that it's a bit of a slog to use, y'know?
 
Your idea of "responsible" disclosure leaves a lot to be desired. The thinking about most malware goes that if they tell everyone about it, people will be FORCED to do something about it plus some companies offer rewards for finding flaws. The problem here is that there's precious little to be done about Spectre and now it's a race to see if they even CAN do something about it short of replacing your entire computer and every device you own versus hackers by the hundreds or even thousands looking for a way, ANY way to exploit this to make MONEY from your misery!
You don't even know what you are talking about: responsible disclosure is not "my idea", there are actually guidelines and policies, like this one:

Vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure.

If you wonder why they do that, read the document.

Furthermore, this case was handled much more carefully: it was not my idea to release the information at the given date, nor the researchers' idea, it was Intel's idea, together with the other vendors involved. They received the information confidentially in July 2017 and planned the announcement, so I don't see how the researchers can be held responsible for anything at all. The vendors had 6 months to prepare for the disclosure and they decided this timeframe themselves. If you expected them to wait until all affected devices are not in use anymore you are completely delusional.

You know nothing about security and your misguided ideas about disclosure are naive at best, dangerous at worst.
 
Security Update 2018-001 for OS X 10.11.6 'El Capitan'/Security Update 2018-001 for macOS Sierra patches at least Meltdown (CVE-2017-5754 is mentioned explicitly,) but there isn't any mention of Spectre (or either of its CVE-IDs,) hopefully I know the Safari patch from 11.0.2 took care of one of the latter, but maybe 11.0.3 (or this Security Update, which is more likely, I think, since only one of Spectre's sub-CVE-IDs was exploitable in-browser, AFAICR) deals with the other one…? IDK…
 