Those are pretty aggressive vulnerabilities! Glad they got patched, I'll have to check the old family computer to get the patch. She's a 2010 iMac so I don't have High Sierra because I'm concerned it will cripple it.
 
I thought Spectre had no effective mitigation. I wonder what they are adding to Safari to protect against it?
As far as I understand it, Spectre (and possibly Meltdown as well) depends on accurate timing information, so they have reduced the precision of the JavaScript time call. Maybe Apple have done the same with Safari? That would at least stop a JavaScript attack.
 
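The timer-precision idea raised in the post above, as an added example that is not part of the thread and not Safari's or any browser's code: it models a clock rounded to a coarser granularity and counts how often two short operations still produce different readings. The granularities, the 50 ns and 200 ns durations and the start times are constructed assumptions.

```javascript
// Added illustration, not code from Safari or any browser.
// All times are integer nanoseconds so the arithmetic is exact.

// Round a raw timestamp down to the clock's granularity, the way a
// reduced-precision timer hides the low-order digits from a script.
function coarsen(rawNs, granularityNs) {
  return Math.floor(rawNs / granularityNs) * granularityNs;
}

// What a script would compute as "elapsed time" for an operation that
// really took durationNs, starting at startNs, using the coarsened clock.
function observedElapsed(startNs, durationNs, granularityNs) {
  return coarsen(startNs + durationNs, granularityNs) -
         coarsen(startNs, granularityNs);
}

// Fraction of trials in which two operations of different real duration
// produce different readings. 1 = always distinguishable, 0 = never.
function distinguishableFraction(fastNs, slowNs, granularityNs, starts) {
  let differing = 0;
  for (const s of starts) {
    if (observedElapsed(s, fastNs, granularityNs) !==
        observedElapsed(s, slowNs, granularityNs)) {
      differing++;
    }
  }
  return differing / starts.length;
}

// Constructed sample input: 10,000 start times spread over about 79 ms,
// and two assumed durations standing in for a fast and a slow operation.
const STARTS = Array.from({ length: 10000 }, (_, i) => i * 7919);
const FAST_NS = 50;
const SLOW_NS = 200;

// Compare a 1 ns, a 1 microsecond and a 1 ms clock (assumed values).
function report() {
  return [1, 1000, 1000000].map((g) => ({
    granularityNs: g,
    fraction: distinguishableFraction(FAST_NS, SLOW_NS, g, STARTS),
  }));
}

console.log(report());
```

The coarser the clock, the smaller the share of readings that differ, but the share does not reach zero, which matches the article's note that further Spectre mitigations are still being tested.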
In 2018, it’s pretty clear we require internet enabled computer technology to survive (or at least to have a chance to thrive). When will consumers have the guts to elect government officials who will regulate the industry accordingly?

There is no question the astronomical profits generated by internet related tech over the last 25 years have caused many to look the other way on vulnerabilities in an effort to get products to market. Pardon my cynicism, but it’s hard not to think of this as a possibility right now given the market dominance of Intel.

Apple’s guilty too. In addition to their own apparent design blunders and security lapses recently, they still won’t allow updates via wifi, which leaves us vulnerable or forces us to pay an ISP even though our mobile connections often achieve double base broadband speeds.

Equifax negligence, Amazon hegemony, Comcast anti-neutrality... We’re losing our money, freedom and our very identities to further enrich the already filthy rich - and we have no choice but to pay.

The consumer Internet hasn’t been a luxury or a toy for at least 15 years now. It’s necessary for survival. It’s time we stood up against tech providers that are doing nothing more than extorting their vast riches from an increasingly desperate population, and hold them accountable - if not for prices, at least for security.
 
Just downgraded back to Sierra, because High Sierra was anything but High (Performance). Man, did I regret the upgrade.. And now I'm not reading anything about older macOS versions being updated, what's up with that? Is Apple telling us that a one year old OS isn't supported anymore? That's ridiculous!

Yeah I've downgraded both my laptop and desktop to Sierra and have no plans to upgrade either beyond that. Processor bug or not. I'd rather live with it than the crappy performance of High Sierra.
 
I am still running 10.9 and iOS 10 and I cannot currently upgrade for many different reasons... not to mention 10.12 on my newer MacBook Pro. I really feel they should release a security patch for this. It will cost them nothing and saves everyone unable to upgrade big time...

Can someone tell me how worried should I be?
 
Everyone is like "Apple should switch to AMD." Ryzen builds that I have diagnosed because of issues are horrible. Apple should stick to Intel and that's it until AMD fixes the issues with their processors. AMD processors are just as affected as Intel with the Spectre flaw.

These flaws are the primary reason why some of my Computer Science professors hate Intel, AMD, and ARM CPU designs.
 
Good on Apple for creating fixes for future software updates. But will they create fixes for older versions of macOS?
 
No they are not. Because they can be fixed in software (with a small performance hit). So like before, if you don't update you are vulnerable, if you update you aren't.

This is not to be inflammatory but “small” is a relative term.

For those people who use their Mac computers very little or those who use their Mac computers for tasks that do not use IO much then yes it may be “small”.

However if you are one that uses your Mac for video editing/encoding, photo editing, 3D, etc. or tasks that access storage much such as DB or if you are using virtual machines then the “fix” could be a significant hit to your productivity and livelihood.

30% does not seem “small” to me. Imagine if your business had 10 Macs used for video production work. With the “fix” that 30% penalty would be multiplied by 10.

What if this issue dealt with a pair of sunglasses? Company advertises glasses that block 100% UVA / UVB. You drop $300 for a pair. Six months later you find out they leak both UVA / UVB. Company says we can “fix” the problem by applying a coating to the surface of the lenses. The coating however will reduce your vision by 30%. I forgot to mention that the company knew 6 months before you bought the glasses that the glasses leaked UVA/UVB.

Not a “fix” that I find very acceptable.

Will Apple or other computer manufacturers offer a 30% refund? Will they offer to buy back your purchase and refund your money?

Whatever happened to Volkswagen when they were caught in their emissions debacle?

When did Intel know? When did Apple know?
 
It's interesting to see how the Linux/Windows manufacturers are putting out patches that degrade performance in hopes you'll buy a new machine.

Apple chooses to do little, because they don't have anything new to sell.

Thanks Timmy "Gil Amelio" Cook!
Keep those bonuses coming!
 
I am still running 10.9 and iOS 10 and I cannot currently upgrade for many different reasons... not to mention 10.12 on my newer MacBook Pro. I really feel they should release a security patch for this. It will cost them nothing and saves everyone unable to upgrade big time...

Can someone tell me how worried should I be?
Worry is a waste of time and energy. Use that energy to rally the troops to initiate a recall or a refund.

This is a real problem that extends beyond this particular security threat.

When did Apple know? Did Apple keep selling systems long after they knew without implementing the “fix” knowing there would be performance hits?

Could this be another Volkswagen emissions debacle?
 
Worry is a waste of time and energy. Use that energy to rally the troops to initiate a recall or a refund.

This is a real problem that extends beyond this particular security threat.

When did Apple know? Did Apple keep selling systems long after they knew without implementing the “fix” knowing there would be performance hits?

Could this be another Volkswagen emissions debacle?

Of course they did...
 
Everyone is like "Apple should switch to AMD." Ryzen builds that I have diagnosed because of issues are horrible. Apple should stick to Intel and that's it until AMD fixes the issues with their processors. AMD processors are just as affected as Intel with the Spectre flaw.

These flaws are the primary reason why some of my Computer Science professors hate Intel, AMD, and ARM CPU designs.

Well it's probably safest to hate everything. "This sucks, I'm going back to my Commodore 64!" There's no curmudgeon like an old school curmudgeon.

Ahem.

Here's the thing: I understand this is basically in concept at the time - someone told me that there's no existing exploit but a bad actor could use JavaScript to inject an exploit.

In practice, reading 32 gigs of some random person's system memory over a 5 megabit DSL line or 15 megabit cable line (about average for high speed internet locally) would be a really slow and ineffective way of hacking a system by reading the entire contents of memory.

Let's hope that this is more boogeyman than actual threat since someone would have to write an app to target specific locations of memory where "interesting" things hide.
 
Where are the Apple cheerleaders who were chastising Intel for this hardware flaw?

It's pretty clear Apple processors are affected as well. Where's the chastising now for Apple?

They’re parading around in the living rooms carrying signs Apple already fixed it.
Yet not asking themselves how did Apple fix something in previous OS versions if it was just publicized a couple days ago.

Then there’s the other question of how effective is the patch.

Every day more details are coming to light that this is a serious industry wide issue.
 
So Apple has patched High Sierra 10.13.2. Great news except for those of us still on Sierra either because we cannot migrate or because High Sierra still feels like it's in beta.
 
So Apple has patched High Sierra 10.13.2. Great news except for those of us still on Sierra either because we cannot migrate or because High Sierra still feels like it's in beta.
They patched Sierra, too. Go look at the retroactively updated security notes for the last release.
 



Apple today confirmed that it has addressed the recent "Meltdown" vulnerability in previously released iOS 11.2, macOS 10.13.2, and tvOS 11.2 updates, with additional fixes coming to Safari in the near future to defend against the "Spectre" vulnerability.

Apple has also confirmed that the two vulnerabilities affect all Mac and iOS devices. The company's full statement, available through a new support document covering Meltdown and Spectre, is below:

Apple's statement does not make it clear if these vulnerabilities have been addressed in older versions of iOS and Mac, but for Macs, there were security updates for older versions of macOS released alongside macOS 10.13.2, so it's possible fixes are already available for Sierra and El Capitan.

News of the Spectre and Meltdown vulnerabilities first came to light this week, but Intel and major operating system vendors like Apple, Linux, and Microsoft have known about the issue for several months and worked to prepare a fix before the security flaws were publicly shared.

Spectre and Meltdown are serious vulnerabilities that take advantage of the speculative execution mechanism of a CPU. As these use hardware-based flaws, operating system manufacturers are required to implement software workarounds. These software workarounds can impact processor performance, but Intel has insisted everyday users will not see serious slowdowns. Apple also says that no measurable impact has been detected in macOS and iOS.

The Meltdown vulnerability allows a malicious program to read kernel memory, accessing data like passwords, emails, documents, photos, and more. Meltdown can be exploited to read the entire physical memory of a target machine. The vulnerability is particularly problematic for cloud-based services.

Spectre, which covers two exploitation techniques, breaks the isolation between different applications. Apple says that while the Spectre vulnerability is difficult to exploit, it can be done using JavaScript in a web browser. Apple plans to release Safari updates for macOS and iOS to prevent Spectre-based exploits.

As with the Meltdown vulnerability, Apple says the upcoming Safari mitigations will have "no measurable impact" on Speedometer and ARES-6 tests, and an impact of less than 2.5% on the JetStream benchmark.

Apple says it will continue to test further mitigations for Spectre and will release them in future versions of iOS, macOS, tvOS, and watchOS.

Article Link: Apple Confirms 'Meltdown' and 'Spectre' Vulnerabilities Impact All Macs and iOS Devices, Some Fixes Already Released
Anyone know where to find those wallpapers?
 
I am still running 10.9 and iOS 10 and I cannot currently upgrade for many different reasons... not to mention 10.12 on my newer MacBook Pro. I really feel they should release a security patch for this. It will cost them nothing and saves everyone unable to upgrade big time...

Can someone tell me how worried should I be?
OS X 10.9 Mavericks is now outside of the support windows, as it appears OS X 10.10 Yosemite is as well. One of my Macs is a 24" Early 2008 iMac and, although supported by Apple at the moment as it runs OS X 10.11 El Capitan, it cannot officially run any release beyond that. Therefore, once El Capitan reaches end of life, it will be left wide open to such vulnerabilities, at which time it may be worth me considering creating a Linux partition for carrying out sensitive work such as online banking.
 
This could be a weird question but how does this affect router security? No one seems to be talking about that as far as I can tell. Doesn't the Airport Extreme and a few others use ARM chips? Since you can't install custom software I'm guessing it's a moot point for most routers.
 
Technically "Apple CPUs" are not made by Apple. They are ARM chips designed by TSMC and Samsung and are affected by both Meltdown and Spectre.
 