Strange that Apple would release a Meltdown security update for Sierra and El Cap, but not release one for Spectre on those systems. That's going to leave a lot of people more vulnerable who aren't able or don't want to upgrade to High Sierra. Hopefully updates for 10.11 and 10.12 are coming.
Safari on those versions has been updated…
 
. . . .

Since this update was just to Safari / WebKit, you would think that the kernel wouldn't need an update, which makes me wonder what else they snuck in.

We are all too stupid to have access to that information. After all any computer you buy is still Apple's and they will do as they damn please.
 
The only references to 10.11 and 10.12 in this article are in reference to the separate Safari update, not a system-level update to patch the kernel. Also, I have an El Cap system right here and there's no security update, nor is one listed on Apple's support site.
Then you simply misunderstand the standard operating procedure for Apple in security patches. The current lead OS receives all updates for stock apps as this type of OS-level security update. All previous OSes get backported security fixes to individual applications. These issues are exactly the same, just one is on the lead OS and the other is for the previous. As mentioned in one of my previous comments, what is surprising is that the actual kernel was rebuilt for this - which indicates that there are more 'changes' (note that I did not use the word fix) than just incrementing Safari to version 11.0.2 to fix or mitigate the "Spectre" vulnerability.
 
Uh
Good news that Apple have released Safari fixes. I run OS X 10.11.6 El Capitan on an Early 2008 iMac and macOS 10.12.6 Sierra on a Late 2009 iMac.

What does stand out a mile, though, is that no fix has been released for those running OS X 10.10.5 Yosemite.

Once again Apple have abandoned a percentage of Mac users.
, there's a Safari update…
 
This High Sierra update patches the kernel.
I guess that explains why a patch that is only 143 MB download is taking as long as a full OS upgrade to apply. I have a quad i7 Mini (late 2012) with an SSD and it's been updating for 15 minutes. Clearly it's doing more than writing a few hundred megabytes of files.
 
Spectre isn't something patched at the kernel level. It's being done through the browser. Meltdown is a completely different deal which has already been but isn't the topic of discussion here.

SecuritySteve said on the first page that the kernel has been modified in this High Sierra update.

On High Sierra this is being delivered as a security update. On El Cap and Sierra there is simply an update to Safari, which I'm assuming did not patch the kernel.
 
FWIW, it's a hardware issue with Intel, not Apple. Windows & Linux are just as affected by this as Apple.
macOS High Sierra is not a hardware issue and is not on Windows & Linux.

Spectre and Meltdown are.

I'm referencing macOS High Sierra issues. I'm staying on Sierra.
Can you provide a specific list of these bugs and performance issues?
There are many videos on YouTube showing the issues. Final Cut Pro crashes, for example. UI glitches with Finder and more.
 
So the kernel in macOS 10.11.6 and 10.12.6 was not patched, right? Only Safari brought patches for Spectre on those OS... No Meltdown patch :(
 
macOS High Sierra is not a hardware issue and is not on Windows & Linux.

Spectre and Meltdown are.

I'm referencing macOS High Sierra issues. I'm staying on Sierra.
There are many videos on YouTube showing the issues. Final Cut Pro crashes, for example. UI glitches with Finder and more.

Fair enough, I shall search. If there is a comprehensive YouTube video, please post a link.
 
Good news that Apple have released Safari fixes. I run OS X 10.11.6 El Capitan on an Early 2008 iMac and macOS 10.12.6 Sierra on a Late 2009 iMac.

What does stand out a mile, though, is that no fix has been released for those running OS X 10.10.5 Yosemite.

Once again Apple have abandoned a percentage of Mac users.
Agreed. Since Apple can't throttle via battery on desktops, this is their way of getting you to buy new hardware.
 
The Meltdown fix was actually released back in early December for El Cap, Sierra, and High Sierra. Apple just didn't disclose it was fixed until after the threat was made public.

https://support.apple.com/en-us/HT208331

Search for Meltdown, and you'll find the details there.
No, Apple revised the document. The Meltdown patch only applies to 10.13.2.
Kernel

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to read kernel memory (Meltdown)

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)

Entry updated January 5, 2018
Also, a Meltdown update was released in December for El Cap, Sierra, and High Sierra prior to the public announcement about the exploit.
See my reply to the other response: Apple revised their document and only 10.13.2 is fixed against Meltdown at this time.
 
macOS High Sierra is not a hardware issue and is not on Windows & Linux.

Spectre and Meltdown are.

I'm referencing macOS High Sierra issues. I'm staying on Sierra.
Pardon my confusion; your post just made it sound like you thought that Spectre & Meltdown were another High Sierra bug. My mistake.
 
What about Safari Technology Preview, does it need to be updated separately?
 
Fair enough, I shall search. If there is a comprehensive YouTube video, please post a link.
This video about 3:30 onwards has some good stuff (the stuff prior to 3:30 is about the root bug)


Another example of a graphic glitch:
 
A Safari-based workaround? Please...

Seriously, we need an email campaign to Tim demanding to know where support for 10.11 and 10.12 went. Ever since the current piece of trash shipped, most security vulnerabilities remain unpatched. This is a radical reversal from Apple's long-standing policies, and the worst sign yet of Mac abandonment.
 
Interestingly ... this update appears to have updated the OS X kernel itself. Note the output of sw_vers on the command line pre and post update:

Pre:
ProductName: Mac OS X
ProductVersion: 10.13.2
BuildVersion: 17C88
Post:
ProductName: Mac OS X
ProductVersion: 10.13.2
BuildVersion: 17C205

Since this update was just to Safari / WebKit, you would think that the kernel wouldn't need an update, which makes me wonder what else they snuck in.
Exactly.

Is earlier macOS secure with Safari update alone? If so, I am guessing macOS High Sierra has more system level integration with WebKit.
 
Agreed. Since Apple can't throttle via battery on desktops, this is their way of getting you to buy new hardware.

That's such stupid thinking. Are 7+ year old PCs running Windows performing far better?

Any machine, from any manufacturer, is going to be well overdue for replacement after 7+ years.
 