Intel Memory Access Design Flaw Already Addressed by Apple in macOS 10.13.2

[aliensporebomb]

Makes one long for the PowerMac days eh?

 

[djlythium]

Essentially, the vulnerability resides in Intel Processors ability to 'speculate' as to what code needs to be executed next, and execute it in advance so that it is cached and ready for the real execution. The vulnerability allows for the security context of that code execution to escalate from user land (referred to as ring 3) to kernel land (referred to as ring 0). The significance is that the Kernel memory houses sensitive information on the system that, once read, can be leveraged to escalate privileges. Double mapping adds an additional buffer between the kernel and user, which mitigates but doesn't completely solve the vulnerability. That is why additional 'tweaks' are necessary in 10.13.3.

Thanks!

 

[B4U]

I am still on Yosemite...
Is the issue gonna hit me too?

 

[Seret6]

Please anyone tell me how can I get the wallpapers shown on the iDevices in the story?

 

[cmaier]

I am still on Yosemite...
Is the issue gonna hit me too?

You will be vulnerable to the bug.

 

[Macbookprodude]

Maybe this explains why I am able to put 16GB PC3-8500 in my 2010 17 inch core i5.

 

[Seret6]

How can we download the wallpapers shown on the devices above?

 

[oldguy]

My plan is a bit different than most of you. I'll get a new battery in November 2018 for my iPhone 7, upgrade to a new iPhone for myself and give the old iPhone 7 (with the new battery) to somebody worthy. Easy decision.

 

[Westside guy]

But wtf, no update for Sierra & El Cap at least?

I'm certain they did patch this in both other OSes, just like they always have with every other security patch (e.g. the recent KRACK patches). But generally they don't spend much time talking about the older OSes - you only find out by reading the security release notes.

 

[pika2000]

In my opinion Apple is having some issue with transparency. Why not addressing fixes like this or actions like the battery management more openly? Many things might be good decisions or actions from a content perspective, but not well explained in the first place.

Blame Intel. Apple was probably under NDA, but they decided to release the patch as soon as they can.

 

[JosephAW]

What about my iMac running Snow Leopard and my G5 running Leopard?

 

[Spectrum]

Am I correct in reading that the flaw was patched in these security updates (for El Cap, Sierra and HSierra)?:
https://support.apple.com/en-gb/HT208331

Or were these other, unrelated, patches?

---

Quoted from that page:

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13862: Apple

CVE-2017-13867: Ian Beer of Google Project Zero

Entry updated December 21, 2017

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2017-13833: Brandon Azad

Kernel

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13876: Ian Beer of Google Project Zero

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: A type confusion issue was addressed with improved memory handling.

CVE-2017-13855: Jann Horn of Google Project Zero

Kernel

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13865: Ian Beer of Google Project Zero

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2017-13868: Brandon Azad

CVE-2017-13869: Jann Horn of Google Project Zero

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.

CVE-2017-7154: Jann Horn of Google Project Zero

Entry added December 21, 2017

 

[logicstudiouser]

What about El Capitan and Sierra?

apple.com/feedback

 

[MacBH928]

I have an older mac that I still use and its on 10.9 Mavericks... I need it for something important and I can not update it. Will it get a security patch?

My newer macbook also still running 10.12 and I have my reasons not to upgrade yet...

 

[unfletch]

Am I correct in reading that the flaw was patched in these security updates (for El Cap, Sierra and HSierra)?:
https://support.apple.com/en-gb/HT208331

Or were these other, unrelated, patches?

--

Quoted from that page:

CVE-2017-13862: Apple
CVE-2017-13867: Ian Beer of Google Project Zero
CVE-2017-13833: Brandon Azad
CVE-2017-13876: Ian Beer of Google Project Zero
CVE-2017-13855: Jann Horn of Google Project Zero
CVE-2017-13865: Ian Beer of Google Project Zero
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero
CVE-2017-7154: Jann Horn of Google Project Zero

They're similar bugs (many even from the same researcher: Jann Horn), but they are not the bugs being discussed today. These are the CVE IDs for the new vulnerabilities, and none are mentioned in that support document as of now:

• CVE-2017-5754 (for "Meltdown")
• CVE-2017-5753 and CVE-2017-5715 (for "Spectre")

(Note that Apple's products may not be vulnerable to all three of those, but we do know they're vulnerable to at least one of them.)

Apple does sometimes update support pages like that one later with additional details, once public disclosure dates have passed, so it could be that the security update did include patches for these CVEs even if they're not listed there yet. (They've already done that on this page for unrelated updates, listing some more fixes on 12/21.)

The disclosure date for these bugs was supposed to have been January 9, but details leaked early. It might be that Apple would have updated that support page on the 9th to mention the other patches. Given details have leaked, I'd expect them to update it ASAP now if those CVEs were patched.

 

[gazonk]

I have an older mac that I still use and its on 10.9 Mavericks... I need it for something important and I can not update it. Will it get a security patch?

Recent security patches have been for El Capitan and newer only. I don't know how old your mac is, but just today I updated an old mac to El Capitan (the latest OS that supports that old iMac).

 

[Solomani]

I'd still replace my battery just to be sure

Do you has $29?

 

[dhess34]

They're similar bugs (many even from the same researcher: Jann Horn), but they are not the bugs being discussed today. These are the CVE IDs for the new vulnerabilities, and none are mentioned in that support document as of now:

• CVE-2017-5754 (for "Meltdown")
• CVE-2017-5753 and CVE-2017-5715 (for "Spectre")

(Note that Apple's products may not be vulnerable to all three of those, but we do know they're vulnerable to at least one of them.)

Apple does sometimes update support pages like that one later with additional details, once public disclosure dates have passed, so it could be that the security update did include patches for these CVEs even if they're not listed there yet. (They've already done that on this page for unrelated updates, listing some more fixes on 12/21.)

The disclosure date for these bugs was supposed to have been January 9, but details leaked early. It might be that Apple would have updated that support page on the 9th to mention the other patches. Given details have leaked, I'd expect them to update it ASAP now if those CVEs were patched.

Came here to post this ^ The CVE’s listed on Apple’s latest security patch aren’t the exact one’s listed by Google, and the descriptions are also different. Unless Apple explicitly states that the last patch did indeed help mitigate Meltdown/Spectre issues, my organization’s treating this as ‘unpatched’ on Macs.

 

[velum]

Exactly, sorry I forgot about those. Yes, VMs are actually the most hardest hit. For OS X users, that'd be running Fusion or Parallels.

It would be interesting to perform benchmark tests on Windows VM's running in Parallels and VMware on a Mac before and after the OS is updated with the patch.

 

[jav6454]

It would be interesting to perform benchmark tests on Windows VM's running in Parallels and VMware on a Mac before and after the OS is updated with the patch.

The first patch has been enabled. However, you need to fully patch Meltdown and Spectre in order to properly asses performance loss.

 

[NielsO]

What’s the wallpapers they used in that picture?

Yeah I'm really curious too! Can someone verify the wallpaper? I know its not the topic.

 

[katbel]

What about El Capitan and Sierra?

Yes, it was fixed (at least partially, read the full document to have more infos)
on Dec 6th as you can read here
https://support.apple.com/en-us/HT208331

P.s. Sorry it was already posted , I saw it just now
Better two than none..... I don't know how to delete it this post

 

[dhess34]

Yes, it was fixed (at least partially, read the full document to have more infos)
on Dec 6th as you can read here
https://support.apple.com/en-us/HT208331

P.s. Sorry it was already posted , I saw it just now
Better two than none..... I don't know how to delete it this post

There’s no evidence that says 10.11 & 10.12 have been patches. The CVE’s/descriptions in Apple’s patch notes don’t align with the CVE’s/descriptions in Google’s post. Every page I’ve investigated that claims it’s been patched has either pointed to the aforementioned patch notes, or literally say ‘an anonymous source said’...

Furthering my skepticism, back when it occurred, Apple directly stated that they’d addressed the major security flaw known as ‘Shellshock’, so there’s precedent of Apple directly saying ‘this issue’s fixed’.

Granted, Apple may come out and say that patch in question DID mitigate (most of) the Meltdown risk, but I’d be wary of counting your systems as patched until we get a definitive answer.

 

[iamasmith]

Came here to post this ^ The CVE’s listed on Apple’s latest security patch aren’t the exact one’s listed by Google, and the descriptions are also different. Unless Apple explicitly states that the last patch did indeed help mitigate Meltdown/Spectre issues, my organization’s treating this as ‘unpatched’ on Macs.

Quite, my thoughts exactly after tracking down each source of a claimed fix to that single Tweet claiming that Apple had fixed the problem.

The Kernel changes quoted seemed to match the existing stated CVEs and may or may not impact Spectre or Meltdown at all.

I'm assuming nothing until there's a proper statement from Apple.

 

[Spectrum]

Quite, my thoughts exactly after tracking down each source of a claimed fix to that single Tweet claiming that Apple had fixed the problem.

The Kernel changes quoted seemed to match the existing stated CVEs and may or may not impact Spectre or Meltdown at all.

I'm assuming nothing until there's a proper statement from Apple.

The question is...why are Apple being so slow to officially announce this is fixed?
...unless it isn't...