Intel Says New Software Updates Make Computers 'Immune' to Meltdown and Spectre Vulnerabilities

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jan 4, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    Intel today announced that the firmware updates and software patches that are being released for its CPUs render Intel-based computer systems "immune" to both the Spectre and Meltdown exploits that were widely publicized this week.
    Intel says updates have been issued for the majority of Intel processor products introduced within the past five years, and by the end of next week, more than 90 percent of processor products from the last five years will be patched.

    For Mac users, Apple has already addressed some of the vulnerabilities in the macOS High Sierra 10.13.2 update, and further updates will come in macOS High Sierra 10.13.3. To make sure you're protected as a Mac user, install all of the latest operating system updates and firmware patches. As always, it's also worth avoiding suspicious programs, websites, and links.

    Intel today also reiterated that the updates that are being released for Mac, PC, and Linux machines should not significantly impact day to day usage and should, for the most part, be unnoticeable. That seems to be true of the macOS High Sierra 10.13.2 update, as there have been no reports of slowdowns from Mac users.
    While hints of an Intel CPU design flaw and security vulnerability surfaced on Tuesday, it wasn't until Wednesday that full details were shared on the Meltdown and Spectre exploits, which take advantage of the speculative execution mechanism of a CPU.

    Meltdown impacts Intel CPUs, allowing a malicious program to access data from the memory of running apps, providing passwords, emails, documents, photos, and more. Meltdown can be exploited to read the entire physical memory of a target machine, and it can be done through something as simple as a website. The vulnerability is particularly problematic for cloud-based services.

    Spectre, which breaks the isolation between different applications, is a wider hardware-based problem impacting all modern Intel, ARM, and AMD processors. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

    While patches are going out that appear to prevent the current known Meltdown and Spectre exploits, these speculative execution vulnerabilities will continue to be a problem for years to come, according to security researchers. Similar vulnerabilities will surface, and while performance impacts from software-based workarounds are minor, they're still present.

    Paul Kocher, one of the security researchers who helped discover the flaws, told The New York Times that this will be a "festering problem over hardware life cycles." "It's not going to change tomorrow or the day after," he said. "It's going to take awhile."

     
  2. unashamedgeek macrumors regular

    unashamedgeek

    Joined:
    Sep 21, 2012
    #2
    I'm pretty sure that so far they have only worked to patch Meltdown. My system is up to date and the Spectre PoC released by Google still works on my MacBook Pro.
     
  3. jclo Editor

    jclo

    Staff Member

    Joined:
    Dec 7, 2012
    Location:
    California
    #3
    Another instance where I really wish Apple would provide us with some clarification and additional information.
     
  4. vertical smile macrumors 68030

    vertical smile

    Joined:
    Sep 23, 2014
    #4
    But then I would have to update to High Sierra..... What to do.......
     
  5. EdwardC macrumors regular

    EdwardC

    Joined:
    Jun 3, 2012
    Location:
    Georgia
    #5
  6. alex00100 macrumors 6502

    Joined:
    Mar 17, 2011
    Location:
    Moscow, Russia
    #6
    I’m really curious to see some benchmarks of before and after. Gladly with this amount of people with too much free time on websites such as this I can be confident there will be plenty soon.
     
  7. vertical smile macrumors 68030

    vertical smile

    Joined:
    Sep 23, 2014
    #7
  8. WannaGoMac macrumors 68020

    WannaGoMac

    Joined:
    Feb 11, 2007
    #8
    Wait for the Sierra update. Apple supposedly supports Sierra still...
     
  9. OldSchoolMacGuy Suspended

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #9
    Getting blown into a much bigger deal than it is.
     
  10. polbit macrumors 6502

    polbit

    Joined:
    Sep 18, 2002
    Location:
    South Carolina
    #10
    Do we actually have an official statement from Apple regarding this, or is all the "MacOS has addressed this" based on a developer statement?
     
  11. ctbaz macrumors regular

    Joined:
    Aug 20, 2014
    #11
    That's what it is looking like.
     
  12. JRobinsonJr macrumors 6502a

    Joined:
    Aug 20, 2015
    Location:
    Arlington, Texas
    #12
    With cu processor complexity this type of thing is inevitable. Nothing will ever be immune from these vulnerabilities.

    That said, it is also exactly why everything - hardware, software and everything in between - should occasionally go 'back to the drawing board' for a sanity check.
     
  13. unashamedgeek, Jan 4, 2018
    Last edited: Jan 4, 2018

    unashamedgeek macrumors regular

    unashamedgeek

    Joined:
    Sep 21, 2012
    #13
    I think that is going to depend on your definition of a "big deal". I know this is going to be a big deal in my world of pen testing for some time to come as exploits get released. Being able to jump from ring 3 to ring 0 is the main goal once gaining a foothold on a system. Additionally, Mozilla has stated they have proven that a browser can be used to exploit these so if XSS can be used to pull memory contents, I'm going to have some fun engagements coming up.

    EDIT: I forgot to even discuss the potential issues with host and guest systems. Popping a guest OS and being able to access memory on the host, now we're really talking full compromise.
     
  14. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #14
    However, if you are running any kind of significant workload that accesses the kernel frequently, such as frequent I/O requests used in database applications, then the impact is actually quite severe. People have seen their cloud services go to crap as the providers apply the patches.

    I get that most day to day users may not care about this on their desktops, but step back and think about this a minute. You have a potentially 20-30% CPU performance hit on the cloud. That means that in order to achieve the same performance this week as they did last week, cloud computing providers will have to bump their capacity by potentially 20-30%. Along with that comes more power demands which renewable sources may or may not be able to meet...

    Some of you are saying "this is getting blown out of proportion." I say the impacts of this are just starting to be felt.
     
  15. JLL macrumors regular

    Joined:
    Apr 25, 2003
    Location:
    Copenhagen, Denmark
    #15
    10.13.2 and the security updates for ElCap and Sierra released the same day had the same fixes.

    Apple issues security updates for the current OS plus the two previous OSes.
     
  16. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #16
    Good find. It does look like the mitigations put into 10.13.2 were backported to the security updates of 10.12 and 10.11.
     
  17. MrGuder macrumors 68030

    Joined:
    Nov 30, 2012
  18. Number 9 macrumors newbie

    Joined:
    Mar 1, 2011
    Location:
    London
    #18
    Intel says the fix “is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.” To me this says that people who rely on the performance of their machines and bought the best performance available are indeed going to take a performance hit and maybe even the 30% being bandied about. That is, for those involved, shocking! The bit about it being mitigated over time puts the solution on software developers to develop workarounds.
     
  19. crazy dave, Jan 4, 2018
    Last edited: Jan 4, 2018

    crazy dave macrumors regular

    Joined:
    Sep 9, 2010
    #19
    If I'm reading the below link right ...

    ... then Sierra and El Cap should both already have the Meltdown fix along with High Sierra. But there may be other similar issues that those fixes were meant to address ... (though the descriptions are very close to Meltdown)

    =======================

    I'm intrigued that Intel is claiming that they have also made themselves immune to Spectre as well. I was under the impression from the initial reports that doing so wasn't truly possible in firmware/software. As pointed out by other users, Apple's current fixes appear to be only for Meltdown.
     
  20. Nermal Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #20
    The "possibly" is a keyword here; "Meltdown" is CVE-2017-5754 which isn't listed on that page.

    This does not necessarily mean that it's not fixed - Intel requested that details were not disclosed so Apple may have snuck in a fix without documenting it.
     
  21. kemal macrumors 65816

    kemal

    Joined:
    Dec 21, 2001
    Location:
    Nebraska
    #21
    [10.11, 10.12 not protected against Meltdown? POSSIBLY NOT means are protected.]

    CVE-2017-13855 =? CVE-2017-5754

    If yes, 10.11 and 10.12 ARE protected. Apple please clarify!
     
  22. leman macrumors G3

    Joined:
    Oct 14, 2008
    #23
    Well, the spectre attack certainly works for me on the latest 10.13.3 beta...
     
  23. MacTiki macrumors member

    Joined:
    Nov 17, 2008
    #24
    Would really like to know if this is going to be addressed for 10.11.6.

    The December update may or may not have “fixed” this issue.

    Looking over the info regarding the update, I noticed that several updates were left out of the 10.11.6 update.

    For example:

    Kernel

    Available for: macOS High Sierra 10.13.1

    Impact: An application may be able to read restricted memory

    Description: A validation issue was addressed with improved input sanitization.

    CVE-2017-13865: Ian Beer of Google Project Zero


    Kernel

    Available for: macOS High Sierra 10.13.1

    Impact: An application may be able to execute arbitrary code with kernel privileges

    Description: A memory corruption issue was addressed with improved memory handling.

    CVE-2017-13876: Ian Beer of Google Project Zero
    --- Post Merged, Jan 4, 2018 ---
    Possibly.
     
  24. petsounds macrumors 65816

    Joined:
    Jun 30, 2007
    #25
    Seems like an attempt at damage control to me, coming from the same CEO who dumped all the stock he was legally allowed to sell off late last year.
     
