Meltdown and Spectre
Michael Simon reveals why you shouldn’t panic
By now you will have heard about the Spectre and Meltdown CPU flaws, but you might not fully understand what the issue is and how you can protect yourself against the risks. We’re here to help. Here’s how these vulnerabilities affect your Apple devices and what you can so to keep them safe.
Meltdown and Spectre FAQ
What is the issue here? There are three separate potential security issues at play here, one named Meltdown and two named Spectre. They all take advantage of something called speculative execution. Basically, modern CPUs try to
speed things up by taking educated guesses to predict what the next operation will be, and will go so far as to execute them ahead of time. If the prediction is correct, the CPU has an answer all ready to go. If it’s incorrect, the ‘speculative execution’ is removed. The whole process is nearly instantaneous and should be invisible to the software and operating system. The Meltdown and Spectre bugs allow hackers to read and access this information in the OS kernel memory by taking advantage of the delay in its rollback.
What devices do they effect?
In a nutshell, all of them. If you have a PowerMac G5 or an iPhone 3GS, you’re probably okay, but all modern Macs and iOS devices are affected. While Meltdown mainly affects Intel-based Macs and PCs, in Apple’s case it also affects iOS devices. Spectre affects all iOS, macOS, and tvOS. WatchOS is unaffected by the Meltdown and Spectre flaws.
What’s Apple doing to fix it?
Well, there isn’t really a real fix. These exploits rely on flaws baked right into the very design of the CPUs themselves. The best Apple or anyone can do is mitigate the risk, and Apple is already taking steps to do so. In December, Apple released macOS 10.13.2, iOS 11.2, and tvOS 11.2 with mitigations to lessen the risk, and iOS 11.2.2 also “includes security improvements to Safari and WebKit to mitigate the effects of Spectre”. Additionally, Safari 11.0.2 includes mitigations against Spectre on macOS. Apple says more mitigations are on the way.
What about older operating systems?
It’s unclear from Apple’s statement, but presumably it will issue security updates to address the issue, as evidenced by this support page ( fave.co/2CU8R1H). If you have a system new enough to run macOS High Sierra and iOS 11, your best bet is to update. If you have an older system for which those OSes are not supported, you don’t have any choice but to hold tight.
Will my device be affected?
It’s too early to say, but Apple assured users that there won’t be any noticeable performance impact. It says it ran the December update through Geekbench, Speedometer, JetStream, and ARES-6 and saw “no measurable reduction in the performance of macOS and iOS”. Additionally, it has tested its Safari mitigations with the similar results, including an impact of less than 2.5 percent using the JetStream benchmark.
How can I protect my device from attack?
Update your operating system This is the obvious answer, but it’s also the best one. As we said, there is no real fix for Meltdown or Spectre, just ways to make exploits harder to pull off. Apple has already begun taking steps to protect users, but they will only be effective if they’re installed.
So, if you can update your Mac and iOS device to High Sierra and iOS 11, respectively, do so. Apple has squashed many of the early bugs and the latest versions are running smoothly, so if you want the best protection from Meltdown and Spectre, the latest version of the latest OSes are the best way to do it.
Update Safari, Firefox, and Chrome
Apart from macOS, iOS, and tvOS, Apple is also updating Safari to address a possible JavaScript exploit of the Spectre flaw. This will be arriving soon, so check the updates tab in the App Store app to install it once it arrives. Firefox 57.0.4 adds protections to that browser, and Chrome 64 (to be released on 23 January) will do the same for Google’s browser. In the meantime, an optional feature called Site Isolation can help reduce risk in Chrome.
Don’t download apps from untrusted developers
Hackers can’t get into your system unless you let them in, so be mindful of where your apps are coming from, especially in the Mac. Obviously, the Mac App Store is the safest way to download apps, but there are a number of legitimate developers that offer apps
outside Apple’s store. Most of them are safe to install, but you should do some research before hitting the download button. macOS already users by default when launching apps from unidentified developers, so pay attention to any prompts you get when opening an app for the first time. Stay vigilant As Apple says, the risk to users is fairly low, but the scale here is massive. With hundreds of million vulnerable devices, hackers are going to be working overtime to exploit these flaws, so be aware of a anything amiss with your device or accounts, and take the appropriate action if necessary.