Meltdown and Spectre

Michael Simon reveals why you shouldn’t panic

iPad&iPhone user

By now you will have heard about the Spectre and Meltdown CPU flaws, but you might not fully understand what the issue is and how you can protect yourself against the risks. We’re here to help. Here’s how these vulnerabilities affect your Apple devices and what you can do to keep them safe.

Meltdown and Spectre FAQ

What is the issue here?

There are three separate potential security issues at play here, one named Meltdown and two named Spectre. They all take advantage of something called speculative execution. Basically, modern CPUs try to speed things up by taking educated guesses to predict what the next operation will be, and will go so far as to execute them ahead of time. If the prediction is correct, the CPU has an answer all ready to go. If it’s incorrect, the ‘speculative execution’ is removed. The whole process is nearly instantaneous and should be invisible to the software and operating system. The Meltdown and Spectre bugs allow hackers to read and access this information in the OS kernel memory by taking advantage of the delay in its rollback.

What devices do they affect?

In a nutshell, all of them. If you have a PowerMac G5 or an iPhone 3GS, you’re probably okay, but all modern Macs and iOS devices are affected. While Meltdown mainly affects Intel-based Macs and PCs, in Apple’s case it also affects iOS devices. Spectre affects all iOS, macOS, and tvOS devices. WatchOS is unaffected by the Meltdown and Spectre flaws.

What’s Apple doing to fix it?

Well, there isn’t really a real fix. These exploits rely on flaws baked right into the very design of the CPUs themselves. The best Apple or anyone can do is mitigate the risk, and Apple is already taking steps to do so. In December, Apple released macOS 10.13.2, iOS 11.2, and tvOS 11.2 with mitigations to lessen the risk, and iOS 11.2.2 also “includes security improvements to Safari and WebKit to mitigate the effects of Spectre”. Additionally, Safari 11.0.2 includes mitigations against Spectre on macOS. Apple says more mitigations are on the way.

What about older operating systems?

It’s unclear from Apple’s statement, but presumably it will issue security updates to address the issue, as evidenced by this support page (fave.co/2CU8R1H). If you have a system new enough to run macOS High Sierra and iOS 11, your best bet is to update. If you have an older system for which those OSes are not supported, you don’t have any choice but to hold tight.

Will my device be affected?

It’s too early to say, but Apple assured users that there won’t be any noticeable performance impact. It says it ran the December update through Geekbench, Speedometer, JetStream, and ARES-6 and saw “no measurable reduction in the performance of macOS and iOS”. Additionally, it has tested its Safari mitigations with similar results, including an impact of less than 2.5 percent using the JetStream benchmark.

How can I protect my device from attack?

Update your operating system

This is the obvious answer, but it’s also the best one. As we said, there is no real fix for Meltdown or Spectre, just ways to make exploits harder to pull off. Apple has already begun taking steps to protect users, but they will only be effective if they’re installed.

So, if you can update your Mac and iOS device to High Sierra and iOS 11, respectively, do so. Apple has squashed many of the early bugs and the latest versions are running smoothly, so if you want the best protection from Meltdown and Spectre, the latest versions of the latest OSes are the best way to get it.

Update Safari, Firefox, and Chrome

Apart from macOS, iOS, and tvOS, Apple is also updating Safari to address a possible JavaScript exploit of the Spectre flaw. This will be arriving soon, so check the updates tab in the App Store app to install it once it arrives. Firefox 57.0.4 adds protections to that browser, and Chrome 64 (to be released on 23 January) will do the same for Google’s browser. In the meantime, an optional feature called Site Isolation can help reduce risk in Chrome.
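
An added example (not from the article or from Apple): a small Python audit that checks a device inventory against the minimum OS and browser versions the article names. The `host,product,version` inventory format and the sample rows are constructed, and iOS 11.2.2, the later of the two iOS releases mentioned, is assumed as the iOS baseline.

```python
# Added example: baselines are the versions quoted in the article.
BASELINES = {
    "macos": "10.13.2", "ios": "11.2.2", "tvos": "11.2",
    "safari": "11.0.2", "firefox": "57.0.4", "chrome": "64",
}

def parse_version(text):
    """'10.13.2' -> (10, 13, 2); numeric, so 10.13.10 ranks above 10.13.2."""
    pieces = text.strip().split(".")
    if not all(p.isdigit() for p in pieces):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in pieces)

def is_at_least(installed, baseline):
    """Compare after zero-padding, so '64.0.3282.119' satisfies '64'."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def audit(inventory_text):
    """Return (host, product, version, status) per 'host,product,version' line."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(","))
        baseline = BASELINES.get(product.lower())
        if baseline is None:
            status = "unknown-product"   # not covered by the article
        else:
            try:
                status = "ok" if is_at_least(version, baseline) else "update"
            except ValueError:
                status = "unparsed"      # flag for manual review
        findings.append((host, product.lower(), version, status))
    return findings

SAMPLE_INVENTORY = """\
# host,product,version (constructed sample data)
imac-01,macOS,10.13.1
imac-01,Safari,11.0.2
mbp-02,macOS,10.13.2
mbp-02,Chrome,63.0.3239.132
iphone-03,iOS,11.2
atv-04,tvOS,11.2
"""
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank a hypothetical 10.13.10 below 10.13.2 and misreport a patched machine.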

Don’t download apps from untrusted developers

Hackers can’t get into your system unless you let them in, so be mindful of where your apps are coming from, especially on the Mac. Obviously, the Mac App Store is the safest way to download apps, but there are a number of legitimate developers that offer apps outside Apple’s store. Most of them are safe to install, but you should do some research before hitting the download button. macOS already warns users by default when launching apps from unidentified developers, so pay attention to any prompts you get when opening an app for the first time.

Stay vigilant

As Apple says, the risk to users is fairly low, but the scale here is massive. With hundreds of millions of vulnerable devices, hackers are going to be working overtime to exploit these flaws, so be aware of anything amiss with your device or accounts, and take the appropriate action if necessary.


Your best protection is to download the latest versions of the latest operating system

The Mac App Store is the safest place to download apps from
