"Meltdown" is a flaw that affects Intel processors (and, as the ARM statement further down confirms, a small number of ARM designs) and "melts security boundaries which are normally enforced by the hardware". "Spectre" is a flaw that affects Intel, AMD, and ARM processors due to the way "speculative execution" is handled.

Both could theoretically be used to read information from a computer's memory, including private information like passwords, photos, messages, and more.

Apple has apparently already started patching Meltdown in macOS. Here's what you need to know.

January 22, 2018: Apple's Mac not affected by Intel's issues with Spectre microcode patches

Intel has identified the root cause of the reboot issue affecting Broadwell and Haswell processors that had been updated with Intel's microcode patches for Spectre (the variant 2, branch target injection, mitigation).

Apple hasn't shipped Intel's microcode patches in a macOS update so far, so Macs aren't exposed to the reboot problem. Instead, Apple has patched WebKit and Safari to block the JavaScript-based Spectre attacks it considers the practical vector.

For those interested, or potentially affected through other products, here's what Intel had to say:

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

  • We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.

  • We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.

  • We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

I apologize for any disruption this change in guidance may cause. The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.

I will keep you updated as we learn more and thank you for your patience.

January 15, 2018: No, iOS 11.2.2's Spectre patch isn't crippling older iPhones. Sigh.

A strange story began gaining traction over the weekend. It was based on a set of comparative CPU benchmarks of an iPhone before and after iOS 11.2.2, posted to the internet, that appeared to show a significant additional slowdown after the update. The blame for the slowdown was placed squarely on iOS 11.2.2's Spectre mitigation.

Which should have set off alarm bells for anyone covering the story because iOS 11.2.2 patches Spectre not at the OS level but at the browser level.

From Apple:

iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

So, the effects of any Spectre mitigations wouldn't manifest in direct CPU benchmarks at all.

What happened? John Poole, the developer of the Geekbench benchmark tool, has the answer:

Meltdown and Spectre are some of the biggest issues the industry has ever faced. It's natural for people to be confused and unfortunately typical for publishers to rush for headlines.

But we owe it to ourselves and our audiences, be they social or traditional, to take a breath, take our time, and get this stuff right.

January 8, 2018: Apple ships iOS 11.2.2 and a macOS 10.13.2 Supplemental Update with Safari/WebKit Spectre mitigations

Apple today pushed out iOS 11.2.2 and a supplemental update to macOS 10.13.2. These are the first in what may be a series of updates to help protect the Safari web browser from Spectre-based attacks.

From Apple:

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

Also from Apple:

Available for: macOS High Sierra 10.13.2

Description: macOS High Sierra 10.13.2 Supplemental Update includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

There were also updates for Safari 11.0.2 for macOS 10.12 Sierra and OS X 10.11 El Capitan.

Following the updates, WebKit, the open-source engine behind Safari, has shared what Meltdown and Spectre mean for its technology stack.

From WebKit.org:

To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim's processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user's processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit's security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.

  • WebKit relies on branch instructions to enforce what untrusted JavaScript and WebAssembly code can do. Spectre means that an attacker can control branches, so branches alone are no longer adequate for enforcing security properties.

  • Meltdown means that userland code, such as JavaScript running in a web browser, can read kernel memory. Not all CPUs are affected by Meltdown and Meltdown is being mitigated by operating system changes. Mounting a Meltdown attack via JavaScript running in WebKit requires first bypassing branch-based security checks, like in the case of a Spectre attack. Therefore, Spectre mitigations that fix the branch problem also prevent an attacker from using WebKit as the starting point for Meltdown.

This document explains how Spectre and Meltdown affect existing WebKit security mechanisms and what short-term and long-term fixes WebKit is deploying to provide protection against this new class of attacks. The first of these mitigations shipped on Jan 8, 2018:

  • iOS 11.2.2.

  • High Sierra 10.13.2 Supplemental Update. This reuses the 10.13.2 version number. You can check if your Safari and WebKit are patched by verifying the full version number in About Safari. The version number should be either 13604.4.7.1.6 or 13604.4.7.10.6.

  • Safari 11.0.2 for El Capitan and Sierra. This reuses the 11.0.2 version number. Patched versions are 11604.4.7.1.6 (El Capitan) and 12604.4.7.1.6 (Sierra).

Again, these are just the first in what may be a series of WebKit and Safari-based updates to protect against Spectre-based exploits.
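Comparing those build numbers by eye is error-prone, and a plain string comparison gets it wrong too (it ranks 13604.4.7.9.6 above 13604.4.7.10.6). The following is an added example, not WebKit's or Apple's code: a small C program that parses the build number shown in parentheses in About Safari into numeric components and checks it against the builds WebKit.org lists above. The mapping of the first component to an OS branch (13604 High Sierra, 12604 Sierra, 11604 El Capitan) follows the list; treating a numerically higher build on the same branch as "newer than the patched build" is my assumption, since WebKit only names the exact builds.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTS 8

/* Outcome of checking one build number against the patched list. */
enum patch_status {
    BUILD_INVALID,           /* not a dotted numeric build string */
    BUILD_UNKNOWN_BRANCH,    /* first component matches no listed OS branch */
    BUILD_OLDER_THAN_PATCH,  /* same branch, numerically below the patched build */
    BUILD_PATCHED,           /* exactly one of the builds WebKit.org listed */
    BUILD_NEWER_THAN_PATCH   /* same branch, above a listed build; assumed (not
                                stated by WebKit) to carry the fix */
};

/* Builds WebKit.org listed as patched on Jan 8, 2018. First component:
 * 13604 = High Sierra, 12604 = Sierra, 11604 = El Capitan. */
static const char *const patched_builds[] = {
    "13604.4.7.1.6", "13604.4.7.10.6", "12604.4.7.1.6", "11604.4.7.1.6",
};

/* Split "13604.4.7.1.6" into numeric parts; missing trailing parts read as 0.
 * Returns the part count, or -1 for an empty string, a trailing dot,
 * a non-digit, or more than MAX_PARTS components. */
static int parse_build(const char *s, unsigned parts[MAX_PARTS]) {
    int n = 0;
    memset(parts, 0, MAX_PARTS * sizeof parts[0]);
    for (;;) {
        char *end;
        if (!isdigit((unsigned char)*s) || n == MAX_PARTS) return -1;
        parts[n++] = (unsigned)strtoul(s, &end, 10);
        if (*end == '\0') return n;
        if (*end != '.') return -1;
        s = end + 1;
    }
}

/* Component-wise numeric comparison: -1, 0 or 1. */
static int cmp_build(const unsigned a[MAX_PARTS], const unsigned b[MAX_PARTS]) {
    for (int i = 0; i < MAX_PARTS; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

enum patch_status safari_spectre_status(const char *build) {
    unsigned have[MAX_PARTS], want[MAX_PARTS];
    int same_branch = 0, above_listed = 0;

    if (parse_build(build, have) < 0) return BUILD_INVALID;
    for (size_t i = 0; i < sizeof patched_builds / sizeof patched_builds[0]; i++) {
        parse_build(patched_builds[i], want);
        if (want[0] != have[0]) continue;        /* different OS branch */
        same_branch = 1;
        int c = cmp_build(have, want);
        if (c == 0) return BUILD_PATCHED;
        if (c > 0) above_listed = 1;
    }
    if (!same_branch) return BUILD_UNKNOWN_BRANCH;
    return above_listed ? BUILD_NEWER_THAN_PATCH : BUILD_OLDER_THAN_PATCH;
}

int main(int argc, char **argv) {
    static const char *const labels[] = {
        "invalid", "unknown branch", "older than patched build",
        "patched", "newer than patched build",
    };
    /* Constructed default input; pass the build from About Safari as argv[1]. */
    const char *build = argc > 1 ? argv[1] : "13604.4.7.1.6";
    printf("%s: %s\n", build, labels[safari_spectre_status(build)]);
    return 0;
}
```

Run it with the build number from About Safari as the only argument. A build on a branch not in the list (for example an older Safari 10 build) comes back as "unknown branch" rather than "patched", which is the safe default.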

January 5, 2018: Apple corrects security bulletin, removes Sierra and El Capitan from update list

Yesterday, Apple updated its software patch bulletin to include High Sierra, Sierra, and El Capitan in the list of macOS / OS X versions patched to mitigate Meltdown. Today, Apple updated it again to remove Sierra and El Capitan.

So, only macOS High Sierra has been patched against Meltdown to date. Hopefully, patches for Sierra and El Capitan will be pushed as soon as possible.

January 4, 2018: Apple and Intel update on Meltdown and Spectre

Apple has posted a knowledge base article detailing both the updates the company has already pushed out to address Meltdown on macOS, iOS, and tvOS (watchOS is not affected), and its plans to push further updates to protect Safari from Spectre.

From Apple:

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

According to Apple Support, Meltdown was patched for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, OS X El Capitan 10.11.6.

Update: Apple has updated the support page to correct the earlier listing and reflect that only macOS High Sierra has currently been patched. Hopefully, we'll still see the updates for Sierra and El Capitan soon as well.

In terms of what, if any, performance hits the updates may cause, the news is good:

Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

And:

Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.

Intel has also released a follow-up statement:

Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.

"Immune" is pretty strong language. Let's hope Intel is using it out of confidence and not bravado.



Why is this all so confusing?

Good question! We're dealing with two named attacks, Meltdown and Spectre, built on three distinct vulnerability variants (listed below). Processor vendors like Intel, AMD, and ARM, and platform-makers including Apple, Microsoft, and the Linux Foundation, were apparently working under a mutually agreed-upon embargo originally set to drop the week of January 8, 2018.

Updates made to Linux, however, were spotted and eventually picked up by The Register the week of January 1, 2018. A full week early.

A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.

Because the report contained only partial information, it led to a lot of uncertainty and speculation.

So, what are Meltdown and Spectre exactly?

Meltdown and Spectre are flaws in most modern central processing units (CPUs) that allow speculatively executed memory references to leak data the running code should not be able to read, including privileged kernel memory.

From Google:

Last year, Google's Project Zero team discovered serious security flaws caused by "speculative execution," a technique used by most modern processors (CPUs) to optimize performance.

The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.

Project Zero has more information on the flaws.

We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)

Variant 2: branch target injection (CVE-2017-5715)

Variant 3: rogue data cache load (CVE-2017-5754)
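Variants 1 and 2 are the two CVEs Apple cites for its Spectre fixes; Variant 3 is Meltdown. Variant 1 is exactly the situation WebKit describes above, where a conditional branch is the only thing enforcing bounds on an index chosen by untrusted code. The following is an added example, not code from Project Zero, WebKit or Apple: in C, the vulnerable pattern next to the branchless index-masking fix (the array_index_nospec idiom the Linux kernel adopted for Variant 1). The 16-byte public region, the "secret" bytes behind it, and the function names are constructed for illustration; the cache side channel a real attack would need to observe the transient load is deliberately left out, and the transient_load_* helpers only model which byte the mispredicted path touches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample memory: 16 bytes an untrusted caller may index
 * (think of a JavaScript typed array) immediately followed by 16 bytes
 * it must never read. The layout is an assumption for illustration. */
#define PUBLIC_LEN 16
static const uint8_t memory[33] = "0123456789abcdefSECRET_KEY_BYTES";

/* The pattern Variant 1 abuses: the only thing between the untrusted
 * index and the secret is a conditional branch. The CPU may predict the
 * branch as taken for an out-of-range idx and transiently execute
 * memory[idx] before the check resolves. Architecturally this function
 * still never returns a secret byte. */
uint8_t read_branch_checked(size_t idx) {
    if (idx < PUBLIC_LEN)
        return memory[idx];
    return 0;
}

/* Branchless index clamp. Returns all-ones when idx < size and zero
 * otherwise, using arithmetic only, so there is no branch for the
 * predictor to get wrong. Assumes idx and size both fit in a
 * non-negative long; relies on GCC/Clang arithmetic right shift of a
 * negative long. */
static size_t index_mask_nospec(size_t idx, size_t size) {
    long t = (long)(idx | (size - 1 - idx));   /* negative iff idx >= size */
    return (size_t)(~t >> (sizeof(long) * 8 - 1));
}

/* Hardened form: even if the branch is mispredicted, the index used by
 * the load is forced to 0, which stays inside the public region. */
uint8_t read_masked(size_t idx) {
    if (idx >= PUBLIC_LEN)
        return 0;
    idx &= index_mask_nospec(idx, PUBLIC_LEN);
    return memory[idx];
}

/* Model of the load the CPU performs on the mispredicted path, i.e.
 * with the bounds check ignored. Not a side channel; it only shows which
 * byte each variant would expose to one. */
uint8_t transient_load_branch_checked(size_t idx) {
    return memory[idx % sizeof memory];
}
uint8_t transient_load_masked(size_t idx) {
    return memory[(idx & index_mask_nospec(idx, PUBLIC_LEN)) % sizeof memory];
}

int main(void) {
    size_t attacker_idx = PUBLIC_LEN + 4;   /* points into the secret region */
    printf("architectural result: branch=%u masked=%u\n",
           read_branch_checked(attacker_idx), read_masked(attacker_idx));
    printf("byte reachable transiently: branch='%c' masked='%c'\n",
           transient_load_branch_checked(attacker_idx),
           transient_load_masked(attacker_idx));
    return 0;
}
```

Both functions return 0 for the out-of-range index, which is why the flaw is invisible to ordinary testing; the difference is only in what the mispredicted path can touch. In production code the mask should also be kept out of the compiler's reach (the kernel wraps it in an asm barrier), since an optimizer that proves idx is in range may fold the mask away again.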

Who discovered Meltdown and Spectre?

According to the information pages on Meltdown and Spectre:

Meltdown was independently discovered and reported by three teams:

  • Jann Horn (Google Project Zero),
  • Werner Haas, Thomas Prescher (Cyberus Technology),
  • Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)

Spectre was independently discovered and reported by two people:

  • Jann Horn (Google Project Zero) and
  • Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)

How are Intel processors affected by Meltdown?

Meltdown likely affects every Intel processor that implements out-of-order execution. That is effectively every Intel x86 and x64 chip found in personal computers and servers going back to 1995. The exceptions are Itanium and the Atom chips released before 2013.

The early focus on Intel in the media likely prompted the company to get its statement out first, ahead of everyone else:

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

Because the phrasing wasn't specific as to which exploit affected which vendor, it added to some of the confusion.

Intel has since issued a new statement, claiming that patches have rendered its processors "immune" to Meltdown and Spectre.

From Intel:

Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.

That's an incredibly bold statement. Hopefully, Intel was completely certain before issuing it.

The Mac uses Intel processors — how is the Mac affected by Meltdown and Spectre?

Apple has used x86/x64 processors since switching the Mac to Intel in 2006. That means every Intel-based Mac is affected by Meltdown and Spectre. The good news is that Apple patched against Meltdown back in December of 2017.

From Apple:

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

Apple Support briefly listed patches for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6, but those were removed the next day and only High Sierra is currently listed.

Which versions of macOS / OS X have been patched against Meltdown and Spectre:

  • macOS High Sierra: Patched against Meltdown in 10.13.2

That means software patches are now available for Macs going back to:

  • iMac (Late 2009 & later)
  • MacBook Air (2010 or newer)
  • MacBook (Late 2009 or newer)
  • Mac mini (2010 or newer)
  • MacBook Pro (2010 or newer)
  • Mac Pro (2010 or newer)

Patches for Safari to address Spectre are still forthcoming.

How is Meltdown being patched?

Because Meltdown is a flaw in shipped silicon that can't be fixed in the hardware itself, operating system makers are patching around it in software. The patches are variations of KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed), which Linux merged under the name kernel page table isolation (KPTI).

From LWN:

Whereas current systems have a single set of page tables for each process, KAISER implements two. One set is essentially unchanged; it includes both kernel-space and user-space addresses, but it is only used when the system is running in kernel mode. The second "shadow" page table contains a copy of all of the user-space mappings, but leaves out the kernel side. Instead, there is a minimal set of kernel-space mappings that provides the information needed to handle system calls and interrupts, but no more. Copying the page tables may sound inefficient, but the copying only happens at the top level of the page-table hierarchy, so the bulk of that data is shared between the two copies.

Basically, instead of letting everything mingle together for speed, KAISER separates it out for security.

So, the patch is what causes a performance hit?

Correct. From the same explanation on LWN:

KAISER will affect performance for anything that does system calls or interrupts: everything. Just the new instructions (CR3 manipulation) add a few hundred cycles to a syscall or interrupt. Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.

Is AMD affected as well — reports seem to disagree?

AMD doesn't appear to be affected by Meltdown but does seem to be affected by Spectre, which has caused some confusion. AMD also seems to think Spectre isn't a real-world risk.

An AMD engineer, before the embargo lifted, claimed AMD processors weren't subject to the attack that kernel page table isolation defends against (that is, Meltdown).

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

AMD also told Fortune the risk was "near zero":

"Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time," the company said in a statement. "We expect the security research to be published later today and will provide further updates at that time."

Whether AMD is referring to Meltdown exclusively or Spectre as well is... unclear.

Apple currently doesn't use CPUs made by AMD in any of its products, only GPUs, so, regardless of how this part shakes out, it won't have any effect on Mac users.

What about ARM? Apple uses ARM chips in iPhone, iPad, and Apple TV, right?

Right. Apple originally used licensed ARM core designs. Starting with the A6 in iPhone 5, Apple has designed its own cores under an ARM architecture license, and starting with the A7 in iPhone 5s those custom cores implement the 64-bit ARMv8 instruction set.

Unlike AMD, it looks like ARM might be affected by both Meltdown and Spectre.

Ryan Smith, writing for AnandTech:

The immediate concern is an exploit being called Meltdown, which primarily affects Intel's CPUs, but also has been confirmed to affect some ARM CPU designs as well. With Meltdown it is possible for malicious code to abuse Intel and ARM's speculative execution implementations to get the processor to leak information from other processes – particularly the all-knowing operating system kernel. As a result, Meltdown can be readily used to spy on other processes and sneak out information that should be restricted to the kernel, other programs, or other virtual machines.

ARM has issued the following statement:

Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.

Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed and not based on a flaw or bug. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.

It is important to note that this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads.

The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism. A definitive list of the small subset of Arm-designed processors that are susceptible can be found below.

Apple has since put out a technical note on the status of ARM-based vulnerabilities and software patches.

From Apple:

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown.

And to defend against Spectre:

Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.

No word yet on what, if any, updates might be made available for previous versions of iOS and tvOS.

Which versions of iOS and tvOS are patched against Meltdown and Spectre?

Current versions of iOS and tvOS patch against Meltdown.

  • iOS 11.2
  • tvOS 11.2

For iOS, that means devices now patched include:

  • iPhone X
  • iPhone 8
  • iPhone 8 Plus
  • iPhone 7
  • iPhone 7 Plus
  • iPhone SE
  • iPhone 6s
  • iPhone 6s Plus
  • iPhone 6
  • iPhone 6 Plus
  • iPhone 5s
  • iPad Pro 10.5-inch
  • iPad Pro 9.7-inch
  • iPad Pro 12.9-inch
  • iPad Air 2
  • iPad Air
  • iPad mini 4
  • iPad mini 3
  • iPad mini 2
  • iPod touch (6th generation)

For tvOS, that means devices now patched include:

  • Apple TV 4K (Late 2017)
  • Apple TV (Late 2015)

Previous versions of Apple TV didn't run full apps (only TV Markup Language apps made in partnership with Apple) so it's unclear if they face any risk from Meltdown or Spectre.

Patches for Safari to mitigate against Spectre are still forthcoming.

Apple Watch isn't affected by Meltdown or Spectre?

Apple says Apple Watch isn't affected by Meltdown. Its statement still lists watchOS among the platforms getting further mitigations in upcoming updates, so Spectre hasn't been ruled out in so many words. The likely reason for the Meltdown immunity is that Apple Watch was designed to run under extremely power-sensitive conditions and, as such, the S-series system-in-package inside it doesn't use the kind of out-of-order execution that Meltdown depends on.

Apple Watch also doesn't have a user-facing web browser, so there's no risk from the Spectre-based JavaScript attacks that target browsers.

How can you protect against Meltdown-based attacks?

For home users on Intel-based computers, including Macs, Meltdown can only be exploited by code running on your machine. In practice that means someone first needs physical access to your computer, has to trick you into installing malware through phishing or some other form of social engineering attack, or, as WebKit explains above, has to get JavaScript in your browser past the browser's own checks with a Spectre attack first.

The patches being issued by Apple and other platform-makers should mitigate even that risk over time.

How can you protect against Spectre-based attacks?

Spectre affects a wider range of devices and could well be much harder to mitigate, but it also seems to be much harder to exploit. Apple's assessment is that the realistic vector is JavaScript running in a web browser, which is why its Spectre fixes target Safari and WebKit.

Details are still emerging, though. So, we'll have to wait and see.

Should you worry? Is it time to panic and burn it all down?

Not just yet.

For now, stay informed and stay updated. As the patches come out both now and in the future, download and install them.

No code or architecture is perfect. There will always be bugs. There will always be flaws. Some of them will seem gobsmackingly stupid. What matters is how quickly and well vendors respond to them.

In this case, it looks like everyone is responding as quickly as possible for as many customers as possible.

More as it develops.

Originally published on January 3, 2018. Last updated January 22, 2018.
