'Meltdown' and 'Spectre' FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw

"Meltdown" is a flaw currently believed to affect only Intel processors and "melts security boundaries which are normally enforced by the hardware". "Spectre" is a flaw that affects Intel, AMD, and ARM processors due to the way "speculative execution" is handled.
Both could theoretically be used to read information from a computer's memory, including private information like passwords, photos, messages, and more.
Apple has apparently already started patching Meltdown in macOS. Here's what you need to know.
January 22, 2018: Apple's Mac not affected by Intel's issues with Spectre microcode patches
Intel has identified an issue that affected Broadwell and Haswell processors that had been updated with Intel's microcode patches to mitigate against the Spectre exploit.
Apple didn't rush to apply Intel's microcode patches but, thus far, has provided patches for WebKit and Safari to prevent potential JavaScript-based Spectre exploits instead.
For those interested, or potentially affected through other products, here's what Intel had to say:
As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.
Based on this, we are updating our guidance for customers and partners:
- We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
- We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
- We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.
I apologize for any disruption this change in guidance may cause. The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.
I will keep you updated as we learn more and thank you for your patience.
January 15, 2018: No, iOS 11.2.2's Spectre patch isn't crippling older iPhones. Sigh.
A strange story began gaining traction over the weekend. It was based on a set of comparative CPU benchmarks for an iPhone before and after iOS 11.2.2, posted to the internet, that appeared to show significant additional slowdown post-update. And the blame for the slowdown was placed squarely on iOS 11.2.2's Spectre mitigation.
Which should have set off alarm bells for anyone covering the story because iOS 11.2.2 patches Spectre not at the OS level but at the browser level.
From Apple:
iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
So, the effects of any Spectre mitigations wouldn't manifest in direct CPU benchmarks at all.
What happened? John Poole, the developer of the Geekbench benchmark tool, has the answer:
Regarding the "story" of iOS 11.2.2 #Spectre mitigations further slowing down older iPhones. (Spoiler: Looks like bad testing coupled with careless reporting.) https://t.co/sj4nQaOmsB — Rene Ritchie (@reneritchie) January 15, 2018
Meltdown and Spectre are some of the biggest issues the industry has ever faced. It's natural for people to be confused and unfortunately typical for publishers to rush for headlines.
But we owe it to ourselves and our audiences, be they social or traditional, to take a breath, take our time, and get this stuff right.
January 8, 2018:
Apple today pushed out iOS 11.2.2 for iOS and a supplemental update to macOS 10.13.2. These add the first in what may be a series of updates to help protect the Safari web browser from Spectre-based attacks.
From Apple:
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
Also from Apple:
Available for: macOS High Sierra 10.13.2
Description: macOS High Sierra 10.13.2 Supplemental Update includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
There were also updates for Safari 11.0.2 for macOS 10.12 Sierra and OS X 10.11 El Capitan.
Following the updates, WebKit, the open-source engine behind Safari, has shared what Meltdown and Spectre mean for its technology stack.
From WebKit.org:
To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim's processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user's processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit's security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.
- WebKit relies on branch instructions to enforce what untrusted JavaScript and WebAssembly code can do. Spectre means that an attacker can control branches, so branches alone are no longer adequate for enforcing security properties.
- Meltdown means that userland code, such as JavaScript running in a web browser, can read kernel memory. Not all CPUs are affected by Meltdown and Meltdown is being mitigated by operating system changes. Mounting a Meltdown attack via JavaScript running in WebKit requires first bypassing branch-based security checks, like in the case of a Spectre attack. Therefore, Spectre mitigations that fix the branch problem also prevent an attacker from using WebKit as the starting point for Meltdown.
This document explains how Spectre and Meltdown affect existing WebKit security mechanisms and what short-term and long-term fixes WebKit is deploying to provide protection against this new class of attacks. The first of these mitigations shipped on Jan 8, 2018:
- iOS 11.2.2.
- High Sierra 10.13.2 Supplemental Update. This reuses the 10.13.2 version number. You can check if your Safari and WebKit are patched by verifying the full version number in About Safari. The version number should be either 13604.4.7.1.6 or 13604.4.7.10.6.
- Safari 11.0.2 for El Capitan and Sierra. This reuses the 11.0.2 version number. Patched versions are 11604.4.7.1.6 (El Capitan) and 12604.4.7.1.6 (Sierra).
Again, these are just the first in what may be a series of WebKit and Safari-based updates to protect against Spectre-based exploits.
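As an added example (not from Apple, WebKit.org or the original article), this POSIX shell script classifies a Safari build number against the patched builds quoted above, which is useful when auditing more than one Mac. The function names are hypothetical, and two things are assumptions: that the leading five-digit component identifies the macOS release, and that any build at or above the listed one keeps the fix.

```shell
#!/bin/sh
# Added example: classify a Safari build number against the patched builds
# listed in the WebKit.org text above. Function names are hypothetical.

# Minimum patched build for the Safari branch a build belongs to.
# Assumption: the leading five-digit component identifies the macOS release,
# as the article's three values suggest (11604 / 12604 / 13604).
min_patched_build() {
    case "${1%%.*}" in
        11[0-9][0-9][0-9]) echo 11604.4.7.1.6 ;;  # OS X El Capitan
        12[0-9][0-9][0-9]) echo 12604.4.7.1.6 ;;  # macOS Sierra
        13[0-9][0-9][0-9]) echo 13604.4.7.1.6 ;;  # macOS High Sierra
        *) return 1 ;;                            # release not covered by the article
    esac
}

# Compare two dotted build numbers numerically, component by component.
# Prints -1, 0 or 1. A plain string comparison would rank 13604.4.7.10.6
# below 13604.4.7.2, so each component is compared as an integer.
build_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        [ -n "$x" ] || x=0      # missing components count as 0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# Prints "patched", "unpatched" or "unknown" for one build number.
# Assumption: builds at or above the listed minimum retain the mitigation.
safari_spectre_status() {
    build=$1
    case "$build" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;  # not a dotted number
    esac
    min=$(min_patched_build "$build") || { echo unknown; return 0; }
    if [ "$(build_cmp "$build" "$min")" -ge 0 ]; then
        echo patched
    else
        echo unpatched
    fi
}

# Constructed sample builds (not readings from real machines).
for b in 13604.4.7.1.6 13604.4.7.10.6 13604.3.5 12604.4.7.1.6 11604.1.38.1.7; do
    printf '%s\t%s\n' "$b" "$(safari_spectre_status "$b")"
done

# On a Mac, also check the installed Safari. CFBundleVersion is the build
# number that About Safari shows in parentheses.
plist=/Applications/Safari.app/Contents/Info
if command -v defaults >/dev/null 2>&1 && [ -e "$plist.plist" ]; then
    local_build=$(defaults read "$plist" CFBundleVersion 2>/dev/null || true)
    printf 'installed Safari %s\t%s\n' "$local_build" "$(safari_spectre_status "$local_build")"
fi
```
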
January 5, 2018: Apple corrects security bulletin, removes Sierra and El Capitan from update list
Yesterday, Apple updated its software patch bulletin to include High Sierra, Sierra, and El Capitan in the list of macOS / OS X versions patched to mitigate against Meltdown. Today, Apple updated again to remove Sierra and El Capitan.
So, only macOS High Sierra has been patched against Meltdown to date. Hopefully, patches for Sierra and El Capitan will be pushed asap.
January 4, 2018: Apple and Intel update on Meltdown and Spectre
Apple has posted a knowledge base article detailing both the updates the company has already pushed out to address Meltdown on macOS, iOS, and tvOS (watchOS is not affected), and its plans to push further updates to protect Safari from Spectre.
From Apple:
Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
According to Apple Support, Meltdown was patched for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6.
Update: Apple has updated the support page to correct the previous version and reflect that only macOS High Sierra has currently been patched. Hopefully, we'll still see the updates for Sierra and El Capitan soon as well.
In terms of what, if any, performance hits the updates may cause, the news is good:
Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
And:
Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.
Intel has also released a follow-up statement:
Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.
"Immune" is pretty strong language. Let's hope Intel is using it out of confidence and not bravado.
Why is this all so confusing?
Good question! We're dealing with a couple of exploits across several flaws. Chipset vendors like Intel, AMD, and ARM, and platform-makers including Apple, Microsoft, and the Linux Foundation, were apparently working under a mutually agreed-upon embargo originally set to drop the week of January 8, 2018.
Updates made to Linux, however, were spotted and eventually picked up by The Register the week of January 1, 2018. A full week early.
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.
Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.
Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.
Because the report contained only partial information, it led to a lot of uncertainty and speculation.
So, what are Meltdown and Spectre exactly?
Meltdown and Spectre are flaws in most modern central processing units (CPU) that allow speculative references to probe privileged data.
From Google:
Last year, Google's Project Zero team discovered serious security flaws caused by "speculative execution," a technique used by most modern processors (CPUs) to optimize performance.
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.
Project Zero has more information on the flaws.
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].
So far, there are three known variants of the issue:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
Who discovered Meltdown and Spectre?
According to the information pages on Meltdown and Spectre:
Meltdown was independently discovered and reported by three teams:
- Jann Horn (Google Project Zero),
- Werner Haas, Thomas Prescher (Cyberus Technology),
- Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)
Spectre was independently discovered and reported by two people:
- Jann Horn (Google Project Zero) and Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)
How are Intel processors affected by Meltdown?
Meltdown likely affects every Intel chipset that implements out-of-order execution. That includes the x86 and x64 chips found in most personal computers and many servers going back to 1995. It also includes Itanium and Atom chips going back to 2013.
The early focus on Intel in the media likely prompted the company to get its statement out first, ahead of everyone else:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Because the phrasing wasn't specific as to which exploit affected which vendor, it added to some of the confusion.
Intel has since issued a new statement, claiming that patches have rendered its processors "immune" to Meltdown and Spectre.
From Intel:
Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.
That's an incredibly bold statement. Hopefully, Intel was completely certain before issuing it.
The Mac uses Intel processors — how is the Mac affected by Meltdown and Spectre?
Apple has used x86/x64 processors since switching the Mac to Intel in 2006. That means every modern Mac is affected by Meltdown and Spectre. The good news is that Apple patched against Meltdown back in December of 2017.
From Apple:
Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
Apple Support briefly listed patches for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6, but those were removed the next day and only High Sierra is currently listed.
Which versions of macOS / OS X have been patched against Meltdown and Spectre:
- macOS High Sierra: Patched against Meltdown in 10.13.2
That means software patches are now available for Macs going back to:
- iMac (Late 2009 & later)
- MacBook Air (2010 or newer)
- MacBook (Late 2009 or newer)
- Mac mini (2010 or newer)
- MacBook Pro (2010 or newer)
- Mac Pro (2010 or newer)
Patches for Safari to address Spectre are still forthcoming.
How is Meltdown being patched?
Because Meltdown can't be patched in hardware, operating system makers are patching it in software. The patches are variations of KAISER — kernel address isolation to have side-channels efficiently removed.
From LWN:
Whereas current systems have a single set of page tables for each process, KAISER implements two. One set is essentially unchanged; it includes both kernel-space and user-space addresses, but it is only used when the system is running in kernel mode. The second "shadow" page table contains a copy of all of the user-space mappings, but leaves out the kernel side. Instead, there is a minimal set of kernel-space mappings that provides the information needed to handle system calls and interrupts, but no more. Copying the page tables may sound inefficient, but the copying only happens at the top level of the page-table hierarchy, so the bulk of that data is shared between the two copies.
Basically, instead of letting everything mingle together for speed, KAISER separates it out for security.
So, the patch is what causes a performance hit?
Correct. From the same explanation on LWN:
KAISER will affect performance for anything that does system calls or interrupts: everything. Just the new instructions (CR3 manipulation) add a few hundred cycles to a syscall or interrupt. Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.
Is AMD affected as well — reports seem to disagree?
AMD doesn't appear to be affected by Meltdown but does seem to be affected by Spectre, which has caused some confusion. AMD also seems to think Spectre isn't a real-world risk.
An AMD engineer, before the embargo lifted, claimed AMD wasn't affected.
AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
AMD also told Fortune the risk was "near zero":
"Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time," the company said in a statement. "We expect the security research to be published later today and will provide further updates at that time."
Whether AMD is referring to Meltdown exclusively or Spectre as well is... unclear.
Apple currently doesn't use CPUs made by AMD in any of its products, only GPUs, so, regardless of how this part shakes out, it won't have any effect on Mac users.
What about ARM? Apple uses ARM chips in iPhone, iPad, and Apple TV, right?
Right. Apple originally licensed ARM designs. Starting with iPhone 5s, Apple switched to licensing the ARM v8 instruction set so the company could make its own, custom designs.
Unlike AMD, it looks like ARM might be affected by both Meltdown and Spectre.
Ryan Smith, writing for AnandTech:
The immediate concern is an exploit being called Meltdown, which primarily affects Intel's CPUs, but also has been confirmed to affect some ARM CPU designs as well. With Meltdown it is possible for malicious code to abuse Intel and ARM's speculative execution implementations to get the processor to leak information from other processes – particularly the all-knowing operating system kernel. As a result, Meltdown can be readily used to spy on other processes and sneak out information that should be restricted to the kernel, other programs, or other virtual machines.
ARM has issued the following statement:
Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.
Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed and not based on a flaw or bug. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.
It is important to note that this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads.
The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism. A definitive list of the small subset of Arm-designed processors that are susceptible can be found below.
Apple has since put out a technical note on the status of ARM-based vulnerabilities and software patches.
From Apple:
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown.
And to defend against Spectre:
Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.
No word yet on what, if any, updates might be made available for previous versions of iOS and tvOS.
Which versions of iOS and tvOS are patched against Meltdown and Spectre?
Current versions of iOS and tvOS patch against Meltdown.
- iOS 11.2
- tvOS 11.2
For iOS, that means devices now patched include:
- iPhone X
- iPhone 8
- iPhone 8 Plus
- iPhone 7
- iPhone 7 Plus
- iPhone SE
- iPhone 6s
- iPhone 6s Plus
- iPhone 6
- iPhone 6 Plus
- iPhone 5s
- iPad Pro 10.5-inch
- iPad Pro 9.7-inch
- iPad Pro 12.9-inch
- iPad Air 2
- iPad Air
- iPad mini 4
- iPad mini 3
- iPad mini 2
- iPod touch 6
For tvOS, that means devices now patched include:
- Apple TV 4K (Late 2017)
- Apple TV (Late 2015)
Previous versions of Apple TV didn't run full apps (only TV Markup Language apps made in partnership with Apple) so it's unclear if they face any risk from Meltdown or Spectre.
Patches for Safari to mitigate against Spectre are still forthcoming.
Apple Watch isn't affected by Meltdown or Spectre?
Apparently not. Apple Watch was designed to run under extremely power sensitive conditions and, as such, the S-series system-in-package inside it doesn't use the type of speculative execution architecture vulnerable to Meltdown.
Apple Watch also doesn't have any front facing web browser capability, so there's no risk from Spectre-based JavaScript attacks targeting browsers.
How can you protect against Meltdown-based attacks?
For home users on Intel-based computers, including Macs, Meltdown can only be exploited by code running on your machine. That means someone first needs to have physical access to your computer or has to trick you into installing malware through phishing or some other form of social engineering attack.
The patches being issued by Apple and other platform-makers should mitigate even that risk over time.
How can you protect against Spectre-based attacks?
Spectre affects a wider range of devices, could well be much harder to mitigate, but also seems to be much harder to exploit.
Details are still emerging, though. So, we'll have to wait and see.
Should you worry? Is it time to panic and burn it all down?
Not just yet.
For now, stay informed and stay updated. As the patches come out both now and in the future, download and install them.
No code or architecture is perfect. There will always be bugs. There will always be flaws. Some of them will seem gobsmackingly stupid. What matters is how quickly and well vendors respond to them.
In this case, it looks like everyone is responding as quickly as possible for as many customers as possible.
More as it develops.
Originally published on January 3, 2018. Last updated January 5, 2018.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
-
The thing I want to know is, will Apple fix this in older MacOS/OS X versions, for those consumers who still use older hardware?
-
Yes, they will. They'll also include code that'll slow down said hardware to a crawl - way past the expected 5 to 30% dip - to get you to buy new stuff. They can blame it all on Intel this time.
-
Let's not be too hasty. Apple released the first part of their solution to Meltdown back at the end of November last year (10.13.2). Have you benchmarked before and after?
-
Here's my numbers from yesterday Geekbench 3.3.2
Hexacore Mac Pro (2013)
10.10.3
single multi
32 bit 3127 18019
64 bit 3513 20375
10.12
single multi
32 bit 3258 18240
64 bit 3571 20338
10.13.2
single multi
32 bit 3291 18569
64 bit 3529 20001
So far so good...
-
No they won't. If it does slow down, that is actually on Intel's part.
-
Apologetic nonsense. What you say is valid only if you bought an Intel boxed processor.
And you are ignoring ARM, including A-series. What defense would you offer there if you make claims against Intel?
-
The only thing Apple has slowed down is iPhones based on battery age. That has nothing, in its complete entirety, to do with this. If there is any slow down, it's not by Apple, so who is it?
-
This is the lunacy of brand fandom... Fandom puts the brand over the customer. The customer shouldn't need to care who's at fault. The purchased device is faulty. You did read that fixing these faults with the cpus "may slow processing by 30%"? Didn't you? This impacts all cpus based on Intel and ARM, including Apple's. Apple sells a lot of both, as embedded components in devices, to customers. Yes, Apple would be accountable (to customers) for the Intel chips in Macs. Intel would then be accountable to Apple. In summary:
a) Intel didn't sell Mac customers any chips, Apple did. Intel may be accountable to Apple, but not directly to Mac customers.
b) During that hypothetical argument between Intel and Apple, any accusations Apple applies against Intel, apply to Apple themselves for their A Series Chips.
-
Most consumer processors are unlikely to be affected, especially gamers. Some benchmarks show insignificantly faster speeds. Servers, on the other hand, will likely see major slow downs. https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2 By the way, from the logic of your argument, I can tell you aren't a lawyer, at least from the US. We sue everyone involved here.
-
But what argument could Apple make against Intel that doesn't turn against their own ARM? It's like ******* against the wind, not a good idea. Thanks for the kudos, no I'm not a lawyer.
-
Apple's A chips are based on ARM designs. Apple has been making processors for only a few years where this is a 20 year issue with Intel. I'm just saying. Not quite the same thing at all.
-
So, you're trusting what Intel says about a competitor's product, over what the competitor says? Everything I've seen, as well as the Security Now podcast I just finished, says AMD is not impacted. You didn't even provide the information neutrally, saying "Intel claims AMD is impacted, AMD says they're not". We won't know for a month, so why call it as fact? Intel has a *lot* of reason to lie. If Intel cloud servers suddenly lose 5-30% power vs their AMD counterparts? Hence Intel wants to spread the FUD that AMD is 100% impacted. Can we look at what the Linux Kernel devs themselves said? https://lkml.org/lkml/2017/12/27/2 "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against."
-
The bug reporters say AMD is affected. Did you read the blog posts from the bug reporters themselves (linked and quoted above)? "For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1]."
-
Linus Torvalds approved AMD's exception to the Linux KPTI patch that addresses "Meltdown" https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commi... Exploiting Meltdown is relatively trivial (script kiddie level), and thus far has not been shown to work on AMD (not sure about ARM). You're possibly thinking of "Spectre", which is much harder to exploit, and for which there is no patch. This does indeed affect most modern CPUs, including Intel, AMD and ARM.
-
I think you meant to reply to bobbob1016. You're making my point :)
-
"While AMD initially downplayed the significance of this attack, the company has since published a microcode update to give operating systems the control they need." https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-an...
-
So this is officially a "flaw" while the intentional slowdown of iPhones is considered a "power management issue".
-
The party is done and everyone went home already. What are you still doing here?
-
Well done on that strawman you just created
-
I think you used that term wrong...
-
No he didn't.
-
Not the sharpest pencil in the box are you?
-
Lol. You're one to talk
-
"For home users on Intel-based computers, including Macs, Meltdown can only be exploited by code running on your machine. That means someone first needs to have physical access to your computer or has to trick you into installing malware through phishing or some other form of social engineering attack." That can be done just by visiting a website, right? A website running malicious JavaScript? The site itself doesn't have to be malicious but a third party could inject or execute the malicious code on it?
-
JavaScript hasn't got full access to your system unless JavaScript itself has an exploit, but this isn't a JavaScript exploit
-
The vulnerability can be exploited via JavaScript :( "Mozilla has officially confirmed that the recently disclosed Meltdown and Spectre CPU flaws can be exploited via web content such as JavaScript files in order to extract information from users visiting a web page." https://www.bleepingcomputer.com/news/security/mozilla-confirms-web-base...
-
Ah, I stand corrected, sorry about that. I think some browsers have included an update now to patch it, so hopefully JavaScript is safe after the update, make sure you update when possible
-
Makes me all nostalgic for PowerPC.
-
Did you update the previous article where you said AMD was impacted by Meltdown where I clarified it wasn't? And how Intel was basically trying to game the situation and force the kernel patch to slow down AMD too so that AMD wouldn't have an advantage?
-
I didn't know there were AMD fanboys.
-
In the PC-building world there are. There's also the whole Nvidia vs AMD for GPUs as well.
-
From where you sit in your walled garden, how would you?
-
What about AppleSeed Beta Testers? Anyone know if they'll be patching those too?
-
Anyone know anything about using Windows 10 via Boot camp? I haven't received the security update via Windows Update even though it was released a week ago
-
Hi All... Is anyone able to confirm or deny if older Apple devices, specifically iPad 2's and iPhone 5C are vulnerable to Meltdown and Spectre? I work at a school where some faculty members have older units and are stuck at iOS 10.3.3. They are worried that they aren't going to be able to patch against this. Is there just not a patch available for it yet? Does 10.3.3 contain the patch?
-
I haven't read anything about specific chips, but the flaw is reportedly around ten years old. That includes for ARM which is the basis of Apple's A# chips. That said, there is no known weaponization of the exploit. They should be OK for the moment, but there are other holes in the armor. https://www.imore.com/krack-wpa2-wi-fi-exploit-already-fixed-ios-macos-t...
-
It is getting more complex by the day. It seems Microsoft has started shutting down older unpatched versions of Anti-virus software, silently because of conflicts from that AV software. So the owner of the computer might not know they lost protection because they haven't been keeping up to date on their Virus software. (Not a lot of sympathy for that here.) There are many, many more issues involved from what I'm reading. And a lot of finger pointing about who is doing good work and who is not. And who is to blame, and how fast the exploits may arrive. Most say not any time soon. There are still way easier exploits out there and these are very difficult to implement. But that chance of it happening increases as time passes and adequate solutions are not put into place. Good luck watching the Keystone Cops shoot each other in the foot as they flail about coming up with workable solutions that don't do something nearly as bad, or worse, than what they claim to be protecting us from.
-
It's not strange that people are wondering if the fix is crippling old iPhones. That's what happens when a company destroys its own credibility.
-
What's the current status of 10.12.x Sierra as of 01-20-2018? Looks like only an update to Safari so far, but no other protection of the OS?
-
Safari is the main protection you need at the moment, since JavaScript which runs on most webpages now is susceptible to the exploit. Otherwise, just be careful about what apps you install