"Meltdown" is a flaw currently believed to affect only Intel processors and "melts security boundaries which are normally enforced by the hardware". "Spectre" is a flaw that affects Intel, AMD, and ARM processors due to the way "speculative execution" is handled.
Both could theoretically be used to read information from a computer's memory, including private information like passwords, photos, messages, and more.
Apple has apparently already started patching Meltdown in macOS. Here's what you need to know.
January 22, 2018: Apple's Mac not affected by Intel's issues with Spectre microcode patches
Intel has identified an issue that affected Broadwell and Haswell processors that had been updated with Intel's microcode patches to mitigate against the Spectre exploit.
For those interested, or potentially affected through other products, here's what Intel had to say:
As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.
Based on this, we are updating our guidance for customers and partners:
- We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
- We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
- We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.
I apologize for any disruption this change in guidance may cause. The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.
I will keep you updated as we learn more and thank you for your patience.
January 15, 2018: No, iOS 11.2.2's Spectre patch isn't crippling older iPhones. Sigh.
A strange story began gaining traction over the weekend. It was based on a set of comparative CPU benchmarks for an iPhone before and after the iOS 11.2.2, posted to the internet, that appeared to show significant addition slowdown post-update. And the blame for the slowdown was placed squarely on iOS 11.2.2's Spectre mitigation.
Which should have set off alarm bells for anyone covering the story because iOS 11.2.2 patches Spectre not at the OS level but at the browser level.
From Apple (opens in new tab):
So, the affects of any Spectre mitigations wouldn't manifest in direct CPU benchmarks at all.
What happened? John Poole, the developer of the Geekbench benchmark tool, has the answer:
Regarding the "story" of iOS 11.2.2 #Spectre mitigations further slowing down older iPhones. (Spoiler: Looks like bad testing coupled with careless reporting.) https://t.co/sj4nQaOmsBRegarding the "story" of iOS 11.2.2 #Spectre mitigations further slowing down older iPhones. (Spoiler: Looks like bad testing coupled with careless reporting.) https://t.co/sj4nQaOmsB— Rene Ritchie (@reneritchie) January 15, 2018January 15, 2018
Meltdown and Spectre are some the biggest issues the industry has ever faced. It's natural for people to be confused and unfortunately typical for publishers to rush for headlines.
But we owe it to ourselves and our audiences, be they social or traditional, to take a breath, take our time, and get this stuff right.
January 8, 2018:
Apple today pushed out iOS 11.2.2 for iOS and a supplemental update to macOS 10.13.2. These add the first in what may be a series of updates to help protect the Safari web browser from Spectre-based attacks.
From Apple (opens in new tab):
Also from Apple (opens in new tab):
There were also updates for Safari 11.0.2 for macOS 10.12 Sierra and OS X 10.11 El Capitan.
Following the updates, WebKit, the open-source engine behind Safari, has shared what Meltdown and Spectre mean for its technology stack.
This document explains how Spectre and Meltdown affect existing WebKit security mechanisms and what short-term and long-term fixes WebKit is deploying to provide protection against this new class of attacks. The first of these mitigations shipped on Jan 8, 2018:
- iOS 11.2.2.
- High Sierra 10.13.2 Supplemental Update. This reuses the 10.13.2 version number. You can check
- if your Safari and WebKit are patched by verifying the full version number in About Safari. The version number should be either 13604.4.7.1.6 or 13604.4.7.10.6. Safari 11.0.2 for El Capitan and Sierra. This reuses the 11.0.2 version number. Patched versions are 11604.4.7.1.6 (El Capitan) and 12604.4.7.1.6 (Sierra).
Again, these are just the first in what may be a series of WebKit and Safari-based updates to protect against Spectre-based exploits.
January 5, 2018: Apple corrects security bulletin, removes Sierra and El Capitan from update list
Yesterday, Apple updated it's software patch bulletin to include High Sierra, Sierra, and El Capitan in the list of macOS / OS X versions patched to mitigate against Meltdown. Today, Apple updated again to remove Sierra and El Capitan.
So, only macOS High Sierra has been patched against Meltdown to date. Hopefully, patches for Sierra and El Capitan will be pushed asap.
January 4, 2018: Apple and Intel update on Meltdown and Spectre
Apple has posted a knowledge base article detailing both the updates the company has already pushed out to address Meltdown on macOS, iOS, and tvOS (watchOS is not affected), and its plans to push further updates to protect Safari from Spectre.
From Apple (opens in new tab):
According to Apple Support (opens in new tab), Meltdown was patched for macOS High Sierra 10.13.2,
macOS Sierra 10.12.6, OS X El Capitan 10.11.6.
Update: Apple has updated the support page to correct the previous version and reflect that only macOS High Sierra has currently been patched. Hopefully, we'll still see the updates for Sierra and El Capitan soon as well.
In terms of what, if any performance hits the updates may cause, the news is good:
Intel has also released a follow up statement:
"Immune" is pretty strong language. Let's hope Intel is using it out of confidence and not bravado.
Why is this all so confusing?
Good question! We're dealing with a couple of exploits across several flaws. Chipset vendors like Intel, AMD, and ARM, and platform-makers including Apple, Microsoft, and the Linux Foundation, were apparently working under a mutually agreed-upon embargo originally set to drop the week of January 8, 2018.
Updates made to Linux, however, were spotted and eventually picked up by The Register the week of January 1, 2018. A full week early.
Because it contained only partial information it led to a lot of uncertainty and speculation.
So, what are Meltdown and Spectre exactly?
Meltdown and Spectre are flaws in most modern central processing units (CPU) that allow speculative references to probe privileged data.
Project Zero has more information on the flaws.
Who discovered Meltdown and Spectre?
According to the information pages on Meltdown and Spectre:
Meltdown was independently discovered and reported by three teams:
- Jann Horn (Google Project Zero),
- Werner Haas, Thomas Prescher (Cyberus Technology),
- Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)
Spectre was independently discovered and reported by two people:
- Jann Horn (Google Project Zero) and Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)
How are Intel processors affected by Meltdown?
Meltdown likely affects every Intel chipset that implements out-of-order execution. That includes the x86 and x64 chips found in most personal computers and many servers going back to 1995. It also includes Itanium and Atom chips going back to 2013.
The early focus on Intel in the media likely prompted the company to get its statement out first, ahead of everyone else:
Because the phrasing wasn't specific as to which exploit affected which vendor, it added to some of the confusion.
Intel has since issued a new statement, claiming that patches have rendered its processors "immune" to Meltdown and Spectre.
That's an incredibly bold statement. Hopefully, Intel was completely certain before issuing it.
The Mac uses Intel processors — how is the Mac affected by Meltdown and Spectre?
Apple has used x86/x64 processors since switching the Mac to Intel in 2006. That means every modern Mac is affected by Meltdown and Spectre. The good news is that Apple patched against Meltdown back in December of 2017.
From Apple (opens in new tab):
Apple Support (opens in new tab), briefly listed patches for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6 but those were removed the next day and only High Sierra is currently listed.
Which versions of macOS / OS X have been patched against Meltdown and Spectre:
- macOS High Sierra: Patched against Meltdown in 10.13.2
That means software patches are now available for Macs going back to:
- iMac (Late 2009 & later)
- MacBook Air (2010 or newer)
- MacBook (Late 2009 or newer)
- Mac mini (2010 or newer)
- MacBook Pro (2010 or newer)
- Mac Pro (2010 or newer)
Patches for Safari to address Spectre are still forthcoming.
How is Meltdown being patched?
Because Meltdown can't be patched in hardware, operating system makers are patching it in software. The patches are variations of KAISER — kernel address isolation to have side-channels efficiently removed.
Basically, instead of letting everything mingle together for speed, KAISER separates it out for security.
So, the patch is what causes a performance hit?
Correct. From the same explanation on LWN:
Is AMD affected as well — reports seem to disagree?
AMD doesn't appear to be affected by Meltdown but does seem to be affected by Spectre, which has caused some confusion. AMD also seems to think Spectre isn't a real-world risk.
An AMD engineer, before the embargo lifted, claimed AMD wasn't affected.
AMD also told Fortune the risk was "near zero":
Whether AMD is referring to Meltdown exclusively or Spectre as well is... unclear.
Apple currently doesn't use CPUs made by AMD in any of its products, only GPUs, so, regardless of how this part shakes out, it won't have any affect on Mac users.
What about ARM? Apple uses ARM chips in iPhone, iPad, and Apple TV, right?
Right. Apple originally licensed ARM designs. Starting with iPhone 5s, Apple switched to licensing the ARM v8 instruction set so the company could make its own, custom designs.
Unlike AMD, it looks like ARM might be affected by both Meltdown and Spectre.
Ryan Smith, writing for AnandTech:
ARM has issued the following statement:
Apple has since put out a technical note on the status of ARM-based vulnerabilities and software patches.
From Apple (opens in new tab):
And to defend against Spectre:
No word yet on what, if any, updates might be made available for previous versions of iOS, and tvOS.
Which versions of iOS and tvOS are patched against Meltdown and Spectre?
Current versions of iOS and tvOS patch against Meltdown.
- iOS 11.2
- tvOS 11.2
For iOS, that means devices now patched include:
- iPhone X
- iPhone 8
- iPhone 8 Plus
- iPhone 7
- iPhone 7 Plus
- iPhone SE
- iPhone 6s
- iPhone 6s Plus
- iPhone 6
- iPhone 6 Plus
- iPhone 5s
- iPad Pro 10.5-inches
- iPad Pro 9.7-inches
- iPad Pro 12.9-inches
- iPad Air 2
- iPad Air
- iPad mini 4
- iPad mini 3
- iPad mini 2
- iPod touch 6
For tvOS, that means devices now patched include:
- Apple TV 4K (Late 2017)
- Apple TV (Late 2015)
Previous versions of Apple TV didn't run full apps (only TV Markup Language apps made in partnership with Apple) so it's unclear if they face any risk from Meltdown or Spectre.
Patches for Safari to mitigate against Spectre are still forthcoming.
Apple Watch isn't affected by Meltdown or Spectre?
Apparently not. Apple Watch was designed to run under extremely power sensitive conditions and, as such, the S-series system-in-package inside it doesn't use the type of speculative execution architecture vulnerable to Meltdown.
How can you protect against Meltdown-based attacks?
For home users on Intel-based computers, including Macs, Meltdown can only be exploited by code running on your machine. That means someone first needs to have physical access to your computer or has to trick you into installing malware through phishing or some other form of social engineering attack.
The patches being issued by Apple and other platform-makers should mitigate even that risk over time.
How can you protect against Spectre-based attacks?
Spectre affects a wider range of devices, could well be much harder to mitigate, but also seems to be much harder to exploit.
Details are still emerging, though. So, we'll have to wait and see.
Should you worry? Is it time to panic and burn it all down?
Not just yet.
For now, stay informed and stay updated. As the patches come out both now and in the future, download and install them.
No code or architecture is perfect. There will always be bugs. There will always be flaws. Some of them will seem gobsmackingly stupid. What matters is how quickly and well vendors respond to them.
In this case, it looks like everyone is responding as quickly as possible for as many customers as possible.
More as it develops.
Originally published on January 3, 2018. Last updated January 5, 2018.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
The thing I want to know is, will Apple fix this in older MacOS/OS X versions, for those consumers who still use older hardware?
Yes, they will. They'll also include code that'll slow down said hardware to a crawl - way past the expected 5 to 30% dip - to get you to buy new stuff. They can blame it all on Intel this time.
Let's not be too hasty. Apple released the first part of their solution to Meltdown back at the end of November last year (10.13.2). Have you benchmarked before and after?
Here's my numbers from yesterday Geekbench 3.3.2
Hexacore Mac Pro (2013)
32 bit 3127 18019
64 bit 3513 20375 10.12
32 bit 3258 18240
64 bit 3571 20338 10.13.2
32 bit 3291 18569
64 bit 3529 20001 So far so good...
No they won't. If it does slow down, that is actually on Intel's part.
Apologetic nonsense. What you say is valid only if you bought an Intel boxed processor.
And you are ignoring ARM, including A-series. What defense would you offer there if you make claims against Intel?
The only thing Apple has slowed down is iPhones based on battery age. That has nothing, it's complete entirety, to do with this. If there is any slow down, it's not by Apple, so who is it?
This is the lunacy of brand fandom... Fandom puts the brand over the customer. The customer shouldn't need to care who's at fault. The purchased device is faulty. You did read that fixing these faults with the cpus "may slow processing by 30%"? Didn't you? This impacts all cpus based on Intel and ARM, including Apple's. Apple sells a lot of both, as embedded componets in devices, to customers. Yes, Apple would be accountable (to customers) for the Intel chips in Macs. Intel would then be accountable to Apple. In summary:
a) Intel didn't sell Mac customer's any chips, Apple did. Intel may be accountable to Apple, but not directly to Mac customers.
b) During that hypothetical argument between Intel and Apple, any accusations Apple applies against Intel, apply to Apple themselves for their A Series Chips.
Most consumer processors are unlikely to be effected, especially gamers. Some benchmarks are show insignificantly faster speeds. Servers, on the other hand, will likely see major slow downs. https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2 By the way, from the logic of your argument, I can tell you aren't a lawyer, at least from the US. We sue everyone involved here.
But what argument could Apple make against Intel that doesn't turn against their own ARM? It's like ******* against the wind, not a good idea. Thanks for the kudos, no I'm not a lawyer.
Apple's A chips are based on ARM designs. Apple has been making Processor for only a few years where this is a 20 year issue with Intel. I'm just saying. Not quite the same thing at all.
So, you're trusting what Intel says about a competitor's product, over what the competitor says? Everything I've seen, as well as the Security Now podcast I just finished, says AMD is not impacted. You didn't even provide the information neutrally, saying "Intel claims AMD is impacted, AMD says they're not". We won't know for a month, so why call it as fact? Intel has a *lot* of reason to lie. If Intel cloud servers suddenly lose 5-30% power vs their AMD counterparts? Hence Intel wants to spread the FUD that AMD is 100% impacted. Can we look at what the Linux Kernel devs themselves said? https://lkml.org/lkml/2017/12/27/2 "AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against."
the bug reporters say AMD is affected. did you read the blog posts from the bug reporters themselves (linked and quoted above)? "For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 ."
Linus Torvalds approved AMD's exception to the Linux KPTI patch that addresses "Meltdown" https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commi... Exploiting meltdown is relatively trivial (script kiddie level), and thus far has not been shown to work on AMD (not sure about ARM). You're possibly thinking of "Spectre", which is mucher harder to exploit, and for which there is no patch. This does indeed affect most modern CPUs, including Intel, AMD and ARM.
i think you meant to reply to bobbob1016. you're making my point :)
"While AMD initially downplayed the significance of this attack, the company has since published a microcode update to give operating systems the control they need." https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-an...
So this is officially a "flaw" while the intentional slowdown of iPhones is considered a "power management issue".
The party is done and everyone went home already. What are you still doing here?
Well done on that strawman you just created
I think you used that term wrong...
No he didn't.
Not the sharpest pencil in the box are you?
Lol. You're one to talk
Makes me all nostalgic for PowerPC.
Did you update the previous article where you said AMD was impacted by Meltdown where I clarified it wasn't? And how Intel was basically trying to game the situation and force the kernel patch to slow down AMD too so that AMD wouldn't have an advantage?
I didn't know there were AMD fanboys.
In the PC-building world there are. There's also the whole Nvidia vs AMD for GPUs as well.
From where you sit in your walled garden, how would you?
What about AppleSeed Beta Testers? Anyone know if they'll be patching those too?
Anyone know anything about using Windows 10 via Boot camp? I haven't received the security update via Windows Update even though it was released a week ago
Hi All... Is anyone able to confirm or deny if older Apple devices, specifically iPad 2's and iPhone 5C are vulnerable to Meltdown and Spectre? I work at a school where some faculty members have older units and are stuck at iOS 10.3.3. They are worried that they aren't going to be able to patch against this. Is there just not a patch available for it yet? Does 10.3.3 contain the patch?
I haven't read anything about specific chips, but the flaw is reportedly around ten years old. That includes for ARM which is the basic of Apples A# chips. That said, there is no known weaponization of the exploit. They should be OK for the moment, but there are other wholes in the armor. https://www.imore.com/krack-wpa2-wi-fi-exploit-already-fixed-ios-macos-t...
It is getting more complex by the day. It seems Microsoft has started shutting down older unpatched versions of Anti-virus software, silently because of conflicts from that AV software. So the owner of the computer might not know they lost protection because they haven't been keeping up to date on their Virus software. (Not a lot of sympathy for that here.) There are many, many more issues involved from what I'm reading. And a lot of finger pointing about who is doing good work and who is not. And who is to blame, and how fast the exploits may arrive. Most say not any time soon. There are still way easier exploits out there and these are very difficult to implement. But that chance of it happening increases as time passes and adequate solutions are not put into place. Good luck watching the Keystone Cops shoot each other in the foot as they flail about coming up with workable solutions that don't do something nearly as bad, or worse, than what they claim to be protecting us from.
It's not strange that people are wondering if the fix is crippling old iphones. That's what happens when a company destroys its own credibility.
What's the current status of 10.12.x Sierra as of 01-20-2018? Looks like only an update to Safari so far, but no other protection of the OS?