December Apple updates fixed 'Meltdown' & 'Spectre' vulnerabilities on older Macs [u]

Updates released in early December should already have dealt with "Meltdown" and "Spectre" vulnerabilities on older Intel Macs, according to Apple's release notes — but a late Friday retraction of the claim has cast some doubt on the situation.

Fixes for several Intel-related flaws were included in Security Update 2017-002 for Sierra, and Security Update 2017-005 for El Capitan. Apple yesterday confirmed that "mitigations" against Meltdown were implemented in macOS 10.13.2, iOS 11.2, and tvOS 11.2. watchOS is immune to the flaw.

Spectre remains a concern in Apple's Mac and iOS Web browser, Safari. That should be patched within the next few days, possibly even later on Friday.

The company is also developing broader fixes for iOS, macOS, tvOS, and watchOS, but it's unclear when those will be released to the public.

Both Meltdown and Spectre exploit a feature in Intel and ARM processors called "speculative execution," which calculates multiple instruction branches simultaneously, predicting which one is most likely to be used. On unpatched devices, the vulnerabilities can be used to access restricted memory spaces such as kernel memory.

While some reports have claimed that fixes can slow down processors, Apple said its own testing has shown little if any impact.

Update: On Friday afternoon, Apple removed the section of the support document detailing the "Meltdown" patch for Sierra and El Capitan. AppleInsider has conflicting information on this from inside Apple, with some claiming that the security patch didn't have the Meltdown fix, and others claiming that the documentation withdrawal was performed in error.

At present, the security document states that there is no patch for Meltdown in Sierra and El Capitan, and AppleInsider suggests that device administrators proceed assuming that there is no protection from the attack at this time on machines with older operating systems. We will update this post accordingly should we get more information on the topic.



15 Comments

Peerke 6 Years · 4 comments

Call me a noob, but it looks like the specific Meltdown issue ID, CVE-2017-5754, is only mentioned in the release notes of the Apple security update for High Sierra, not Sierra or El Capitan?

macplusplus 9 Years · 2116 comments

Peerke said:
Call me a noob, but it looks like the specific Meltdown issue ID, CVE-2017-5754, is only mentioned in the release notes of the Apple security update for High Sierra, not Sierra or El Capitan?
It is available for Sierra and El Capitan:
https://support.apple.com/en-us/HT208331

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read kernel memory

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

Edit:

Oops, apparently the link I clicked in the article refers to an old version of that note. The latest version does indeed mention only High Sierra. Entry added January 4, updated January 5.

techno 20 Years · 737 comments

Please clear this up for me. Every report I see on the news is that the Spectre vulnerability is a hardware issue that can only be fixed by replacement. How could Apple patch this by an update?

macplusplus 9 Years · 2116 comments

techno said:
Please clear this up for me. Every report I see on the news is that the Spectre vulnerability is a hardware issue that can only be fixed by replacement. How could Apple patch this by an update?

The news is wrong.

Peerke 6 Years · 4 comments

Peerke said:
Call me a noob, but it looks like the specific Meltdown issue ID, CVE-2017-5754, is only mentioned in the release notes of the Apple security update for High Sierra, not Sierra or El Capitan?
It is available for Sierra and El Capitan:
https://support.apple.com/en-us/HT208331

Kernel

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: An application may be able to read kernel memory

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

If I follow your link, I get this:

Kernel

Available for: macOS High Sierra 10.13.1

Impact: An application may be able to read kernel memory

Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

Entry updated January 5, 2018


No Sierra, no El Capitan mentioned.