Apple Admits Spectre And Meltdown Affect All macOS And iOS Devices
Alphabet’s Google, along with a few other security researchers, published a document chronicling two major flaws found in nearly all modern CPUs. These flaws are much more complex than the usual software or hardware bugs because they are more than just bugs that can be fixed with an update. They lie in the middle, at the level of the processors’ “architectures,” in the way all the millions of transistors and logic units work together to carry out tasks.
In the architecture of modern CPUs, there are impenetrable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.
Meltdown affects Intel processors and works by penetrating through the barrier that prevents applications from accessing arbitrary locations in kernel memory. Spectre affects Intel, AMD, and ARM processors, which basically means that it affects anything with a chip in it, from mobile phones to thermostats.
In response to this revelation, Apple has conceded that its devices are not immune to the security flaws. In a statement, the company announced that all its macOS and iOS devices are affected, but mitigations are either already in place or in the final stages of being rolled out. Apple has stated that it has already dealt with Meltdown:
Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation.
This is what the company had to say about Spectre:
Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser.
Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.
In a nutshell, this means that while Meltdown is no longer a threat, Spectre remains the only major flaw that can be exploited, and Apple will soon release a fix for it.