Fairy Meltdown Mac OS



On January 23, 2018, Apple released a third set of updates for macOS that backported previous Meltdown patches to older versions of the macOS operating system.

AirPods are great, but they don't work quite as smoothly with Macs as they do iPhones. You can't tell at a glance whether audio will play from the AirPods or your Mac's built-in speaker, you have to dig into a Bluetooth submenu to connect, and then you have to go back to the menu to see when the AirPods are ready for use.

  1. What is Meltdown? Meltdown is the nickname for one of two major categories of exploits at this time. It may also be referred to as the 'rogue data cache load' technique, or CVE-2017-5754. Successful exploitation could allow an attacker's code running in a user-privileged app to read kernel (superuser-privileged) memory.
  2. The last version of OS X officially supported by Apple on the original 2006 Mac Pro MA356LL/A (MacPro1,1), 2007 Mac Pro (8-core) MA1186/A (MacPro2,1) and Xserve (Late 2006) MA409LL/A (Xserve1,1) models was OS X 10.7 Lion, and then only when booted with a 32-bit kernel due to their EFI32 firmware.
  3. Warning #2: If you find that a computer is susceptible to the Meltdown bug, you may want to avoid using it as a multi-user system. Meltdown breaches the CPU's memory protection. On a machine that is susceptible to the Meltdown bug, one process can read all pages used by other processes or by the kernel.

Apple first patched the Meltdown flaw (CVE-2017-5754) on December 6, 2017, with the release of iOS 11.2, macOS 10.13.2, and tvOS 11.2.

The company then patched the Spectre flaws (CVE-2017-5753 and CVE-2017-5715) in a separate security update released on January 8, 2018, for macOS High Sierra 10.13.2, iOS 11.2.2, and Safari 11.0.2.

Yesterday, Apple's security team released supplemental security updates for older macOS versions: macOS Sierra 10.12.6 and OS X El Capitan 10.11.6.

These updates backported the company's Meltdown patch, originally released in December 2017.

Many users have criticized Apple for releasing Meltdown and Spectre patches only for recent OS versions. The criticism came from the fact that users had to update the entire OS to receive a critical security fix. In some cases, updating the OS was not an option, meaning many users were left running an insecure OS.

While Apple's security team is mum on such issues, many experts now expect the company to backport the Spectre patches to older macOS versions in a future update as well, and perhaps to older iOS versions too.

Besides the backported Meltdown patches, the macOS security updates also include a fix for a zero-day released at the end of last year by a security researcher known as Siguza.

Apple also released security fixes for other products. Please refer to the table below for more details.

| Name and information link | Available for | Number of vulnerabilities | Release date |
|---|---|---|---|
| iTunes 12.7.3 for Windows | Windows 7 and later | 2 | 23 Jan 2018 |
| iCloud for Windows 7.3 | Windows 7 and later | 2 | 23 Jan 2018 |
| Safari 11.0.3 | OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.3 | 3 | 23 Jan 2018 |
| watchOS 4.2.2 | All Apple Watch models | 12 | 23 Jan 2018 |
| iOS 11.2.5 | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | 13 | 23 Jan 2018 |
| macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan | macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6 | 17 | 23 Jan 2018 |
| tvOS 11.2.5 | Apple TV 4K and Apple TV (4th generation) | 12 | 23 Jan 2018 |


Questions & Answers

Am I affected by the vulnerability?

Most certainly, yes.

Can I detect if someone has exploited Meltdown or Spectre against me?

Probably not. The exploitation does not leave any traces in traditional log files.

Can my antivirus detect or block this attack?

While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

What can be leaked?

If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Has Meltdown or Spectre been abused in the wild?

We don't know.

Is there a workaround/fix?

There are patches against Meltdown for Linux (KPTI, formerly KAISER), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, and to patch software after exploitation through Spectre (LLVM patch, MSVC, ARM speculation barrier header).
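To confirm on a Linux host that the kernel-side fixes named above are actually active, the following added example (not part of the original page) reads the status the kernel reports for each of the three CVEs. It assumes a kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` sysfs directory, which the page does not mention; the function names are illustrative, and the check does not apply to macOS or Windows.

```python
"""Report kernel-side Meltdown/Spectre mitigation status on a Linux host."""
from pathlib import Path

# Assumption: the kernel exposes per-vulnerability status files here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE identifiers from this page mapped to the kernel's status file names.
CVE_FILES = {
    "CVE-2017-5754": "meltdown",
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
}


def classify(raw):
    """Reduce the kernel's one-line status string to a coarse verdict."""
    text = raw.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(base=SYSFS_DIR):
    """Return {cve: (verdict, raw_status)} for the three CVEs."""
    report = {}
    for cve, name in CVE_FILES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            # File absent: the kernel predates the reporting interface, so
            # the mitigation state cannot be confirmed from sysfs.
            report[cve] = ("unknown", "")
            continue
        report[cve] = (classify(raw), raw)
    return report


def needs_attention(report):
    """CVEs whose status is neither mitigated nor not affected."""
    return sorted(cve for cve, (verdict, _) in report.items()
                  if verdict not in ("mitigated", "not_affected"))


if __name__ == "__main__":
    result = audit()
    for cve, (verdict, raw) in result.items():
        print(f"{cve}: {verdict} ({raw or 'no sysfs entry'})")
    print("needs attention:", needs_attention(result) or "none")
```

An `unknown` verdict means the status could not be read, not that the host is safe; treat it the same as `vulnerable` when prioritising kernel updates.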

Which systems are affected by Meltdown?


Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.

Which systems are affected by Spectre?

Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

Which cloud providers are affected by Meltdown?

Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.

What is the difference between Meltdown and Spectre?

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).

Why is it called Meltdown?

The vulnerability basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

Is there more technical information about Meltdown and Spectre?

Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.

What are CVE-2017-5753 and CVE-2017-5715?

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is CVE-2017-5754?

CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

Can I see Meltdown in action?



Can I use the logo?

Both the Meltdown and Spectre logos are free to use, rights waived via CC0. The logos were designed by Natascha Eibl.

| | Logo | Logo with text | Code illustration |
|---|---|---|---|
| Meltdown | PNG / SVG | PNG / SVG | PNG / SVG |
| Spectre | PNG / SVG | PNG / SVG | PNG / SVG |

Is there a proof-of-concept code?

Yes, there is a GitHub repository containing test code for Meltdown.

Where can I find official information/security advisories of involved/affected companies?

Link
Intel Security Advisory / Newsroom / Whitepaper
ARM Security Update
AMD Security Information
RISC-V Blog
NVIDIA Security Bulletin / Product Security
Microsoft Security Guidance / Information regarding anti-virus software / Azure Blog / Windows (Client) / Windows (Server)
Amazon Security Bulletin
Google Project Zero Blog / Need to know
Android Security Bulletin
Apple Apple Support
Lenovo Security Advisory
IBM Blog
Dell Knowledge Base / Knowledge Base (Server)
Hewlett Packard Enterprise Vulnerability Alert
HP Inc. Security Bulletin
Huawei Security Notice
Synology Security Advisory
Cisco Security Advisory
F5 Security Advisory
Mozilla Security Blog
Red Hat Vulnerability Response / Performance Impacts
Debian Security Tracker
Ubuntu Knowledge Base
SUSE Vulnerability Response
Fedora Kernel update
Qubes Announcement
Fortinet Advisory
NetApp Advisory
LLVM Spectre (Variant #2) Patch / Review __builtin_load_no_speculate / Review llvm.nospeculateload
CERT Vulnerability Note
MITRE CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
VMWare Security Advisory / Blog
Citrix Security Bulletin / Security Bulletin (XenServer)
Xen Security Advisory (XSA-254) / FAQ




