Mac Patches For Spectre And Meltdown El Capitan

Posted on by admin

Jan 23, 2018 As outlined in Apple's security support document, Security Update 2018-001 available for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6 offers several mitigations for both Meltdown and Spectre.

MacBook Running OS X El Capitan

Text Size

Apple took additional steps this week to protect Mac users from Meltdown and Spectre, two recently disclosed and serious security vulnerabilities.

On Tuesday, alongside the rollout of macOS High Sierra 10.13.3, Apple released two new security updates for older versions of the Mac operating system.

Security Update 2018-001, as the patch is called, mitigates the dangers of Meltdown and Spectre. It also introduces fixes for several other security issues, according to Apple’s support document.

  • Security Update 2018-001 is available for macOS Sierra 10.12.6 and even OS X El Capitan 10.11.6.
  • If you’re running one of these older Mac operating systems, it’s recommended that you update as soon as you can.
Capitan

Since the existence of the Meltdown and Spectre vulnerabilities became known to the public, Apple has been working to mitigate the flaws on its end. It introduced a patch for both flaws in macOS High Sierra 10.13.2, but Mac computers running older versions of Apple’s operating systems were left unprotected — until now, at least.

It’s worth noting that, while some support document text implied that macOS Sierra and OS X El Capitan had already been patched, Apple later retracted those statements. It seems that the security update released today is actually the first mitigation patch for either of those older operating systems.

To download and install the security update, open the App Store app on your Mac, click on Updates in the toolbar, and click the Update button next to the appropriate software update. Alternatively, you can click the Update All button.

Spectre & Meltdown

Spectre and Meltdown are both hardware-side vulnerabilities that affect basically all computers with modern processors. Apple later disclosed that the exploits did impact Mac computers and iOS devices, but noted that iOS and maCOS had been patched by the time news of the vulnerabilities reach the public.

For Spectre, which is an exploit that can be deployed through JavaScript in a web browser, Apple also introduced a fix for Safari in iOS 11.2.2 and macOS 10.13.2 Supplemental Update.

Both vulnerabilities take advantage of the so-called “speculative execution mechanism” in processors. Since the flaw is hardware-based, OS and component
makers must implement software fixes.

Mac Patches For Spectre And Meltdown El Capitan 2

Performance Issues

Because the exploits take advantage of design decisions meant to make CPUs faster, it’s worth noting that introducing fixes for Meltdown and could slow down a computer.

On the other hand, Apple has insisted that its Meltdown fix has no measurable performance impact, according to its own benchmark testing. So, thankfully, while Windows PC computers with Intel processors have been negatively affected by the Meltdown patch, Apple’s machines seem to be in the clear.

Similarly, the Spectre patch for Safari seems to have had little to no impact on the web browser’s performance across operating systems.

iOS device owners, on the other hand, may not be so lucky. Since the release of iOS 11.2.2, benchmark testing seems to indicate that some iPhones may take as much as a 40 percent hit to their performance due to the security patch.

Read Next:Apple Highlights 6 New Features Coming to iOS 11.3

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at the time of this writing. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Security updates for macOS Sierra and OS X El Capitan also include mitigations for Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre.

We continue to develop and test further mitigations for these issues.

Background

The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.

What Is Spectre And Meltdown

The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.

Meltdown

Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or 'rogue data cache load.' The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and also in Security Update 2018-001 for macOS Sierra and Security Update 2018-001 for OS X El Capitan. watchOS did not require mitigation.

Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Spectre

Spectre is a name covering multiple different exploitation techniques, including—at the time of this writing—CVE-2017-5753 or 'bounds check bypass,' and CVE-2017-5715 or 'branch target injection,' and CVE-2018-3639 or “speculative bounds bypass.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.

Mac Patches For Spectre And Meltdown El Capitan 10

Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. On January 8th Apple released updates for Safari on macOS and iOS to mitigate such timing-based techniques. Testing performed when the Safari mitigations were released indicated that the mitigations had no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques. watchOS is unaffected by Spectre.