Security researchers at Google Project Zero recently discovered Meltdown and Spectre, described as the 'worst' CPU bugs. The security flaws affect virtually all modern computing devices, including all Apple iPhones, iPads and Mac computers. Apple said, "All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time." The company has advised its customers to download apps and software only from trusted sources, such as its iOS and Mac app stores, in order to prevent attackers from taking advantage of the processor vulnerabilities.
Meltdown is currently thought to primarily affect all Intel processors manufactured since 1995, excluding Itanium and Atom processors manufactured before 2013. The flaw enables a user process to read kernel memory, bypassing the hardware barrier and thereby accessing the secrets of other programs and the operating system. Spectre, by contrast, affects most modern processors manufactured by Intel, AMD and ARM, and tricks applications into giving up secret information.
Although Intel and ARM said that the issue has nothing to do with a design flaw, users will still need to download a patch and update their OS to fix the problem. Although the security flaws can be fixed, Google and security researchers say that it is hard to know whether attackers have already exploited Meltdown and Spectre, and that such intrusions will be very difficult to detect, since the attack leaves no traces in the log files. In addition, early reports suggest that the fix requires separating kernel memory completely from user processes, which is likely to slow down the machine. Intel, however, disputed that the fix will slow down computers, saying, “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
The support document from Apple also says that the company has already released mitigations in iOS 11.2, macOS 10.13.2 and tvOS 11.2 to defend against Meltdown. The vulnerability does not affect Apple Watch. The company is also planning to release mitigations in Safari to defend against Spectre. The document says, “Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.” Customers of Apple products are requested to update their devices to the latest software, if they haven’t already.
Meltdown and Spectre were discovered back in June and July 2017
The security flaws Meltdown and Spectre were reported in June. Google said that it had already informed the affected companies about Spectre in June and Meltdown in July. While both Google and Intel had been planning to release details of the flaws by 9th January, early reports that surfaced on the internet forced the companies to announce the flaws sooner.