wnol.info January 22 2018


All Macs, iOS devices affected by chip security flaws - Apple warns

January 22 2018, 12:38 | Guillermo Bowen

Hardware fixes are by nature much slower and more difficult than software fixes. tcareob72/Thinkstock

Hardware fixes are by nature much slower and more difficult than software fixes. tcareob72/Thinkstock

"All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time", the firm said in the statement. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.

The company said in an online support document that it has recently added security protections to MacOS and iOS created to prevent one series of attacks, known as Meltdown, and is working to update Safari to prevent against another type of attack, dubbed Spectre.

Meltdown does not affect the Apple Watch, it said, as the bug was an issue with Intel processors which are not contained in that device.

Spectre is an exploit that breaks the isolation between different applications on chips from Intel, AMD and ARM, and potentially allows hackers to "trick" error-free programmes that normally follow best practices into "leaking" their secrets. In a new support document, Apple says that "all Mac systems and iOS devices are affected" by the vulnerability, but that there are no known exploits impacting customers right now... In the case of Meltdown, Apple says it released mitigations for the exploit in the iOS 11.2, macOS 10.13.2 and tvOS 11.2 updates.

Apple said it would issue a patch to its Safari web browser for those devices 'in the coming days'. The company says that is "has developed and is rapidly issuing updates for all types of Intel-based computer systems", but it is not clear when - or whether - older devices will be treated to patches. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS. He tells Sydell that the problem is found on millions of computers, as well as smartphones and cloud storage provided by companies such as Google, Amazon Web Services, Apple and Microsoft.

Here's the issue: Modern processors are created to perform something called "speculative execution" to enhance performance. And because of a flaw in CPU design, user space, a.k.a. regular programs, can access supposedly protected kernel space memory in order to inject malicious code that the CPU will unwittingly execute in advance.

The circumstances that could lead to using the Spectre vulnerability might be a bit more hard to achieve but can still be done using Javascript running on a web browser.



Other news