Apple will release software updates for Specter vulnerability soon
Apple has released its statement about the Meltdown and Specter vulnerabilities online. The company confirms that all Mac and iOS devices are affected and says it has already taken measures against Meltdown in its operating systems. Updates against Specter will follow soon.
According to Apple, no exploits have yet appeared that use Meltdown or Specter in attacks on Mac or iOS systems. Exploits would often require a malicious app for users to install, so Apple recommends installing software only from trusted sources such as the App Store.
Apple has patched Meltdown with iOS 11.2, macOS 10.13.2, and tvOS 11.2, updates released in December. The Apple Watch has not been affected by Meltdown. Meltdown mainly affects Intel processors, but there is a chance that the techniques can also be used for processor architectures from other manufacturers. In any case, according to Apple, there is no measurable performance drop in macOS and iOS due to the updates.
According to Apple, Specter is “extremely difficult” to exploit, even through malicious apps running locally. Specter affects Intel and AMD processors as well as ARM chips and is more difficult to patch. There is a possibility that attacks can be carried out on sites via Javascript. In the coming days, Apple will therefore release updates for Safari to counter this. With the benchmarks Speedometer and ARES-6, Apple sees no impact on performance, with JetStream the performance drops by up to 2.5 percent. Later updates to iOS, macOS, tvOS and watchOS should bring further patches against Specter.
Apple is one of many companies educating customers about the impact of Meltdown and Specter. The chip companies Intel, AMD and ARM do the same, as does Microsoft with regard to Azure, Amazon and Google.
Since the vulnerabilities can potentially be exploited via Javascript, browser makers have to make updates. Mozilla reports to have implemented first measures with Firefox 57.0.4. Google is taking measures in Chrome 64, which should be released on January 23. In the meantime, Chrome users can enable site isolation. Microsoft has updated Edge and Internet Explorer 11 as part of Windows security update KB4056890.