Update: After being silent on the issue for over 24 hours, Apple finally acknowledged that Macs, iPads and iPhones are all vulnerable to Meltdown and Spectre. The company said in an online support document that it has recently added security protections to macOS and iOS designed to prevent any issues emerging from Meltdown, and is working to update Safari to protect against another type of attack, dubbed Spectre. The Apple Watch is not affected, it said.
Apple said there are no known exploits for the vulnerabilities and that the iOS and macOS updates “resulted in no measurable reduction in the performance of macOS and iOS”. There had been concerns that security patches dealing with Meltdown and Spectre would lead to severe performance degradation.
The current updates to macOS and iOS protect against Meltdown, but Apple said it will look to incorporate better protections against Spectre-type attacks in future updates to those operating systems.
Earlier: Researchers have discovered three flaws in the design of every modern processor that could put millions of computing devices at the mercy of hackers.
The first flaw is named ‘Meltdown’, and the very similar second and third ones are called ‘Spectre’. Those names sound alarming but are appropriate, as the flaws affect, to differing degrees, every processor made by Intel, AMD and ARM. Since this is a hardware bug, everything running on affected processors is vulnerable, including every major OS (Windows, Linux, and macOS), some mobile devices, and cloud computing providers.
Meltdown was independently discovered by three groups—researchers from the Technical University of Graz in Austria, German security firm Cerberus Security, and Google’s Project Zero. Spectre was discovered by Project Zero’s Jann Horn and independent researcher Paul Kocher.
Google’s Project Zero team said on Wednesday that the flaw could allow bad actors to gather passwords and other sensitive data from a system’s memory.
“The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc,” said the company in a blog post.
“There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks. We will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.”
How does this work?
The research teams identified a flaw with the speculative execution technique used by modern processors to improve performance. When a processor uses speculative execution, instead of performing the tasks in a sequential order, it predicts which calculations it might need to do subsequently. It then solves them in advance and in a parallel fashion. The result is a much faster process.
But there’s a major flaw in the way modern processors use speculative execution—they don’t check permissions correctly and leak information about speculative commands that don’t end up being run. Bad idea.
As a result, user programs may be able to steal glimpses of protected parts of kernel memory. That is the memory dedicated to the most critical core components of an operating system and system hardware, and it’s supposed to be shielded from user processes at all times to prevent such a malicious game of peek-a-boo. Everything from passwords to stored files could be compromised as a result.
“One of the most basic premises of computer security is isolation: If you run somebody else’s sketchy code as an untrusted process on your machine, you should restrict it to its own tightly sealed playpen. Otherwise, it might peer into other processes or snoop around the computer as a whole. So when a security flaw in computers’ most deep-seated hardware puts a crack in those walls, as one newly discovered vulnerability in millions of processors has done, it breaks some of the most fundamental protections computers promise—and sends practically the entire industry scrambling.” – Wired Magazine, on Meltdown and Spectre
A release by the Graz University of Technology goes into a little more detail about the specific flaws:
- “Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”
- “Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”
How are companies responding?
Operating systems (Windows, macOS and Linux) have pushed out security patches to deal with some of these issues. If you are an “auto-updates on” kind of person, you have likely done all you can at the moment.
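On Linux, one way to confirm that the patches are actually active is to read the per-issue status lines the kernel publishes. The script below is an added example, not part of the original article; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the sample status lines in it are constructed.

```python
from pathlib import Path

# Patched Linux kernels publish one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample status lines (not captured from a real machine).
SAMPLES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers",
    "spectre_v2": "Vulnerable",
}

def classify(status):
    """Reduce one kernel status line to a single verdict string."""
    if status is None:
        return "unknown"  # no status file: the kernel does not report this issue
    text = status.strip().lower()
    if text.startswith("not affected"):
        return "not_affected"
    if text.startswith("vulnerable"):
        return "vulnerable"
    if text.startswith("mitigation"):
        # A mitigation line can list sub-features that are still exposed.
        return "partial" if "vulnerable" in text else "mitigated"
    return "unknown"

def report(base_dir=SYSFS_DIR):
    """Return {issue: (verdict, raw_status_or_None)} for all three issues."""
    result = {}
    for issue in ISSUES:
        try:
            raw = (Path(base_dir) / issue).read_text().strip()
        except OSError:
            raw = None
        result[issue] = (classify(raw), raw)
    return result

def needs_attention(rep):
    """List the issues that are neither mitigated nor reported as not affected."""
    return sorted(issue for issue, (verdict, _) in rep.items()
                  if verdict not in ("mitigated", "not_affected"))

if __name__ == "__main__":
    # Fall back to the constructed samples when not running on such a kernel.
    rep = report() if SYSFS_DIR.is_dir() else {
        k: (classify(v), v) for k, v in SAMPLES.items()}
    for issue, (verdict, raw) in rep.items():
        print(f"{issue:11} {verdict:13} {raw or '(no status file)'}")
    print("needs attention:", needs_attention(rep) or "none")
```

Each issue is reported separately because, as the Google post quoted above says, there is no single fix for all three variants.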
“Microsoft is updating Windows 10 today with a special fix for the issue and also making available updates for Windows 7 and Windows 8,” says a report on Axios.
In a blog post, Google disclosed what product actions it is taking with regard to Android, Chrome OS and the Google Cloud. It said other products, such as Chromecast and Google Home, aren’t affected.
Apple hasn’t publicly spoken about the issue, but a security researcher has suggested that Apple may have provided a preliminary fix with its December OS updates.