'Meltdown' and 'Spectre' FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw
"Meltdown" is a flaw currently believed to affect only Intel processors and "melts security boundaries which are normally enforced by the hardware". "Spectre" is a flaw that affects Intel, AMD, and ARM processors due to the way "speculative execution" is handled.
Both could theoretically be used to read information from a computer's memory, including private information like passwords, photos, messages, and more.
Apple has apparently already started patching Meltdown in macOS. Here's what you need to know.
January 22, 2018: Apple's Mac not affected by Intel's issues with Spectre microcode patches
Intel has identified an issue that affected Broadwell and Haswell processors that had been updated with Intel's microcode patches to mitigate against the Spectre exploit.
Apple didn't rush to apply Intel's microcode patches but, thus far, has provided patches for WebKit and Safari to prevent potential JavaScript-based Spectre exploits instead.
For those interested, or potentially affected through other products, here's what Intel had to say:
As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.
Based on this, we are updating our guidance for customers and partners:
- We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
- We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
- We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.
I apologize for any disruption this change in guidance may cause. The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.
I will keep you updated as we learn more and thank you for your patience.
January 15, 2018: No, iOS 11.2.2's Spectre patch isn't crippling older iPhones. Sigh.
A strange story began gaining traction over the weekend. It was based on a set of comparative CPU benchmarks for an iPhone before and after the iOS 11.2.2 update, posted to the internet, that appeared to show significant additional slowdown post-update. And the blame for the slowdown was placed squarely on iOS 11.2.2's Spectre mitigation.
Which should have set off alarm bells for anyone covering the story because iOS 11.2.2 patches Spectre not at the OS level but at the browser level.
From Apple:
So, the effects of any Spectre mitigations wouldn't manifest in direct CPU benchmarks at all.
What happened? John Poole, the developer of the Geekbench benchmark tool, has the answer:
Regarding the "story" of iOS 11.2.2 #Spectre mitigations further slowing down older iPhones. (Spoiler: Looks like bad testing coupled with careless reporting.) https://t.co/sj4nQaOmsB — Rene Ritchie (@reneritchie) January 15, 2018
Meltdown and Spectre are some of the biggest issues the industry has ever faced. It's natural for people to be confused and unfortunately typical for publishers to rush for headlines.
But we owe it to ourselves and our audiences, be they social or traditional, to take a breath, take our time, and get this stuff right.
January 8, 2018:
Apple today pushed out iOS 11.2.2 for iOS and a supplemental update to macOS 10.13.2. These add the first in what may be a series of updates to help protect the Safari web browser from Spectre-based attacks.
From Apple:
Also from Apple:
There were also updates for Safari 11.0.2 for macOS 10.12 Sierra and OS X 10.11 El Capitan.
Following the updates, WebKit, the open-source engine behind Safari, has shared what Meltdown and Spectre mean for its technology stack.
From WebKit.org:
To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim's processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user's processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit's security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.
- WebKit relies on branch instructions to enforce what untrusted JavaScript and WebAssembly code can do. Spectre means that an attacker can control branches, so branches alone are no longer adequate for enforcing security properties.
- Meltdown means that userland code, such as JavaScript running in a web browser, can read kernel memory. Not all CPUs are affected by Meltdown and Meltdown is being mitigated by operating system changes. Mounting a Meltdown attack via JavaScript running in WebKit requires first bypassing branch-based security checks, like in the case of a Spectre attack. Therefore, Spectre mitigations that fix the branch problem also prevent an attacker from using WebKit as the starting point for Meltdown.
This document explains how Spectre and Meltdown affect existing WebKit security mechanisms and what short-term and long-term fixes WebKit is deploying to provide protection against this new class of attacks. The first of these mitigations shipped on Jan 8, 2018:
- iOS 11.2.2.
- High Sierra 10.13.2 Supplemental Update. This reuses the 10.13.2 version number. You can check if your Safari and WebKit are patched by verifying the full version number in About Safari. The version number should be either 13604.4.7.1.6 or 13604.4.7.10.6.
- Safari 11.0.2 for El Capitan and Sierra. This reuses the 11.0.2 version number. Patched versions are 11604.4.7.1.6 (El Capitan) and 12604.4.7.1.6 (Sierra).
Again, these are just the first in what may be a series of WebKit and Safari-based updates to protect against Spectre-based exploits.
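For anyone checking more than one Mac, the About Safari version check described above can be scripted. This is an added example, not code from Apple or WebKit; the function names are made up for illustration, and it assumes Safari sits at its default path and that a higher build with the same leading number also carries the fix.

```shell
#!/bin/sh
# Added example, not from Apple or WebKit: classify a Safari build string
# against the patched builds listed in the WebKit.org text above.

# Minimum patched build per OS line, copied from the page:
# 11604 = El Capitan, 12604 = Sierra, 13604 = High Sierra.
PATCHED_BUILDS="11604.4.7.1.6 12604.4.7.1.6 13604.4.7.1.6"

# version_ge A B: succeed if dotted version A >= B, comparing each
# component numerically (so 7.10 > 7.1); missing components count as 0.
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# safari_patch_status BUILD: print patched, unpatched, unknown or invalid.
# Assumption: a higher build in the same line also carries the fix.
safari_patch_status() {
    _v=$1
    case $_v in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 2 ;;
    esac
    for _min in $PATCHED_BUILDS; do
        if [ "${_v%%.*}" = "${_min%%.*}" ]; then
            if version_ge "$_v" "$_min"; then echo patched; return 0; fi
            echo unpatched; return 1
        fi
    done
    echo unknown; return 3   # build line not covered by the page's list
}

# On a Mac, read the build shown in About Safari from the app bundle.
# Assumption: Safari is installed at its default path.
PLIST=/Applications/Safari.app/Contents/Info.plist
if [ -f "$PLIST" ] && [ -x /usr/libexec/PlistBuddy ]; then
    build=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "$PLIST")
    echo "Safari build $build: $(safari_patch_status "$build")"
fi
```

A result of "unknown" means the build's leading number is not one of the three in the list above, so the list cannot say either way.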
January 5, 2018: Apple corrects security bulletin, removes Sierra and El Capitan from update list
Yesterday, Apple updated its software patch bulletin to include High Sierra, Sierra, and El Capitan in the list of macOS / OS X versions patched to mitigate against Meltdown. Today, Apple updated again to remove Sierra and El Capitan.
So, only macOS High Sierra has been patched against Meltdown to date. Hopefully, patches for Sierra and El Capitan will be pushed asap.
January 4, 2018: Apple and Intel update on Meltdown and Spectre
Apple has posted a knowledge base article detailing both the updates the company has already pushed out to address Meltdown on macOS, iOS, and tvOS (watchOS is not affected), and its plans to push further updates to protect Safari from Spectre.
From Apple:
According to Apple Support, Meltdown was patched for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6.
Update: Apple has updated the support page to correct the previous version and reflect that only macOS High Sierra has currently been patched. Hopefully, we'll still see the updates for Sierra and El Capitan soon as well.
In terms of what, if any, performance hits the updates may cause, the news is good:
And:
Intel has also released a follow up statement:
"Immune" is pretty strong language. Let's hope Intel is using it out of confidence and not bravado.
Why is this all so confusing?
Good question! We're dealing with a couple of exploits across several flaws. Chipset vendors like Intel, AMD, and ARM, and platform-makers including Apple, Microsoft, and the Linux Foundation, were apparently working under a mutually agreed-upon embargo originally set to drop the week of January 8, 2018.
Updates made to Linux, however, were spotted and eventually picked up by The Register the week of January 1, 2018. A full week early.
Because it contained only partial information it led to a lot of uncertainty and speculation.
So, what are Meltdown and Spectre exactly?
Meltdown and Spectre are flaws in most modern central processing units (CPU) that allow speculative references to probe privileged data.
From Google:
Project Zero has more information on the flaws.
Who discovered Meltdown and Spectre?
According to the information pages on Meltdown and Spectre:
Meltdown was independently discovered and reported by three teams:
- Jann Horn (Google Project Zero),
- Werner Haas, Thomas Prescher (Cyberus Technology),
- Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)
Spectre was independently discovered and reported by two people:
- Jann Horn (Google Project Zero) and Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)
How are Intel processors affected by Meltdown?
Meltdown likely affects every Intel chipset that implements out-of-order execution. That includes the x86 and x64 chips found in most personal computers and many servers going back to 1995. It also includes Itanium and Atom chips going back to 2013.
The early focus on Intel in the media likely prompted the company to get its statement out first, ahead of everyone else:
Because the phrasing wasn't specific as to which exploit affected which vendor, it added to some of the confusion.
Intel has since issued a new statement, claiming that patches have rendered its processors "immune" to Meltdown and Spectre.
From Intel:
That's an incredibly bold statement. Hopefully, Intel was completely certain before issuing it.
The Mac uses Intel processors — how is the Mac affected by Meltdown and Spectre?
Apple has used x86/x64 processors since switching the Mac to Intel in 2006. That means every modern Mac is affected by Meltdown and Spectre. The good news is that Apple patched against Meltdown back in December of 2017.
From Apple:
Apple Support briefly listed patches for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6, but those were removed the next day and only High Sierra is currently listed.
Which versions of macOS / OS X have been patched against Meltdown and Spectre:
- macOS High Sierra: Patched against Meltdown in 10.13.2
That means software patches are now available for Macs going back to:
- iMac (Late 2009 & later)
- MacBook Air (2010 or newer)
- MacBook (Late 2009 or newer)
- Mac mini (2010 or newer)
- MacBook Pro (2010 or newer)
- Mac Pro (2010 or newer)
Patches for Safari to address Spectre are still forthcoming.
How is Meltdown being patched?
Because Meltdown can't be patched in hardware, operating system makers are patching it in software. The patches are variations of KAISER — kernel address isolation to have side-channels efficiently removed.
From LWN:
Basically, instead of letting everything mingle together for speed, KAISER separates it out for security.
So, the patch is what causes a performance hit?
Correct. From the same explanation on LWN:
Is AMD affected as well — reports seem to disagree?
AMD doesn't appear to be affected by Meltdown but does seem to be affected by Spectre, which has caused some confusion. AMD also seems to think Spectre isn't a real-world risk.
An AMD engineer, before the embargo lifted, claimed AMD wasn't affected.
AMD also told Fortune the risk was "near zero":
Whether AMD is referring to Meltdown exclusively or Spectre as well is... unclear.
Apple currently doesn't use CPUs made by AMD in any of its products, only GPUs, so, regardless of how this part shakes out, it won't have any effect on Mac users.
What about ARM? Apple uses ARM chips in iPhone, iPad, and Apple TV, right?
Right. Apple originally licensed ARM designs. Starting with iPhone 5s, Apple switched to licensing the ARM v8 instruction set so the company could make its own, custom designs.
Unlike AMD, it looks like ARM might be affected by both Meltdown and Spectre.
Ryan Smith, writing for AnandTech:
ARM has issued the following statement:
Apple has since put out a technical note on the status of ARM-based vulnerabilities and software patches.
From Apple:
And to defend against Spectre:
No word yet on what, if any, updates might be made available for previous versions of iOS, and tvOS.
Which versions of iOS and tvOS are patched against Meltdown and Spectre?
Current versions of iOS and tvOS patch against Meltdown.
- iOS 11.2
- tvOS 11.2
For iOS, that means devices now patched include:
- iPhone X
- iPhone 8
- iPhone 8 Plus
- iPhone 7
- iPhone 7 Plus
- iPhone SE
- iPhone 6s
- iPhone 6s Plus
- iPhone 6
- iPhone 6 Plus
- iPhone 5s
- iPad Pro 10.5-inches
- iPad Pro 9.7-inches
- iPad Pro 12.9-inches
- iPad Air 2
- iPad Air
- iPad mini 4
- iPad mini 3
- iPad mini 2
- iPod touch 6
For tvOS, that means devices now patched include:
- Apple TV 4K (Late 2017)
- Apple TV (Late 2015)
Previous versions of Apple TV didn't run full apps (only TV Markup Language apps made in partnership with Apple) so it's unclear if they face any risk from Meltdown or Spectre.
Patches for Safari to mitigate against Spectre are still forthcoming.
Apple Watch isn't affected by Meltdown or Spectre?
Apparently not. Apple Watch was designed to run under extremely power sensitive conditions and, as such, the S-series system-in-package inside it doesn't use the type of speculative execution architecture vulnerable to Meltdown.
Apple Watch also doesn't have any front facing web browser capability, so there's no risk from Spectre-based JavaScript attacks targeting browsers.
How can you protect against Meltdown-based attacks?
For home users on Intel-based computers, including Macs, Meltdown can only be exploited by code running on your machine. That means someone first needs to have physical access to your computer or has to trick you into installing malware through phishing or some other form of social engineering attack.
The patches being issued by Apple and other platform-makers should mitigate even that risk over time.
How can you protect against Spectre-based attacks?
Spectre affects a wider range of devices, could well be much harder to mitigate, but also seems to be much harder to exploit.
Details are still emerging, though. So, we'll have to wait and see.
Should you worry? Is it time to panic and burn it all down?
Not just yet.
For now, stay informed and stay updated. As the patches come out both now and in the future, download and install them.
No code or architecture is perfect. There will always be bugs. There will always be flaws. Some of them will seem gobsmackingly stupid. What matters is how quickly and well vendors respond to them.
In this case, it looks like everyone is responding as quickly as possible for as many customers as possible.
More as it develops.
Originally published on January 3, 2018. Last updated January 5, 2018.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.