On Thursday, Apple confirmed that all Mac systems and iOS devices are affected by Meltdown and Spectre chip flaws, but that no known exploits have impacted its customers. In a post on its website, Apple said updates to its operating systems for iPhones (iOS 11.2), Macs (macOS 10.13.2), and Apple TVs (tvOS 11.2) would defend against Meltdown. These updates do not slow down the devices, it added, and Meltdown does not affect the Apple Watch.
Macs and iOS devices are vulnerable to Spectre attacks through code that can run in Web browsers. Apple said it would issue a patch to its Safari web browser for those devices “in the coming days.” Further updates of iOS, macOS, tvOS, and watchOS will be released to limit the threat of the vulnerabilities, Apple said. It advised only getting apps from its online App Store which vets programs for safety.
Researchers at Google’s Project Zero, academic institutions and private companies published their findings on the vulnerabilities on Wednesday. They said the flaws were discovered last year. Technology companies are working to protect their customers after researchers revealed that major security flaws affecting nearly every modern computer processor could allow hackers to steal stored data – including passwords and other sensitive information – on desktops, laptops, mobile phones and cloud networks around the globe.
The scramble to harden a broad array of devices comes after researchers found two significant vulnerabilities within modern computing hardware, one of which cannot be fully resolved as of yet. Experts say the disclosure of the critical flaws underscores the need to keep up with software updates and security patches and highlights the role independent research plays in prodding tech companies to minimize security weaknesses.
The more pervasive flaw of the two, dubbed Spectre, leaves the world’s supply of microprocessors potentially vulnerable to attack, the researchers said. Although hackers will find it harder to take advantage of Spectre, it is also more challenging for computer manufacturers to ward off, the researchers said. “As it is not easy to fix, it will haunt us for quite some time,” the researchers said, explaining why they chose to call the flaw Spectre.
There’s no complete software patch for Spectre right now, said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon, a defence company. The long-term solution may rely on a hardware redesign, he said, with software patches acting to monitor and stop the malicious behaviour. In the meantime, criminal actors and nation states could further develop the Spectre vulnerability, making attacks easier to execute.
“Right now it’s kind of tricky to take advantage of it,” Daly said. “But it’s not going to stop there. They will improve on it.”
The other flaw, called Meltdown, affects most Intel processors made after 1995. And although security patches exist for devices running Linux, Windows, and OS X, the researchers said, the fix may slow down their performance by as much as 30 percent, according to some estimates.
Intel and AMD both said that Google told the companies about the threats last summer. “Intel is committed to responsible disclosure. In this case, the security researchers presented their findings in confidence, and we and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible,” the company said in a blog post Wednesday.
Intel also played down concerns about slowed performance due to the updates, noting that for the “average computer user,” the impact should not be significant and will lessen over time. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said.
Microsoft said in a statement Thursday that it is not aware of any of these vulnerabilities being used against its customers. “We are in the process of deploying mitigations to cloud services and released security updates on January 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD,” the company said.
Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have or will soon be updated to protect against the newly disclosed vulnerabilities.
Amazon said Wednesday in a blog post that “all but a small single-digit percentage of instances” of its EC2 systems, a service under its cloud computing platform, had already been protected, and urged customers to patch their operating systems using available updates.
In a post on the company’s website Wednesday, AMD said that one variant of the Spectre vulnerability was resolved by software and operating system updates. Another variant of Spectre, the company said, has “a near zero risk of exploitation” on its processors. But AMD also told its customers that “total protection from all possible attacks remains an elusive goal” and encouraged them to regularly update their software.
In a statement Thursday, ARM said that the majority of its processors are not affected by Spectre or Meltdown but confirmed that it has been working with Intel, AMD and other partners to develop defences against the vulnerabilities.
“It’s a positive thing that we have independent verification – researchers looking for vulnerabilities,” Daly said. “Most of the software vendors welcome that interaction as long as you see this disclosure in private first, so you have a chance to fix the bugs.”