Apple has released software updates for its operating systems after confirming that all its devices are affected by the microchip flaws dubbed Spectre and Meltdown.
The tech industry has scrambled to fix the chip flaws that apply to all modern processors and could leave consumers and businesses at risk of having their data accessed or stolen.
While all Mac systems and iOS devices are affected, Apple said there were no known exploits impacting Apple device users and recommended downloading software only from trusted sources.
Apple has released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, and said the Apple Watch was unaffected.
The impact of the mitigations for Meltdown have been estimated as high as a 30% reduction in performance, but Apple claimed that updates it had released so far resulted in “no measurable reduction in the performance” of macOS and iOS.
Apple also plans to release mitigations in its Safari browser to help defend against Spectre “in the coming days” and said testing indicated that the Safari mitigations would have little or no measurable performance impact.
The company said it would continue to develop and test further mitigations for Spectre and Meltdown, and these would be released in future updates of iOS, macOS, tvOS, and watchOS.
Exploits prey on speculative execution
The Meltdown and Spectre exploits take advantage of a modern CPU performance feature called speculative execution, which improves speed by operating on multiple instructions at once.
To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
But the Meltdown and Spectre exploitation techniques abuse speculative execution, also known as out-of-order execution, to access privileged memory – including that of the kernel – from a less-privileged user process such as a malicious app running on a device.
Meltdown specifically refers to an exploit known as “rogue data cache load” (CVE-2017-5754) which can enable a user process to read kernel memory. According to Apple, Meltdown has the most potential to be exploited.
Read more about Spectre and Meltdown
- According to the Carnegie Mellon University Software Engineering Institute, Meltdown and Spectre need to be addressed by applying updates and replacing the affected CPU hardware.
- AMD shares rise on news that the performance of millions of Windows PCs, Linux servers and Apple Macs is to be affected by critical updates for a recently discovered security flaw in Intel chips manufactured in the past 10 years.
- Intel advises business customers to apply a security update for some versions of its administration firmware for vPro processors to fix a remote execution flaw.
Researchers who uncovered the flaws said Meltdown potentially affected every Intel processor made since 1995 that implements out-of-order execution, with the exception of Itanium and Atom.
Spectre refers to two different exploitation techniques known as CVE-2017-5753, or “bounds check bypass”, and CVE-2017-5715, or “branch target injection”. These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
The Spectre vulnerability has been verified by researchers as affecting chips made by Intel, AMD and ARM, but AMD claimed there was “near zero risk” to its processors from Spectre due to differences in chip architecture, while ARM noted that the majority of its chips were unaffected.
Security fixes a work in progress
Like Apple, Microsoft and Google have been working on software updates to mitigate the chip flaws since they were disclosed by researchers in late 2017, and have begun releasing those updates. According to Google, its Android phones are protected if users have applied the latest security updates.
And as previously reported by Computer Weekly, the cloud provider community has mobilised to protect users from the security flaws, but researchers have suggested that replacing all underlying CPU hardware may be required to eradicate the risk of exploitation.
The financial services industry is also concerned about the potential impact of the chip flaws, and according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), its members continue to assess the actual risk and seek additional information about the vulnerabilities and their potential impact.
“The financial services community takes all vulnerabilities seriously and takes proactive measures to ensure proper risk mitigation,” the organisation said, noting that in addition to the security considerations raised by Meltdown and Spectre, performance degradation is expected.
This performance impact, FS-ISAC said, could require more processing power for affected systems to compensate and maintain current baseline performance, which means additional costs may also be a factor to maintain current system and application performance.
“Even outside of the known performance hit, fixing kernel-level vulnerabilities typically requires more testing than browser, office productivity applications and other patches due to the underlying direct link to the operating system.
“There will need to be consideration and balance between fixing the potential security threat versus the performance and other possible impact to systems. The current general thought is that the security risk will be lower on dedicated servers and endpoints (due to the expected exploit requirement to run code on an individual system) and higher on shared computers such as hosting and cloud services which use the same physical hardware (and processor) to share different (user) virtual machines,” the FS-ISAC said.