'Meltdown' and 'Spectre' FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw

iMore ^ | January 5, 2018 | By Rene Richie

[Swordmaker]

A series of flaws have been discovered in Intel, AMD, and ARM chipsets that allow speculative references to be probed for privileged data.

"Meltdown" is a flaw currently believed to affect only Intel processors and "melts security boundaries which are normally enforced by the hardware". "Spectre" is a flaw that affects Intel, AMD, and ARM processors due to the way "speculative execution" is handled.

Both could theoretically be used to read information from a computer's memory, including private information like passwords, photos, messages, and more.

Apple has apparently already started patching Meltdown in macOS. Here's what you need to know.

(READ THE FAQ at the source. Lots of information of interest and value there, including for non-Apple intel computers and AMD computers, and other ARM devices.—Swordmaker)

[Swordmaker]

Which versions of macOS / OS X have been patched against Meltdown and Spectre: macOS High Sierra: Patched against Meltdown in 10.13.2 That means software patches are now available for Macs going back to:

• iMac (Late 2009 & later)
• MacBook Air (2010 or newer)
• MacBook (Late 2009 or newer)
• Mac mini (2010 or newer)
• MacBook Pro (2010 or newer)
• Mac Pro (2010 or newer)

Current versions of iOS and tvOS patch against Meltdown.

• iOS 11.2
• tvOS 11.2

For iOS, that means devices now patched include:

• iPhone X
• iPhone 8
• iPhone 8 Plus
• iPhone 7
• iPhone 7 Plus
• iPhone SE
• iPhone 6s
• iPhone 6s Plus
• iPhone 6
• iPhone 6 Plus
• iPhone 5s

• iPad Pro 10.5-inches
• iPad Pro 9.7-inches
• iPad Pro 12.9-inches
• iPad Air 2
• iPad Air
• iPad mini 4
• iPad mini 3
• iPad mini 2
• iPod touch 6

For tvOS, that means devices now patched include:

• Apple TV 4K (Late 2017)
• Apple TV (Late 2015)

Previous versions of Apple TV didn't run full apps (only TV Markup Language apps made in partnership with Apple) so it's unclear if they face any risk from Meltdown or Spectre.

Patches for Safari to address Meltdown and Spectre are still forthcoming.

(These patches will mitigate against Meltdown and Spectre while you are computing only if you update your Macs to macOS HighSierra 10.13.2 and your iOS devices to iOS 11.2, and tvOS 11.2. — Swordmaker)

[Swordmaker]

A pretty comprehensive FAQ and source of information—mostly for Mac and iOS device users which also includes information for other computer and device users—on the Meltdown and Spectre vulnerabilities. Seems to be comprehensive and lacking the hype other sources are heavy in. Well worth going through. — PING!

MeltDown and Spectre FAQ for Apple Users
But Also Good for Other Computer & Device Users
Ping!

Pinging ShadowAce, ThunderSleeps, and dayglored for their ping lists.

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

[butlerweave]

This guy has 2 other videos on this https://www.youtube.com/watch?v=STQukPXWkTI&t=306s

[be-baw]

Thanks! Very helpful information. You did your good deed today. What are you going to for us tomorrow? ;-)

[b4its2late]

[Red Badger]

Sounds like Apple is on top of this.

Haven’t heard from MS or the Mfrs..................

[palmer]

From the FAQ: "For home users on Intel-based computers, including Macs, Meltdown can only be exploited by code running on your machine. That means someone first needs to have physical access to your computer or has to trick you into installing malware through phishing or some other form of social engineering attack."

and "Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques."

That's basically what I've been saying. Very similar side channel attacks have been know for about 2 years and there are no effective exploits in the wild. A similar side channel attack on DRAM using javascript was demo'd in 2014 and nobody was able to use it in the wild.

[Albion Wilde]

bump

[butlerweave]

Microsoft is patching but the patch is Bricking computers running older Athlon cpus

[Alas Babylon!]

Microsoft, except for their Surface offerings, only can do operating system patches rather than hardware patching. They are working with the hardware OEMs (Intel, AMD) to provide comprehensive software patching, but understand this is only within the OS, not the chipset or cpu.

And it isn’t bricked as long as you create a system restore point, which is the default in Windows 7 and up. So IF the restore points are not turned off, they system should be recoverable.

Now if hardware patching is being directly applied to the mainboard (CMOS or BIOS upgrade/update), that would be another story, and outside of the Microsoft update realm.

[Red Badger]

That might tend to piss some users off................

[butlerweave]

The only patching you’ll get anyway is software , Intel said get stuffed

[butlerweave]

It bricks Windows 10 and 7 not the bios ,good reason to move to Linux

[Red Badger]

I would hope that MS has a un-do for the ‘patch’..................

[Alas Babylon!]

All you need to do is boot up from the install DVD or USB stick, and then apply the recovery snapshot from the OS.

When you boot up to recovery from the install media, it is actually running Windows PE on a RAMDisk, so the original hard drives and OS are exposed for operations to recover, like finding the restore point snap shot and reapplying it to the operating system.

It would be like a new install with your data restored from the time you took the snap shot, minus the patch that caused the bricking.

[Celerity]

What I see in this:

Your actual PC isn’t a concern. When someone learns to exploit this, it will be _the of the world as we know it_.

All military systems, all power generation. If you can get a password, then it’s been controlled. So the people who figure out how to exploit would be stupid to surf a computer looking for banking information. They could control the world.

The next 10 years will be interesting. This will loom over us for more than a decade.