
New macOS security update protects Safari from Spectre exploits

By Cal Jeffrey
Jan 8, 2018
    In the wake of major security flaws recently found in Intel processors released over the last 10 years, companies including Apple, Microsoft, Google and others have been scrambling to get security patches out. The flaws were nicknamed Meltdown and Spectre.

    Even though the holes were only announced publicly last week, tech companies have known about them since they were discovered by Google’s Project Zero in June of last year. Most vendors had software patches out by the time of the announcement, but some created even more problems, like Microsoft’s patch that borked some Athlon processors.

    Other patches, like the one included in macOS 10.13.2 released last November, took care of Meltdown exploits but still left computers vulnerable to Spectre. Spectre was proving more difficult for Apple to remedy, but today it pushed out another security update to protect users from it.

    Apple’s support page on the patch claims Safari and WebKit are now protected from Spectre exploits (CVE-2017-5753 and CVE-2017-5715). Aside from thanking the Google team and others for finding and researching the exploits, the page was light on details of the fix. However, Apple did issue a statement going into greater detail.

    "The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU.

    Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or "rogue data cache load." The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation.

    Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or "bounds check bypass," and CVE-2017-5715 or "branch target injection." These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call. Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. On January 8th Apple released updates for Safari on macOS and iOS to mitigate these exploit techniques."

    As of today, iOS, macOS and tvOS (watchOS was not vulnerable) should all be protected from both Meltdown and Spectre as long as the operating systems are up-to-date. Even though the threats have been mitigated, Apple still warns against installing apps from unknown publishers.

    "Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store."
