This Week's Sponsor:

Kolide

Ensures that if a device isn’t secure it can’t access your apps.  It’s Device Trust for Okta.

Apple Addresses the Meltdown and Spectre Exploits With Additional Mitigations to Come

In a support article, Apple has acknowledged that the recently-disclosed Meltdown and Spectre exploits, which affect virtually every CPU in computers, mobile devices, and other platforms, also impact every Mac and iOS device. Although there are no known exploits of the vulnerabilities, Apple advises that users proceed with caution and download apps from trusted sources only.

Mitigations to defend against Meltdown have already been shipped by Apple in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS is unaffected by Meltdown. Development of mitigations for both exploits is ongoing and new defenses will be released to each Apple OS as they become available.

The support article published by Apple provides a high-level explanation of how each exploit works. If there’s any good news to be found in the widespread concern caused by these exploits it’s that Apple says the recently-released mitigations have no measurable impact on performance:

Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Apple’s support document also reveals that Spectre can be exploited in web browsers, including Safari, using JavaScript. Apple is working to address the problem with an update to Safari that will be released in the coming days. Apple says that:

Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.

The gravity of the exploits, which affect virtually all computing platforms, cannot be understated, but it’s reassuring that the initial mitigations released and those coming in the days ahead should have little or no impact on performance. It’s also worth noting that this is probably not the last we’ll hear about Meltdown and Spectre. As Apple notes:

We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.