Apple Says Meltdown Was Patched in iOS 11.2, macOS 10.13.2, and tvOS 11.2, with No Measurable Impact to Speed


Apple said in a statement Thursday that the Meltdown security hole was “mitigated” in already-shipped patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2. More importantly for those concerned about a potential hit to speed, Apple said the “updates resulted in no measurable reduction in the performance of macOS and iOS.”

The company also said a Safari update that would “mitigate” the Spectre security hole is coming.

Meltdown and Spectre are significant security vulnerabilities that affect Macs, Windows PCs, Linux boxes, iPhones, Android devices, and many other devices with processors. Apple said Apple Watch was not vulnerable to Meltdown.

Apple’s statement on Meltdown:

Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Apple’s statement on Spectre:

Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or “bounds check bypass,” and CVE-2017-5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.

Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

Note that in both cases, Apple referred to its updates as “mitigations,” rather than “patches.” That choice of wording is most likely related to the complexity of the problems involved and the fundamental ways in which they affect how operating systems do their jobs.

davidwilson16

Are there any patches still available??

iGrouch

It seems leaving a stinker of feedback with Apple regarding the vagueness of what they have patched has done the trick. https://support.apple.com/en-us/HT208331 Kind of getting ridiculous with Apple these days. They obviously think with their fat salaries that we are equally rolling in it and will keep feeding mammon by sucking up every new product they release. In more recent years Apple has defined itself as a maker of products for the upper-middle classes. This was patently obvious and driven home when Angela Ahrendts took over the retail division and stated that Apple was a luxury brand. From 2006 to…

iGrouch

Is there anywhere online that officially states the patches are available or have already been issued in the past as far back as El Capitan? The only OS I see mentioned is 10.13.

JustCause

I wonder when the updates for older macOS, iOS and tvOS are coming?
I’m thinking 2-3 versions back…

mrmwebmax

@JustCause, According to Apple’s release notes, the latest iOS 11.2.1 works on iPhones from 5S and iPads from Air onward. I have a 2013 iPad Air and a 2016 iPhone 7 and upgraded both without issue. Regarding Macs, I am still using an early 2008 iMac. It is running the most recent OS X it can run, El Capitan 10.11.6. A security patch is available for that version of OS X as well. It appears that that is the oldest OS X to have a patch available. I applied the patch to my ten year old iMac without…

S L

But what about iOS devices that are blocked from 11.xx updates? They’re still in use and presumably just as vulnerable- doesn’t Apple have an obligation to “mitigate” their risk as well? It’s not like users have control over what iOS their device can accept!

geoduck

To me Patch means there is a problem and the software fixes it so the problem no longer exists. Mitigate means there is a problem but the software makes it so the flaw is no longer a danger, but it still exists.
To fill in a hole is a patch. To build a bridge over it is to mitigate it.

“Semantics is my life” Arthur Dietrich