Apple said in a statement Thursday that the Meltdown security hole was “mitigated” in already-shipped patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2. More importantly for those concerned about a potential hit to speed, Apple said the “updates resulted in no measurable reduction in the performance of macOS and iOS.”
The company also said a Safari update that would “mitigate” the Spectre security hole is coming.
Meltdown and Spectre are significant security vulnerabilities that affect Macs, Windows PCs, Linux boxes, iPhones, Android devices, and many other devices with processors. Apple said Apple Watch was not vulnerable to Meltdown.
Apple’s statement on Meltdown:
Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
Apple’s statement on Spectre:
Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or “bounds check bypass,” and CVE-2017-5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
Note that in both cases, Apple referred to its updates as “mitigations,” rather than “patches.” That choice of wording is most likely related to the complexity of the problems involved and the fundamental ways in which they affect how operating systems do their jobs.