Apple said in a statement Thursday that the Meltdown security hole was “mitigated” in already-shipped patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2. More importantly for those concerned about a potential hit to speed, Apple said the “updates resulted in no measurable reduction in the performance of macOS and iOS.”

The company also said a Safari update that would “mitigate” the Spectre security hole is coming.

Meltdown and Spectre are significant security vulnerabilities that affect Macs, Windows PCs, Linux boxes, iPhones, Android devices, and many other devices with processors. Apple said Apple Watch was not vulnerable to Meltdown.

Apple’s statement on Meltdown:

Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Apple’s statement on Spectre:

Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or “bounds check bypass,” and CVE-2017-5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call. Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

Note that in both cases, Apple referred to its updates as “mitigations,” rather than “patches.” That choice of wording is most likely related to the complexity of the problems involved and the fundamental ways in which they affect how operating systems do their jobs.