Apple has confirmed that all MAC systems and iOS devices stand affected by the recent processor-led vulnerabilities – Meltdown and Spectre.
Computer security experts have discovered two major security flaws. These Two vulnerabilities have been discovered at the chip level. One – called Meltdown – impacts only Intel chips. The other – called Spectre – impacts all chips including ARM and AMD. It’s a fairly major vulnerability and allows a malware to read memory of other processes.
Issuing confirmation on this, Apple statement says, “All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by either Meltdown or Spectre. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.”
Ido Naor, Senior Security Researcher, GReAT and Jornt van der Wiel, Senior Security Researcher GReAT, explains, “Two severe vulnerabilities have been discovered in Intel chips, both of which could enable attackers to seize sensitive information from apps by accessing the core memory. The first vulnerability, Meltdown can effectively remove the barrier between user applications and the sensitive parts of the operating system. The second vulnerability, Spectre, also found in AMD and ARM chips can trick vulnerable applications into leaking their memory contents.”
“Applications installed on a device generally run on ‘user mode’, away from the more sensitive parts of the operating system. If an app needs access to a sensitive area, for example the underlying disc, network or processing unit, it needs to ask permission to use ‘protected mode’. In Meltdown’s case, an attacker could access protected mode and the core memory without requiring permission, effectively removing the barrier – and enabling them to potentially steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.
“As they are hardware bugs, patching is a significant job. Patches against Meltdown have been issued for Linux, Windows and OS X, and work is underway to strengthen software against future exploitation of Spectre. Intel has a tool you can use to check if your system is vulnerable to the bugs and Google has published further information here. It is vital that users install any available patches without delay. It will take time for attackers to figure out how to exploit the vulnerabilities – providing a small but critical window for protection,” he adds.