Late on Jan. 4, Apple issued a new support document highlighting how the recently unearthed chip vulnerabilities involving Intel, ARM, and AMD processors impacts nearly the entirety of Apple’s product line. Specifically, Apple notes that all Macs and iOS devices are technically susceptible to Spectre and Meltdown, two vulnerabilities which could allow a malicious actor to access sensitive user data in protected memory. Apple, though, makes a point of emphasizing that no known exploits have been uncovered.
“All Mac systems and iOS devices are affected,” the support document reads, “but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”
As for what Apple is doing to combat the vulnerabilities, which, interestingly enough, were discovered by security researchers at Google’s Project Zero, Apple relays that patches for the Meltdown vulnerability were already issued with the following updates: iOS 11.2, macOS 10.13.2, and tvOS 11.2. Incidentally, Apple notes that watchOS did not require a patch. Additionally, Apple maintains that the updates above have no discernible impact on system performance. This point is worth highlighting given that the original report from The Register claimed that the requisite patches could result in systems running as much as 30% slower.
With respect to the Spectre vulnerability, which Apple notes is “extremely difficult to exploit,” Apple says that iOS and Mac users can expect a patch relatively soon.
To this point, Apple notes:
“Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.”
