How Apple users can protect themselves against Spectre and Meltdown
Credit to Author: Jonny Evans| Date: Fri, 05 Jan 2018 06:26:00 -0800
Apple has confirmed that all Macs, iPhones, iPads and other devices (bar Apple Watch) are vulnerable to the newly-revealed Spectre and Meltdown Intel, ARM and AMD processor vulnerabilities.
Taking advantage of a vulnerability that has been around for 20-years, Meltdown and Spectre exploit a CPU performance feature called “speculative execution”. Speculative execution exists to improve computer speed by enabling the processor to work on multiple instructions at once, sometimes in non-sequential order.
“To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software,” Apple explains.
Both Meltdown and Spectre take advantage of speculative execution to access privileged memory — including kernel memory — from a less-privileged user process such as a malicious app running on a device.
In other words, it’s possible to use these exploits to get your data. Though Apple and others in the industry all say this is very challenging and say that no known instances of use of these flaws have been seen. Yet. Apple says all its devices are vulnerable to the bugs, though Apple Watch is not susceptible to Meltdown.
Apple has already published software updates that help defend (it calls it “mitigate”) against the Meltdown bug. iOS 11.2, macOS 10.13.2, and tvOS 11.2 all provide this protection. Apple hasn’t said anything yet about plans to help secure older systems (which I think it must).
Apple also plans to release mitigations in Safari to help defend against Spectre. “We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,” the company said.
It’s important all users update their OS and application software as updates are introduced. The company will likely introduce a succession of application and system updates as it seeks to make exploitation of these vulnerabilities increasingly difficult.
Jailbreaking is pretty much a spent force on iOS, all the same those who do jailbreak their devices are potentially more vulnerable to malware, particularly when vulnerabilities exist at a processor level.
Apple states that:
“Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”
When it comes to device security this is good advice at all times, but even Apple’s App Store has seen rare incidents in which it has been tricked into distributing malware-laden apps – Xcode Ghost is a particularly good example of this. Such moments are rare – Apple generally does an excellent job preserving device and platform security.
When it comes to Spectre, Apple explains that it is possible (though extremely difficult) to exploit the weakness in JavaScript running in a web browser. Apple will release an update for Safari for Macs and iOS devices in the next few days. That update will mitigate such exploit techniques.
Mac and iOS users may want to avoid using browsers from Google, Microsoft or Mozilla. All three firms have confirmed that at present their software does not protect iOS users against a potential Spectre attack. This will change – watch for security updates.
It’s good practise to be vigilant about what applications you run on your computer (Mac or iOS). Both these newly-revealed exploits need to be running on your system, so it makes sense to avoid installing or using any applications you don’t trust, particularly those acquired from outside of the App Store.
The oldest advice remains critical: Never click links from people you don’t know. While no known exploits have been reported yet, hackers will certainly be working to develop malware to exploit these flaws.
Monitor your secure accounts and services for instances of unauthorized access.
Cloud service providers are also impacted. Amazon, Citrix, Google and Microsoft have all issued documents explaining what protections they have put in place.
Apple says the mitigations against these processors flaws will have no measurable impact on device performance. You may experience a very slight reduction in Safari performance.
If you are an enterprise user or SME it just became extremely important that you conduct a systems audit. You need to make sure that any older (unpatched) systems are quarantined from your networks and ensure they are not carrying or handling any confidential data. It may well be time to dump those Windows XP databases and leaky legacy technologies.
The consequences of these revelations will reverberate for a while, I fear. The challenge exists not just in modern but also in older systems, and with millions of those still in use it seems inevitable hackers will create exploits to attack less secure devices.
This will inevitably create new layers of fire and fury as veteran systems still in use within critical infrastructure deployments are exploited. When it comes to Apple, the perpetual cat and mouse war to secure its platforms just developed a new battle front.
Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic’s Kool Aid Corner community and get involved with the conversation as we pursue the spirit of the New Model Apple?
Got a story? Please drop me a line via Twitter and let me know. I’d like it if you chose to follow me there so I can let you know about new articles I publish and reports I find.