Apple Releases macOS 10.13.2 and iOS 11.2.2 Update to Address ‘Spectre’ Vulnerabilities
As expected, Apple on Monday released macOS 10.13.2 and iOS 11.2.2. Both updates are free, and address the recently announced hardware-based “Spectre” security vulnerability.
Both update include updates to the Safari web browser and WebKit to mitigate the security flaws found in the Intel and ARM CPUs. A previous update to macOS High Sierra had addressed the “Meltdown” security flaws announced alongside Spectre.
The company’s statement from last week:
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.
Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or “bounds check bypass,” and CVE-2017-5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
The macOS High Sierra update can be downloaded and installed from the “Update” tab in the Mac App Store.
The iOS 11.2.2 update can be installed by going to “Settings” -> “General” -> “Software Update” on your iOS device.
A Safari 11.0.2 update is available for those still running macOS Sierra 10.12.6 and OS X El Capitan 10.11.6. The update is designed to mitigate the effects of the Spectre processor flaw.