Are you tired of hearing about Meltdown and Spectre yet? Well, get used to it, because the security updates keep on coming!
As we mentioned in our FAQ, Apple has already mitigated the effects of Meltdown on Macs in macOS 10.13.2, and of Spectre in iOS devices in iOS 11.2. But at the time of Apple's first announcement last week, there was still the possibility of exploiting the Spectre vulnerability through JavaScript in the Safari browser. Apple promised an update to mitigate that avenue of attack was coming soon.
iOS 11.2.2 is that update. As we've explained before, there is no 'fix' for Spectre—it's endemic to the way nearly every modern processor with speculative execution operates. But patches can help mitigate the risk, making it much harder for Spectre to be exploited.
Fixing Safari and WebKit is especially important on iOS, where other web rendering engines are essentially forbidden. You can run other web browsers on iOS, and apps can display web pages, but they all have to use Apple's own WKWebView API to display the web content with Apple's WebKit implementation.
Intel received assistance from operating system contributors to Linux, along with Microsoft and Apple developing operating system-level fixes for Meltdown for Linux, Windows and Mac OS.
In other words, this security update doesn't just fix Safari, it fixes every app that displays web content on your iOS device. So you should definitely install it immediately.
macOS 10.13.2 supplemental update
Apple already mitigated the effects of Meltdown (which affects only Intel processors) in macOS 10.13.2. Today, about a month after that release, it is pushing out a supplemental update that mitigates the effects of Spectre in Safari and WebKit.
All you have to do to install it is launch the App Store and head to the Updates section.
Unlike iOS, macOS does not require all web content to be displayed with Apple's own WebKit rendering engine. So, while this update will help secure Safari and apps that use the WebKit rendering engine, it will not fix other browsers you run on your Mac. If you run Firefox, make sure you update to 57.0.4 or later. An update to the Chrome browser with Spectre mitigations is expected in Chrome 64, currently scheduled for release in late January.
Questions & Answers
Am I affected by the vulnerability?
Most certainly, yes.
Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.
Can my antivirus detect or block this attack?
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
What can be leaked?
If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
Has Meltdown or Spectre been abused in the wild?
We don't know.
Is there a workaround/fix?
There are patches against Meltdown for Linux (KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre (LLVM patch, MSVC, ARM speculation barrier header).
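To confirm that the Linux patches mentioned above are actually active on a host, the kernel's own status files can be read. The script below is an added example, not code from the original page or from the researchers; it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities`, and the function names and the sample contents are the example's own constructions.

```shell
#!/bin/sh
# Added example: classify the kernel's reported status for the three CVEs named on this page.
# Kernels that carry the fixes expose one status file per issue in this directory.
SYSFS_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<file content>" -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_dir <dir>: print one line per CVE; return 1 if any entry is vulnerable or missing.
check_dir() {
    dir=$1; rc=0
    for pair in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name=${pair%%:*}
        cve=${pair#*:}
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
            state=$(classify_status "$text")
        else
            # A missing file means the kernel predates the reporting interface.
            text="(no sysfs entry)"
            state=unknown
        fi
        printf '%-14s %-11s %-12s %s\n' "$cve" "$name" "$state" "$text"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: KPTI enabled, Spectre variant 2 still unmitigated.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

if [ -d "$SYSFS_DIR" ]; then
    check_dir "$SYSFS_DIR" || echo "action needed: update kernel and microcode"
else
    sample=$(make_sample); check_dir "$sample" || echo "sample host needs updates"; rm -rf "$sample"
fi
```

A non-zero return from `check_dir` is suitable as a failing condition in a fleet compliance check.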
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
Which cloud providers are affected by Meltdown?
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).
Why is it called Meltdown?
The vulnerability basically melts security boundaries which are normally enforced by the hardware.
Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
Is there more technical information about Meltdown and Spectre?
Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.
What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
What is the CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
Can I see Meltdown in action?
Can I use the logo?
Both the Meltdown and Spectre logo are free to use, rights waived via CC0. Logos are designed by Natascha Eibl.
Attack | Logo | Logo with text | Code illustration |
---|---|---|---|
Meltdown | PNG / SVG | PNG / SVG | PNG / SVG |
Spectre | PNG / SVG | PNG / SVG | PNG / SVG |
Is there a proof-of-concept code?
Yes, there is a GitHub repository containing test code for Meltdown.
Where can I find official infos/security advisories of involved/affected companies?
Organization | Link |
---|---|
Intel | Security Advisory / Newsroom / Whitepaper |
ARM | Security Update |
AMD | Security Information |
RISC-V | Blog |
NVIDIA | Security Bulletin / Product Security |
Microsoft | Security Guidance / Information regarding anti-virus software / Azure Blog / Windows (Client) / Windows (Server) |
Amazon | Security Bulletin |
Google | Project Zero Blog / Need to know |
Android | Security Bulletin |
Apple | Apple Support |
Lenovo | Security Advisory |
IBM | Blog |
Dell | Knowledge Base / Knowledge Base (Server) |
Hewlett Packard Enterprise | Vulnerability Alert |
HP Inc. | Security Bulletin |
Huawei | Security Notice |
Synology | Security Advisory |
Cisco | Security Advisory |
F5 | Security Advisory |
Mozilla | Security Blog |
Red Hat | Vulnerability Response / Performance Impacts |
Debian | Security Tracker |
Ubuntu | Knowledge Base |
SUSE | Vulnerability Response |
Fedora | Kernel update |
Qubes | Announcement |
Fortinet | Advisory |
NetApp | Advisory |
LLVM | Spectre (Variant #2) Patch / Review __builtin_load_no_speculate / Review llvm.nospeculateload |
CERT | Vulnerability Note |
MITRE | CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754 |
VMWare | Security Advisory / Blog |
Citrix | Security Bulletin / Security Bulletin (XenServer) |
Xen | Security Advisory (XSA-254) / FAQ |