Remember that massive macOS High Sierra security flaw that Apple admitted to and finally fixed toward the end of 2017? Ha! Ancient history. Remember Batterygate, back when Apple throttled iPhones to protect us from battery degradation? Some critics wanted Apple to give everyone affected a new battery instead of a measly $29 battery replacement.
Well, well, well. What noxious security issue and uber problem do we have this week? Hmmm. It looks as if there is a massive security hole in all of Intel’s CPUs for the past 10, maybe 20 years or more, and it’s so bad it jumped across platforms and affected ARM-based CPUs, too.
It’s Just Math
This is going to be interesting because it’s not just Apple and it doesn’t even look as if Apple caused the problem. What will tech critics do with themselves during these dark hours?
Technologist Zack Whittaker explains:
Two critical vulnerabilities found in Intel chips can let an attacker steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.
Uh oh. This is going to be bad for Apple and nobody else, right? Who knew that low market share could be such a positive thing?
The researchers who discovered the vulnerabilities, dubbed “Meltdown” and “Spectre,” said that “almost every system,” since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines.
That’s a lot of chips. Intel competitor AMD:
The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.
Whew. That’s a relief. Wait. I don’t have a single device that runs AMD Inside. In fact, only Macs run Intel chips where I work and play. All the rest of my devices run Apple-designed CPUs based on the ARM-architecture.
ARM spokesperson Phil Hughes:
This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory.
Uh oh. Apple has over 1 billion customers with iPhones, iPads, Apple Watch, and Apple TV, not to mention about 100 million Mac customers. At least Apple is not being blamed for this catastrophic security problem.
Who’s to blame?
Researchers with Alphabet Inc’s Google Project Zero, in conjunction with academic and industry researchers from several countries, discovered two flaws [Meltdown and Spectre].
What is Apple doing for the Mac? Mike Wuerthele:
Multiple sources within Apple not authorized to speak on behalf of the company have confirmed… that there are routines in 10.13.2 to secure the flaw that could grant applications access to protected kernel memory data. These measures, coupled with existing programming requirements about kernel memory that Apple implemented over a decade appear to have mitigated most, if not all, of the security concerns.
Translation: We’re working on it.
How bad is it?
Potentially at risk from the flaw is anything contained in kernel memory, such as passwords, application keys, and file caches. Details surrounding the bug, and how to exploit it, are still under wraps. Intel is unable to fix the flaw with a firmware update.
So, as I understand it, there’s a vulnerability in a few billion CPUs on devices from PCs to smartphones et al., but no in-the-wild exploit that anyone knows about?
Somehow that’s not as reassuring as I want it to be. What can we do? Chris O’Brien:
The Computer Emergency Response Team, or CERT, has issued a statement saying there is only one way to fix the vulnerability: replace the CPU. CERT is based at Carnegie Mellon University and is officially sponsored by the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications.
I have a bad feeling about this.
OK, we know that Intel, ARM, Apple, Microsoft, Linux, Google, and others are working hard to get these vulnerabilities patched before an exploit hits the streets. In the interim, be careful which websites you visit, what files you download and install on your Mac, iPhone, iPad, PC, or smartphone, and stock up on some aspirin. There might be some headaches on the way.