Apple Adds Spectre Protections to Safari, WebKit
Updates released by Apple on Monday for iOS, macOS and Safari should mitigate the effects of the vulnerabilities exploited by the recently disclosed attack method named Spectre. Apple informed customers that iOS 11.2.2 and macOS High Sierra 10.13.2 Supplemental Update include security improvements for Safari and WebKit. The Safari improvements are also included in version 11.0.2 of Apple’s web browser.
The latest updates address the Spectre vulnerabilities, specifically CVE-2017-5753 and CVE-2017-5715. Mitigations for the Meltdown attack were rolled out by Apple, before the flaws were disclosed, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Apple Watch is not vulnerable to either of the attack methods.
Meltdown and Spectre can be used by malicious actors to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. The attacks work against devices with Intel, AMD and ARM processors. Intel has been hit the hardest, while AMD claims the risk of attacks is low and ARM found that only ten of its CPUs are impacted.
Patches and workarounds have already been released by several major vendors, but they can introduce significant performance penalties, and Microsoft’s updates may also break Windows and various apps.