All Mac Devices Affected Says Apple.
Apple has said that all iPhones, iPads and Mac computers are affected by two major flaws in computer chips. It emerged this week that tech companies have been racing to fix the Meltdown and Spectre bugs, which could allow hackers to steal data. Apple said it had already released some patches, but there was no evidence that the vulnerability had been exploited. But it advised only downloading software from trusted sources to avoid “malicious” apps. Mac users have often believed that their devices and operating systems are less vulnerable to security issues than, for example, Android phones or computers running Microsoft systems. But the Meltdown and Spectre flaws are found in all modern computer processing units – or microchips – made by Intel and ARM, and together the firms supply almost the entire global computer market.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” Apple said in blog post on the issue. “These issues apply to all modern processors and affect nearly all computing devices and operating systems.” Apple said that it had already released “mitigations” against Meltdown in its latest iPhones and iPad operating system update – iOS 11.2 and the macOS 10.12.2 for its MacBooks and iMacs. Meltdown does not affect the Apple Watch, it said, as the bug was an issue with Intel processors which are not contained in that device. Patches against Spectre, in the form of an update to web browser Safari, will be released “in the coming days.”
What are the bugs?
There are two separate security flaws, known as meltdown and Spectre.
- Meltdown affects laptops, desktop computers and internet servers with Intel chips.
- Spectre potentially has a wider reach. It affects some chips in smartphones, tablets and computers powered by Intel, ARM and AMD.
Bryan Ma, a senior analyst at technology consultancy IDC, says data centres and devices that connect to the cloud are also at risk.
How big is the problem?
First, let’s not panic. The UK’s National Cyber Security Centre (NCSC) said there was no evidence that the vulnerability had been exploited. But now that it has been made public, there’s concern the bugs are discoverable and may be taken advantage of.
The BBC understands the tech industry has known about the issue for at least six months – and that everyone involved, from developers and security experts, had signed non-disclosure agreements. The plan, it seems was to try to keep things under wraps until the flaws had been fully dealt with. Consider the figures for personal computers alone: there are 1.5 billion in use today (desktop and laptop combined), and around 90% are powered by Intel chips, IDC estimates. That means exposure to the Meltdown bug is potentially huge.
What information is at risk?
The bugs allow hackers to potentially read information stored in a computer memory and steal information like passwords or credit card data. Technology analyst Jake Saunders from ABI Research said it was not exactly clear what information might be at risk, but as the security gaps had been exposed “the question is whether other parties can discover and potentially exploit them.”
How do I protect my computer?
Device makers and operating system providers have had time to try to fix this. They are pushing out security updates, or patches, which will protect your computer, tablet or phone against a breach that uses the Meltdown vulnerability. Users should install these updates as soon as they are made available.
Microsoft, Apple and Linux, the three major operating system makers, are all issuing patches. Apple has not said precisely when patches for earlier versions of macOS will be available, but the latest version, numbered 10.13.2, is safe. Microsoft released an emergency Meltdown patch for Windows 10 on 4 January; it will subsequently be applied to Windows 7 and eight machines. Google said Android phones with the most recent security updates are protected, and users of web services like Gmail are also safe. Chromebook users on older versions will need to install an update when it comes. Chrome web browser users are expected to receive a patch on 23 January. Security updates are also in the works for Apple laptops and desktops, though it is not clear whether iPhones and iPads are vulnerable. Cloud services for businesses, including Amazon Web Services and Google Cloud Platform, say they have already patched most services and will fix the rest soon.
Spectre is thought to be much harder to patch, and no fix for it has yet been made widely available.
Credit: The BBC, 4 and 5 January 2018.