
About speculative execution vulnerabilities in ARM-based and Intel CPUs - gok
https://support.apple.com/en-us/HT208394
======
drdrey
I must say I am pleasantly surprised by the straightforward, no BS language

~~~
tischler
Except they forgot to tell us about older versions of macOS which probably
75%[1] of Apple users still use.

[1] [http://gs.statcounter.com/macos-version-market-share/desktop...](http://gs.statcounter.com/macos-version-market-share/desktop/worldwide)

~~~
thelibrarian
Security Updates were released for 10.6 and 10.5 (2017-002 and 2017-005
respectively).

~~~
0x0
Where do you see updates for 10.6 and 10.5? According to
[https://support.apple.com/en-us/HT208331](https://support.apple.com/en-us/HT208331) - there was a 2017-002 for 10.12 and a 2017-005 for 10.11.

~~~
thelibrarian
Yes, I did mean 10.12.6 and 10.11.6.

------
AaronFriel
> Our testing with public benchmarks has shown that the changes in the
> December 2017 updates resulted in no measurable reduction in the performance
> of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web
> browsing benchmarks such as Speedometer, JetStream, and ARES-6.

This is incredibly deceptive, because web workloads are precisely the sort not
expected to be impacted by Meltdown most. As I've written elsewhere, it's
syscall heavy workloads targeting fast devices, like database software on PCIe
SSDs, that will suffer the greatest slowdowns.

~~~
empthought
This spells certain doom for Apple’s vaunted supremacy in supplying
high-performance hardware for database usage.

~~~
jonny_eh
Why? Is their competition not affected?

~~~
mythz
the /s at the end is silent

~~~
jonny_eh
Ha, I thought I was on /r/apple

------
nnx
Interesting that this seems to say that A-series processors are vulnerable to
Meltdown (or a variant of it).

Could this “check later” speculative approach similar to Intel’s explain
Apple’s great performance advantage over other ARM CPUs?

~~~
duskwuff
> Could this “check later” speculative approach similar to Intel’s explain
> Apple’s great performance advantage over other ARM CPUs?

No. Speculative execution is not unique to Apple's SoC designs; it's present
in other ARM cores as well.

[https://developer.arm.com/support/security-update](https://developer.arm.com/support/security-update)

------
tischler
> Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS
> 11.2 to help defend against Meltdown.

What about macOS 10.12 and earlier versions?

~~~
dylz
My work machine is 10.12 and patched today.

Sierra and El Capitan is covered too.

[https://support.apple.com/en-us/HT208331](https://support.apple.com/en-us/HT208331) - see Kernel entries.

~~~
tischler
10.12 is Sierra. I cannot see any security update in the updates tab of the
App Store app, nor in the list of updates that were installed in the last 30
days.

~~~
om2
This update shipped to 10.12 on Dec 6 as 10.12.7.

~~~
tischler
I'm on 10.12.6 on a Mid 2011 MacBook Air 13": "No Updates Available"

Edit: I see, there is a confusing typo in om2's comment (it should be 10.12.6
not 10.12.7). I am wondering why this update does not show up in my list of
installed updates. What a mess.

~~~
thelibrarian
It was released as Security Update 2017-002 and 2017-005 for Sierra 10.12.6
and El Capitan 10.11.6 respectively, not as point version updates.

------
jluxenberg
Apple patched Meltdown (not Spectre) for Sierra in "Security Update 2017-002"
on Dec. 6th 2017. They are not doing a point release; the latest version of
Sierra is 10.12.6

If you want to check that you have installed this update, you can use the
following command:

    
    
      $ system_profiler | grep 'Security Update 2017-002'
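
One way to turn this check into a script, as an added example that is not from the thread or from Apple: it maps the running macOS version to the update this thread names for it (10.13.2 itself for High Sierra, Security Update 2017-002 for Sierra 10.12.6, Security Update 2017-005 for El Capitan 10.11.6) and looks for that item in the install history. Passing the `SPInstallHistoryDataType` data type to `system_profiler` restricts the output to installed items; the exact layout of that output (an indented `<name>:` header per item) is an assumption, and the embedded install-history sample is constructed so the script also runs where `system_profiler` is absent.

```shell
#!/bin/sh
# Added example, not code from the HN thread or from Apple's advisory.
# Checks whether the Meltdown mitigation named in the thread for a given
# macOS release is present. The layout of `system_profiler
# SPInstallHistoryDataType` output (an indented "<name>:" header per
# installed item, followed by Version/Source/Install Date) is assumed.

# Constructed sample of install-history output, used when the real tool is
# not available (for instance when this runs on a non-macOS host).
SAMPLE_HISTORY='Install:

    XProtectPlistConfigData:

      Version: 2098
      Source: Apple
      Install Date: 12/1/17, 9:02 AM

    Security Update 2017-002:

      Version:
      Source: Apple
      Install Date: 12/6/17, 10:14 PM
'

# Print the install history: live data on macOS, the constructed sample elsewhere.
install_history() {
    if command -v system_profiler >/dev/null 2>&1; then
        system_profiler SPInstallHistoryDataType
    else
        printf '%s\n' "$SAMPLE_HISTORY"
    fi
}

# has_update NAME HISTORY: succeed if an item header "NAME:" is present.
# Leading whitespace is stripped and the whole line must match, so the name
# turning up inside some other field does not count as installed.
has_update() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' | grep -Fxq "$1:"
}

# mitigation_status VERSION HISTORY: print patched, unpatched or unknown.
# Version-to-update mapping follows the thread: High Sierra gets the fix with
# the 10.13.2 point release (the advisory lists it as available for 10.13.1),
# Sierra 10.12.6 via Security Update 2017-002, El Capitan 10.11.6 via 2017-005.
mitigation_status() {
    ver=$1
    hist=$2
    case $ver in
        10.13|10.13.0|10.13.1)
            echo unpatched ;;
        10.13.*)
            echo patched ;;
        10.12.6)
            if has_update "Security Update 2017-002" "$hist"; then echo patched; else echo unpatched; fi ;;
        10.11.6)
            if has_update "Security Update 2017-005" "$hist"; then echo patched; else echo unpatched; fi ;;
        *)
            echo unknown ;;
    esac
}

main() {
    if command -v sw_vers >/dev/null 2>&1; then
        ver=$(sw_vers -productVersion)
    else
        ver=10.12.6   # constructed fallback version for non-macOS hosts
    fi
    hist=$(install_history)
    echo "macOS $ver: Meltdown mitigation $(mitigation_status "$ver" "$hist")"
}

main "$@"
```

Run it as `sh check_meltdown.sh` (hypothetical file name); on a Sierra machine with the update installed it prints `macOS 10.12.6: Meltdown mitigation patched`. The "unknown" branch is deliberate: releases the thread does not cover are reported as such rather than guessed.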

------
Analemma_
> Since exploiting many of these issues requires a malicious app to be loaded
> on your Mac or iOS device, we recommend downloading software only from
> trusted sources such as the App Store

Haven’t there been JavaScript POCs for Meltdown? That’s already patched and
AFAIK there’s nothing for Spectre yet, but this is still a little
disingenuous.

~~~
acdha
Aren’t the browser patches already shipping? The JS risk should be
significantly lower within days.

------
klondike_
I wonder what's going to happen to old Android devices that are no longer
receiving security updates

~~~
pjmlp
Nothing.

Until Google takes the stand and actually forces OEMs to update, nothing will
ever change.

Not for existing devices, nor for Treble certified ones.

Updates are only for rich people able to pay 500€+ for flagship devices every
three years.

~~~
Mindwipe
Treble is counterproductive to this sort of problem anyway. By abstracting
the OS to a layer sat above a quasi-HAL as it does, users will get OS updates
with features but without updates to the underlying hardware interface blobs.
The incentive for OEMs to update drivers for security goes down radically, not
up, because the users crying out for OS feature x get it without having to
update anything below the abstraction layer.

Ultimately the problem with Android driver security is that Qualcomm has no
interest in it, and won't until some form of legislation from a large
territory such as the US, EU or China forces their hand on it.

~~~
pjmlp
No they won't, because Google keeps saying that even with Treble, OEMs are the
ones responsible for pushing any kind of update, not Google.

So unless Google changes their mind, users will get the same amount of updates
as they are getting now on non-Treble devices.

------
kilon
Damn, it’s 2000 all over again. Cybermageddon is the most annoying thing. It
always appears when I am in low supply of popcorn.

------
bitL
Hmm, so Apple confirms that Meltdown happens on ARM as well, interesting.
Likely their Axx chips are way faster than competition, allowing the timing
window in which to execute the attack, as Google suggested.

~~~
jlouis
The speed isn't the issue. It is all about speculation and prediction.

------
HugoDaniel
Does Geekbench test for TLB flushes at syscalls or whatever other kind of
"mitigation" they introduced in 10.13.2? Where can we see true benchmarks of
performance comparison between previous and current version in regards to this
bug? Isn't Apple being really nasty by exploiting the lack of knowledge of
the general public?

I am no expert in any way but would like to know how they "mitigated" this
without a serious performance hit.

~~~
Strom
You should try defining this mystical _true benchmark_ that you seek.

Apple decided that heavy userspace execution and web performance are
representative of common workloads. You are welcome to argue for a different
kind of workload. As it stands now, at best you're implying that it's common
for users to execute syscalls in a loop.

~~~
HugoDaniel
Can you tell with any degree of precision what kind of benchmark the
"GeekBench" is and does? What guarantees do you have that it is testing "real
world common workloads"?

Do you think common users execute Gaussian blurs in a loop and ray tracers
before performing rigid body physics in their "common workloads"? As you said,
I know I am welcome to argue for a different kind of workload, especially when
I am being taken for a fool.

~~~
Strom
I'm not too familiar with GeekBench, but I'm assuming it's userspace code.
Whether it traces rays or does something else isn't that important, because
the slowdown is with syscalls.

As for what common users execute, based on my observations over the years it's
mostly web browsing. However my personal vision of common workloads is a
distraction. I have made no claims to know common workloads. I merely stated
that Apple has chosen a particular set to be representative.

------
imagetic
What about macOS 10.12? I haven't seen enough stability across applications
with High Sierra to make the upgrade for work machines. I guess we'll have to
just wait it out to see what they actually release.

~~~
om2
It's gotten the same patches as 10.13. The original security advisory did not
mention it, but it's been revised now: [https://support.apple.com/en-us/HT208331](https://support.apple.com/en-us/HT208331)

    Kernel
    Available for: macOS High Sierra 10.13.1, macOS Sierra  10.12.6, OS X El Capitan 10.11.6
    Impact: An application may be able to read kernel memory
    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

------
torgard
> Intel said its chips, which power Macs and devices from other manufacturers,
> contain the flaw as well as processors based on ARM Holdings architecture,
> which is used in iOS devices and Android smartphones.

Has it been proven that Meltdown can affect ARM processors, or is this Intel
speculation?

~~~
Kikawala
Meltdown affects Intel chips, Spectre affects Intel, AMD, and ARM chips.

~~~
Xorlev
Spectre likely affects any chip with speculative execution, regardless of
vendor, even things like Power8. So that's fun.

~~~
ksec
"We have people everywhere" - Mr White.

Did Google name it Spectre after the James Bond movie?

And I thought AMD put out a release saying they are not affected.

~~~
Mindwipe
I imagine it was named Spectre because it's going to be haunting us for years
to come.

------
blinkingled
So nothing required on hardware side? I was under the impression that OEMs
need to send out BIOS/UEFI Firmware updates or at least CPU Microcode updates
but doesn't look like Apple is planning to do so.

~~~
nly
Microcode updates will come down the pipe to users as OS updates as Intel uses
these channels.

~~~
blinkingled
Yeah I think if a UEFI update comes down it might bring the mitigated uCode
with it. Just got to boot into USB macOS installation - don't think Boot Camp
users get those updates.

------
MBCook
They say the watches aren’t affected.

Is it possible that they don’t do speculative execution?

~~~
jmull
I think it's only Meltdown that the watch isn't affected by.

It sounds like it is potentially affected by Spectre, especially since they
say they will be continuing to develop mitigations for WatchOS.

The surprising thing to me is that they patched iOS to mitigate Meltdown.
Before now, I thought it was only Intel chips that were affected by Meltdown,
but I guess Apple's own A-series processors are affected too.

~~~
pkaye
Yes some ARM Cortex A-series are affected by a variant of Meltdown.
[https://developer.arm.com/support/security-update](https://developer.arm.com/support/security-update)

------
Jyaif
I wonder if Apple can retro-actively add the retpoline trick to the apps
submitted in bitcode. If so, then I expect Apple to make bitcode mandatory.

------
walterbell
What about iOS10 users who need to run 32-bit apps?

~~~
scarface74
How long has Apple warned users that 32 bit software wasn't going to be
supported?

For context, the only phones that are not being supported by the latest patch
are iPhones introduced before 2013.

~~~
walterbell
If the app vendor has gone out of business and there is substantial data in
the 32-bit app, there may be no upgrade alternative.

~~~
scarface74
And can you name a few real world examples?

~~~
walterbell
Several are named here:
[https://tidbits.com/article/17342](https://tidbits.com/article/17342)

~~~
scarface74
I haven't dug into the list too carefully but would you really use a
productivity app from a small company that doesn't have any way to export the
data?

Even my third party podcast client supports exporting to OPML.

------
liamzebedee
Are secrets within the secure enclave vulnerable? e.g. Bitcoin wallet keys

------
lowbloodsugar
So, older versions not fixed? Who is most likely to be running older version?
Corporations? Ah, they probably don't care.

~~~
coldcode
Sierra and El Capitan are covered too.

~~~
lowbloodsugar
Do you have a source for that because:

a) The article above doesn't mention it (specifically says 10.13), and

b) There are no updates available for my mac.

------
chx
> but there are no known exploits impacting customers at this time

known by whom? Apple? Then say "we do not know of any exploits". Is the answer
different for the NSA? Who the f knows?

