
About the security content of updates for High Sierra, Sierra, El Capitan - cylo
https://support.apple.com/en-us/HT208331?updated
======
0x0
So I guess the interesting thing here is that if you visit
[http://webcache.googleusercontent.com/search?q=cache%3Ahttps...](http://webcache.googleusercontent.com/search?q=cache%3Ahttps%3A%2F%2Fsupport.apple.com%2Fen-us%2FHT208331) you'll see that yesterday's version of this document claimed
that the fix for CVE-2017-5754 was "Available for: macOS High Sierra 10.13.1,
macOS Sierra 10.12.6, OS X El Capitan 10.11.6" (search for "2018" to find
"Entry added January 4, 2018").

Now it just says "Available for: macOS High Sierra 10.13.1". (search for
"2018" to find "Entry updated January 5, 2018")

~~~
lunixbochs
Yesterday's version was wrong:
[https://twitter.com/lunixbochs/status/949121236428181508](https://twitter.com/lunixbochs/status/949121236428181508)

This is the diff:
[https://twitter.com/lunixbochs/status/949374313978875904](https://twitter.com/lunixbochs/status/949374313978875904)

I wouldn't be surprised if they actually do patch soon (someone posted on
Reddit about seeing a Security Update 2018-001 beta in their app store).

------
HugoDaniel
As a comparison:

\- Apple was warned about this half a year ago and cannot give certainty that
their previously current OS is patched (High Sierra was only announced in
June, about the same time they were warned about Meltdown)

\- DragonflyBSD, arguably the underdog of the BSDs, was not warned about the
bug, like apparently all the other BSDs, and has now committed the patch to
their current OS version
[http://lists.dragonflybsd.org/pipermail/users/2018-January/3...](http://lists.dragonflybsd.org/pipermail/users/2018-January/313758.html)

Apple needs to step up their game.

------
ape4
These issues are new to us (not just on Apple). But I wonder how long they
have been known to the NSA.

~~~
andr
In the past few days there were a handful of links dated as far back as 2006,
directly explaining the attack vector, or strongly hinting at it. So, the
likelihood that NSA and a bunch of other groups knew is 100%.

Unfortunately, Intel knew, too, and didn't bother fixing it in the next 6
generations of their CPUs since they originally admitted the issue with the
Intel Core 2.

~~~
bunfunton
How can you say the likelihood is near 100%?

I'd bet much smarter people work at Google than the NSA.

~~~
chillacy
I would point out that nearly all those smart people at Google are working on
product teams, not security teams, and that enough good security researchers
still go to the NSA.

Also, the NSA still tapped Google for up to 6 years, and might have continued
doing so to this day if it weren't for Snowden.

But then again, these weren't in his leaked documents so maybe not.

------
miles
Thanks for this update; Apple has changed the text since yesterday. I pasted
the original text just 18 hours ago:
[https://news.ycombinator.com/item?id=16076658](https://news.ycombinator.com/item?id=16076658).

------
nkkollaw
Is Apple screwing up a lot lately, or is it me..?

~~~
willstrafach
Information regarding security fixes is published every time there is an OS
update. This one is actually from December, although the following was added
today:

> Kernel

> Available for: macOS High Sierra 10.13.1

> Impact: An application may be able to read kernel memory

> Description: Systems with microprocessors utilizing speculative execution
> and indirect branch prediction may allow unauthorized disclosure of
> information to an attacker with local user access via a side-channel
> analysis of the data cache.

------
sctb
We've updated the title from “Apple retracts confirmation that Meltdown is
fixed in 10.12 and 10.11”, which is the sort of thing that makes a fine
initial comment but not what the guidelines ask for headlines.

~~~
zeveb
I think that 'About the security content of macOS $SOMEVERSION' is far less
useful as a headline.

~~~
sctb
Whatever the headline is needs to come from the article, and we're more than
happy to update it again if someone can suggest a better one.

~~~
Michielvv
Although I agree more with the original title, as that would be the exact
message I need at this time, I would suggest to then at least also include
Sierra, and El Capitan in the title as the fact that the document was updated
is most relevant for users of those systems. Maybe reflect that something
changed as well. Maybe:

About the security content of macOS High Sierra, Sierra and El Capitan
[updated]

~~~
sctb
Sure thing, we've updated the title to include the other releases, but we'll
let the article speak for itself on what was updated and when.

------
staplers
Can't delete comments, so an actual question will destroy my karma count...
great system, HN.

~~~
harryh
Because it's very easy to see how this flaw came about.

Branch prediction and caching are necessary for modern processor performance,
and it turns out that these two features can interact in a way that allows
software to employ timing attacks to determine memory state for areas of
memory that shouldn't be readable.

