Intel Security Flaw - Meltdown and Specter

Note to self, push out 10.13.2 to many thousands of Macs.

#done

Just kidding...N-0 is a red herring.

Nothing from Apple yet, alerted our rep.

I called our Enterprise Support and they could not confirm a fix.

Edit: Never mind, was mistaken

"macOS has been patched to counter the chip design blunder since version 10.13.2, according to operating system kernel expert Alex Ionescu." - Source

Also: https://twitter.com/aionescu/status/948609809540046849

Update: Official statement from Apple

I have reached out to my Apple Education reps. Awaiting a response.

/randy

@keaton thanks for the link, refreshing to know Apple is all over this...meltdown already addressed (10.13.2 and those two security patches), and that we should see patches in the coming days for 10.12/10.11.

About speculative execution vulnerabilities in ARM-based and Intel CPU

"Meltdown is a name given to an exploitation technique known as CVE-2017-5754"

"This document describes the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan."

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read kernel memory
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology
Entry added January 4, 2018

any word from apple if these weaknesses also affect 10.10.x, 10.11.x, or 10.12.x.

thanks for confirmation

Has anyone done any performance benchmark comparisons on a Mac before and after vulnerability security updates? My understanding is that any performance hit would be when the CPU is running in the kernel-space and not so much in the user-space. Am I understanding this correctly? We want to have a good understanding of any perceived performance degradation the patches may or may not cause so it can be communicated to our high end developers and power users.

I imagine those here may be aware of it now, but Apple has updated the CVE-2017-5754 Mitigation notes to remove 10.12 and 10.11 as available for patch.

Kernel Available for: macOS High Sierra 10.13.1 Impact: An application may be able to read kernel memory Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology Entry updated January 5, 2018

also another discussion was created in regards to AWS/Jamfcloud https://www.jamf.com/jamf-nation/discussions/26646/cpu-hardware-vulnerable-to-side-channel-attacks-meltdown-and-spectre

If you use Jamfcloud it could be another useful discussion to keep an eye on.

@exno if this turns out to be the case, where 10.11/10.12 won't get patched, we may get to finally be at N minus ZERO. :)

Even more exciting...the idea that perhaps in a dark room at the Mother Ship, Apple's elves are developing a display monitor adapter for Apple watch... #tongueInCheek

https://support.apple.com/en-us/HT208394

@FritzsCorner the updated article mentions performance impact of the patches.

Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.

@donmontalvo n-0 sounds like chaos. And I do enjoy me some chaos.

I’d rather the elves work on a Mac pro everyone will enjoy. But since that’s in itself is a big task. The Apple Watch monitor would be nice too.

Hi Guys, If anyone is running RHEL/CentOS in their environment , the patch is out. We are currently in testing, but have not observed any CPU spikes so far.
L

Anyone else still waiting for a Sierra fix? seems Apple is dropping the ball big on this.

Open a ticket with Apple, let them know how many Macs you're managing, and ask for an ETA for 10.11/10.12 fix for Meltdown.

A couple of my colleagues in large enterprise got response to the effect, they're working on 10.11/10.12 patches for Meltdown, but are not able to provide an ETA.

FYI

Sec Update for 2018-001 released for El Capitan and Sierra to patch Meltdown released on Jan 23. https://support.apple.com/en-au/HT208465

Crucial to test before mass deployment as unsupported Kernel Extensions will cause kernel panics on reboot. See this thread.

https://www.jamf.com/jamf-nation/discussions/26832/2018-001-safari-update-causing-crashes-on-10-12-6