Intel Security Flaw - Meltdown and Spectre

cnoboa
New Contributor II

Hello,

I have been searching the web to see if anyone has any information on new macOS security updates regarding this security risk. I have seen that this issue may have been resolved in 10.13.2 and 10.13.3, but no word on those Macs still on El Capitan or Sierra. Has anyone else come across anything?


donmontalvo
Esteemed Contributor II

Note to self, push out 10.13.2 to many thousands of Macs.

#done

Just kidding...N-0 is a red herring.

Nothing from Apple yet, alerted our rep.

--
https://donmontalvo.com

jpadilla
New Contributor

I called our Enterprise Support and they could not confirm a fix.

msiedenburg
New Contributor II

Edit: Never mind, was mistaken

keaton
Contributor

"macOS has been patched to counter the chip design blunder since version 10.13.2, according to operating system kernel expert Alex Ionescu." - Source

Also: https://twitter.com/aionescu/status/948609809540046849

Update: Official statement from Apple

Randydid
Contributor II

I have reached out to my Apple Education reps. Awaiting a response.

/randy

donmontalvo
Esteemed Contributor II

@keaton thanks for the link, refreshing to know Apple is all over this...Meltdown already addressed (10.13.2 and those two security patches), and that we should see patches in the coming days for 10.12/10.11.

About speculative execution vulnerabilities in ARM-based and Intel CPU

--
https://donmontalvo.com

PF-Admin
New Contributor II

"Meltdown is a name given to an exploitation technique known as CVE-2017-5754"

"This document describes the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan."

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read kernel memory
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology
Entry added January 4, 2018

tranatisoc
New Contributor II

Any word from Apple if these weaknesses also affect 10.10.x, 10.11.x, or 10.12.x?

Thanks for confirmation.

FritzsCorner
Contributor III

Has anyone done any performance benchmark comparisons on a Mac before and after vulnerability security updates? My understanding is that any performance hit would be when the CPU is running in the kernel-space and not so much in the user-space. Am I understanding this correctly? We want to have a good understanding of any perceived performance degradation the patches may or may not cause so it can be communicated to our high end developers and power users.

exno
Contributor

I imagine those here may be aware of it now, but Apple has updated the CVE-2017-5754 Mitigation notes to remove 10.12 and 10.11 as available for patch.

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read kernel memory
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology
Entry updated January 5, 2018

Also, another discussion was created in regards to AWS/Jamfcloud: https://www.jamf.com/jamf-nation/discussions/26646/cpu-hardware-vulnerable-to-side-channel-attacks-meltdown-and-spectre

If you use Jamfcloud it could be another useful discussion to keep an eye on.

Jamf Admin Fun Time!

donmontalvo
Esteemed Contributor II

@exno if this turns out to be the case, where 10.11/10.12 won't get patched, we may get to finally be at N minus ZERO. 🙂

Even more exciting...the idea that perhaps in a dark room at the Mother Ship, Apple's elves are developing a display monitor adapter for Apple watch... #tongueInCheek

https://support.apple.com/en-us/HT208394


--
https://donmontalvo.com

donmontalvo
Esteemed Contributor II

@FritzsCorner the updated article mentions performance impact of the patches.

Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.

--
https://donmontalvo.com

exno
Contributor

@donmontalvo n-0 sounds like chaos. And I do enjoy me some chaos.

I’d rather the elves work on a Mac Pro everyone will enjoy. But since that in itself is a big task, the Apple Watch monitor would be nice too.

Jamf Admin Fun Time!

Nix4Life
Valued Contributor

Hi guys, if anyone is running RHEL/CentOS in their environment, the patch is out. We are currently in testing, but have not observed any CPU spikes so far.
L

roiegat
Contributor II

Anyone else still waiting for a Sierra fix? Seems Apple is dropping the ball big on this.

donmontalvo
Esteemed Contributor II

Open a ticket with Apple, let them know how many Macs you're managing, and ask for an ETA for 10.11/10.12 fix for Meltdown.

A couple of my colleagues in large enterprise got a response to the effect that they're working on 10.11/10.12 patches for Meltdown, but are not able to provide an ETA.

--
https://donmontalvo.com

PatrickD
Contributor II

FYI

Security Update 2018-001 for El Capitan and Sierra, patching Meltdown, was released on Jan 23. https://support.apple.com/en-au/HT208465

Crucial to test before mass deployment as unsupported Kernel Extensions will cause kernel panics on reboot. See this thread.

https://www.jamf.com/jamf-nation/discussions/26832/2018-001-safari-update-causing-crashes-on-10-12-6
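The advice in the thread comes down to two pre-deployment checks: confirm which Meltdown fix a given Mac actually has, and find third-party kernel extensions before pushing Security Update 2018-001. The following shell script is an added example, not code from the thread, from Jamf or from Apple. It works on captured command output so it can be run anywhere: it maps the macOS version to the fix Apple's advisories name for CVE-2017-5754 (10.13.2 or later, or Security Update 2018-001 on 10.12.6 and 10.11.6) and lists loaded kexts whose bundle identifier is not under com.apple. It assumes the inputs are the text of `sw_vers -productVersion`, `system_profiler SPInstallHistoryDataType` and `kextstat`; the sample history and kextstat text at the bottom is constructed, and com.example.vpnfilter is a placeholder identifier.

```shell
#!/bin/sh
# Added example, not from the thread: pre-deployment checks for the
# Meltdown (CVE-2017-5754) updates. Inputs are captured command output so the
# logic can be tested off-box; wire it to sw_vers / system_profiler / kextstat
# on the Mac itself.

# meltdown_status PRODUCT_VERSION INSTALL_HISTORY_TEXT
# Prints "patched", "unpatched" or "unknown"; returns 0 only when patched.
# Mapping follows Apple's HT208394 (10.13.2) and HT208465 (Security Update
# 2018-001 for Sierra and El Capitan) as referenced in the thread.
meltdown_status() {
  version="$1"
  history="$2"
  # third dotted component, e.g. 10.13.2 -> 2; plain "10.13" counts as 0
  patch=$(printf '%s' "$version" | cut -d. -f3)
  patch=${patch:-0}
  case "$version" in
    10.13|10.13.*)
      # High Sierra: the kernel fix ships in the 10.13.2 point release
      if [ "$patch" -ge 2 ]; then echo patched; return 0; fi
      echo unpatched; return 1 ;;
    10.12.6|10.11.6)
      # Sierra / El Capitan: only Security Update 2018-001 carries the fix
      # (the earlier 2017-002/2017-005 entries were withdrawn by Apple)
      if printf '%s\n' "$history" | grep -q 'Security Update 2018-001'; then
        echo patched; return 0
      fi
      echo unpatched; return 1 ;;
    *)
      # older trains or unexpected strings: no Apple guidance to apply
      echo unknown; return 2 ;;
  esac
}

# third_party_kexts KEXTSTAT_TEXT
# Prints the bundle identifier (column 6 of kextstat) of every loaded kext
# that is not under com.apple., one per line. These are the candidates for
# the post-update kernel panics the thread warns about.
third_party_kexts() {
  printf '%s\n' "$1" | awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# --- constructed sample data (not captured from a real Mac) ---
SAMPLE_HISTORY='    Security Update 2018-001:

      Version: 1.0
      Source: Apple
      Install Date: 24/01/2018, 09:12'

SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   87 0xffffff7f80c78000 0x8e70     0x8e70     com.apple.kpi.bsd (16.7.0)
   22    0 0xffffff7f81a2d000 0x9000     0x9000     com.example.vpnfilter (1.2.3) <5 4 3 1>'

# Stand-alone run: report on the constructed sample as if it were a 10.12.6 Mac.
# On a real Mac replace the samples with:
#   "$(sw_vers -productVersion)" "$(system_profiler SPInstallHistoryDataType)"
#   "$(kextstat)"
echo "meltdown: $(meltdown_status 10.12.6 "$SAMPLE_HISTORY")"
echo "third-party kexts to test before deploying:"
third_party_kexts "$SAMPLE_KEXTSTAT"
```

The version check is deliberately conservative: anything outside the trains Apple named returns "unknown" rather than guessing, and on 10.12.6/10.11.6 only the 2018-001 string counts, since the 2017-002/2017-005 updates were removed from the CVE-2017-5754 entry as noted earlier in the thread.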