Apple users haven’t been spared in the great computer chip debacle.
The U.S. tech giant has confirmed that all its iPhones, iPads and Mac computers are affected by two recently disclosed processor flaws called Spectre and Meltdown.
In fact, researchers say almost every computing system – desktops, laptops, smartphones, and cloud servers – is affected by the Spectre bug. Meltdown appears to be specific to chips made by Intel.
Other major companies rolling out fixes include Microsoft, Amazon and Google.
Here’s the issue: Modern processors are designed to perform something called “speculative execution” to enhance performance. Data is supposed to be protected and isolated, but researchers discovered that in some cases, the information can be exposed while the processor queues it up.
What do you do?
There are limits to what consumers can do now to protect their computers.
Advice from the U.S Computer Emergency Readiness Team’s was grim. The federal organization says that “fully removing the vulnerability” requires replacing the hardware already embedded in millions of computing devices.
That’s not to say nothing can be done.
Consumers can mitigate the underlying vulnerability by making sure they patch up their operating systems with the latest software upgrades. There are already Meltdown patches for Microsoft’s Windows, Apple’s macOS and Linux. Mozilla says it’s also implementing a short-term mitigation that disables some capabilities of its Firefox browser. Google says Android devices are protected if they have the latest security updates.
“If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” security researcher Rob Graham said in a blog post Thursday. “If you aren’t up to date, then there’s a lot of other nasties out there you should probably also be worrying about.”
Apple fixes
So what should Apple users do?
For starters, make sure your iPhone, iPads, computers and all apps you use are kept up to date to help protect against hackers exploiting the flaws.
In an announcement Thursday, Apple said it has released patches to defend against Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Apple will release patches in its Safari browser to help defend against Spectre “in the coming days,” the company added.
But it’s still working on other fixes that users should look out for.
“We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,” Apple said.
Pointing out that the risks are likely to come from “a malicious app,” Apple also advised users to download software “only from trusted sources such as the App Store.”
Like other big tech companies that are scrambling to deal with the problem, Apple sought also to reassure users.
“There are no known exploits impacting customers at this time,” it said.
The Apple Watch isn’t impacted by the Meltdown flaw.
Other products hit
Fixing the problems will slow a computer’s performance, experts say, especially on devices more than five years old.
Intel said that “for the average user,” the performance impact on products using the processors from the last five years “should not be significant and will be mitigated over time.”
The bigger challenge appears to be for companies that deal with a lot of network traffic and considerable processing power — things like cloud computing providers, retailers that process consumer transactions and medical systems that crunch data.
Some experts say that to completely get rid of the risks created by the flaws, the affected processors need to be replaced entirely. But that’s not realistically going to happen anytime soon.
There aren’t any processors available at the moment that can replace the vulnerable ones and still provide the same kind of functionality.
Experts say that it will take years to bring to market new chips that can perform the same tasks both safely and effectively.
By maker: A breakdown
- Intel Inside
Intel is at the center of the problem because it supplies the processors used in many of the world’s PCs. Researchers say one of the bugs, called Meltdown, affects nearly every processor it’s made since the mid-1990s.
While security flaws are typically limited to a specific company or product, Intel says the problem is “not a bug or a flaw in Intel products” but rather a broader problem affecting processing techniques common to modern computing platforms.
Both the chipmaker and Google, which informed Intel about the vulnerability in June, said they were planning to disclose the issue next week when fixes will be available. Tech companies typically withhold details about security problems until fixes are available so that hackers wouldn’t have a roadmap to exploit the flaws. But in this case, Intel was forced to disclose the problem Wednesday after British technology site The Register reported it, causing Intel’s stock to fall.
Most of the immediate fixes will be limited to the Meltdown bug. The other, Spectre, is harder to fix, but also harder to exploit, making it less of an immediate threat to consumer devices.
- Other chipmakers
While researchers say the Meltdown bug is limited to Intel processors, they have verified Spectre as a problem for Intel, Advanced Micro Devices and ARM processors. AMD chips are also common in PCs, while ARM chips are found in many smartphones and other internet-connected products, including cars and home appliances.
AMD said there is “near zero risk” to its own processors, either because its chips are designed differently, or security fixes for Microsoft Windows and other operating systems will take care of the problem. ARM Holdings said it’s working with Intel, AMD and operating system vendors to address the problem. The ARM design is also used in Apple’s mobile chips. Apple said late Thursday that all of its devices are affected, but it’s already made fixes to help defend against Meltdown in laptops and phones and soon plans to release mitigations in the Safari browser to help defend against Spectre.
- Securing the cloud
The bugs also affect cloud-computing services powering much of the internet. These services, offered by Amazon, Microsoft, Google, IBM and others, give smaller companies access to data centers, web hosting and other services they need to run their businesses. But these cloud services also use computers with the same types of problem chips.
Unauthorized access will be difficult to detect so cloud-computing providers need to act quickly to protect against these vulnerabilities, said Ryan Kalember, senior vice president of cybersecurity at Proofpoint. The good news, he said, is that major cloud providers have known about this for months and have had time to tackle the problem.
