[Update 01/08: Apple releases new security update to protect Safari against the Spectre attack]
In case you have missed recent media reports, a security vulnerability in Intel and other tech companies’ CPUs has been discovered that affects nearly every major platform.
Named Meltdown and Spectre, the security vulnerabilities allow programs to steal data that is currently being processed on the computer. As MacRumors has reported, the companies involved have begun to make statements about the issue.
For those concerned about how the vulnerability might affect them, spectreattack.com has put together a Q&A with extensive information about the bug including which systems are affected and what can be done, as well as more technical information about Meltdown and Spectre.
Below is a summary of each bug via spectreattack.com:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Unfortunately, Apple has rescinded its earlier inclusion of Sierra and El Capitan in the Meltdown fix update. It now appears clear that those of us on Sierra and El Capitan have not had our systems patched yet. https://support.apple.com/en-gb/HT208331
Holy Moly, R! Thanks for posting this. I would not have thought to re-check that page and would have mistakenly believed that all was well with the world. This is terrible news, as I am on a mission-critical system and am not certain that an upgrade to High Sierra is safe for all the software that I use.
From https://discussions.apple.com/thread/8225527:
“The Apple Security pages say that the security updates late last year included Meltdown fixes for Sierra and El Capitan as well as High Sierra. https://support.apple.com/en-au/HT208331 ”
No they do not. Read it more carefully: Meltdown is mentioned only in respect to the 10.13.1 update. A number of other security fixes are mentioned, but this is the only one that mentions Meltdown.
Who is filing the class action suit and when?
So, I am running a MacPro4,1 and am wondering how I protect myself since I am unable to update to Sierra or High Sierra?
Flash your 4.1 then upgrade to Sierra.
Your Mac Pro Early 2009 supports running OS X 10.11.6. El Capitan received the patch for this vulnerability in early Dec 2017. Make sure that your OS is the most current and that all security updates have been applied.
Apple reported that it patched High Sierra with the 10.13.2 update. But what about macOS 10.12 and 10.11? I’ve seen no mention of patches for them.
The issue was patched in 2017-005 El Capitan and 2017-002 Sierra updates on Dec 6, 2017.
Patch impact on Mac performance?
I have not noticed any impact on performance on my Mid 2010 MBP running macOS 10.12.6.