
Apple Releases New Security Updates to Protect Safari against the Spectre Attack


When the news broke last week of two side-channel attacks - Spectre and Meltdown - Apple stated that it had already released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and that fixes for Spectre would follow. Today the firm has released a trio of security updates aimed at protecting Safari and WebKit against the Spectre attack. The three updates make changes to iOS, macOS and the Safari browser itself.

As Chris Swan noted in his report for InfoQ over the weekend, browsers are a particular target for the Spectre vulnerability since they can potentially be exploited via JavaScript running in the browser. Similar patches have already been released for Chrome and Firefox.

As is typical, Apple provides few details beyond making it clear which vulnerabilities are targeted, but the firm does thank the researchers responsible for finding the bugs, including Jann Horn of Google Project Zero, in the release notes. Writing on the official WebKit blog, however, Filip Pizlo provides more details on the various issues and makes it clear that there are still more fixes to come.

WebKit’s response to Spectre is a two-tiered defence:
1. WebKit has disabled SharedArrayBuffer and reduced timer precision.
2. WebKit is transitioning to using branchless security checking in addition to branch-based security checking.

Some of these changes shipped in the Jan 8 updates and more such changes are continuing to land in WebKit.
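To make the second tier concrete, here is an added illustration (not code from the WebKit post or from InfoQ) of the same bounds check written branch-based and branchless; the buffer, indices and the int32 size assumption are constructed for this example and say nothing about how WebKit's own implementation is laid out.

```javascript
// Added example, not from the WebKit blog or InfoQ: the same bounds check
// written branch-based and branchless. Buffer contents and indices are
// constructed here for the demonstration.

// Branch-based check. The comparison is a conditional branch; a CPU that
// mispredicts it can speculatively perform the load with an out-of-range
// index before the branch resolves (the Spectre variant 1 pattern).
function branchBasedRead(arr, index) {
  if (index >= 0 && index < arr.length) {
    return arr[index];
  }
  return undefined;
}

// Branchless check. A mask is derived from the index and length with pure
// arithmetic, so there is no branch to mispredict, and the index used for
// the load is always in [0, length) regardless of what the caller passed.
// Assumption: lengths and indices are int32 (below 2^31).
function inBoundsMask(index, length) {
  const i = index | 0;
  const len = length | 0;
  // (i - len) is negative exactly when i < len; ~i is non-negative exactly
  // when i >= 0. AND-ing them leaves the sign bit set only when both hold,
  // and the arithmetic shift spreads that bit into all ones (-1) or zero.
  return ((i - len) & ~i) >> 31;
}

function branchlessRead(arr, index) {
  const mask = inBoundsMask(index, arr.length);
  const safeIndex = (index | 0) & mask;   // clamped to 0 when out of range
  const value = arr[safeIndex];           // the load never leaves the array
  // The selection happens after the load, so even a wrong prediction here
  // cannot turn a caller-chosen index into an out-of-range memory access.
  return mask !== 0 ? value : undefined;
}

// Constructed sample buffer; both readers must agree on every index.
const sample = new Uint8Array([10, 20, 30, 40]);
function readersAgree(arr, indices) {
  return indices.every(i => branchBasedRead(arr, i) === branchlessRead(arr, i));
}
```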

In a statement released on Thursday, Apple said that:

There are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.

The company also stated that the Apple Watch is not affected by the Meltdown and Spectre vulnerabilities.

The relevant updates - iOS 11.2.2 and macOS High Sierra 10.13.2 - are both now available for free on compatible devices. iOS 11.2.2 is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. To install it go to Settings > General > Software Update. High Sierra users should go to the Mac App Store. A Safari 11.0.2 update, which also addresses Spectre risks, is available for Macs running OS X El Capitan 10.11.6 and macOS Sierra 10.12.

Microsoft has also issued an update for Windows users - KB4056892 - although some users are reporting problems after installing it on AMD-powered PCs. Microsoft has now acknowledged the issue, blaming AMD's documentation for the problem:

Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates. After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.

Microsoft's support site has fixes to get machines back into a bootable state.
