
Apple Releases New Security Updates to Protect Safari against the Spectre Attack

by Charles Humble on Jan 08, 2018. Estimated reading time: 2 minutes


When the news broke last week of two side-channel attacks - Spectre and Meltdown - Apple stated that it had already released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and that fixes for Spectre would follow. Today the firm has released a trio of security updates aimed at protecting Safari and WebKit against the Spectre attack. The three updates make changes to iOS, macOS and the Safari browser itself.

As Chris Swan noted in his report for InfoQ over the weekend, browsers are a particular target for the Spectre vulnerability since they can potentially be exploited via JavaScript running in the browser. Similar patches have already been released for Chrome and Firefox.

As is typical, Apple provides few details beyond making it clear which vulnerabilities are targeted, but in the release notes the firm does thank the researchers responsible for finding the bugs, including Jann Horn of Google Project Zero. Writing on the official WebKit blog, however, Filip Pizlo provides more details on the various issues and makes it clear that there are still more fixes to come.

WebKit’s response to Spectre is a two-tiered defence:
1. WebKit has disabled SharedArrayBuffer and reduced timer precision.
2. WebKit is transitioning to using branchless security checking in addition to branch-based security checking.

Some of these changes shipped in the Jan 8 updates and more such changes are continuing to land in WebKit.
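To illustrate the difference between the branch-based and branchless checking named in the quote above, here is an added example (not WebKit's code and not from the original article) of a bounds check followed by a branchless index mask. The function names are hypothetical, and the optimizer barrier assumes GCC or Clang.

```c
#include <stddef.h>
#include <stdint.h>

/* All-ones when index < size, zero otherwise, computed without a branch.
 * Correct for any size up to 2^63. */
static inline uint64_t index_mask(uint64_t index, uint64_t size)
{
    /* When index >= size, (size - 1 - index) wraps and sets the top bit.
     * OR-ing with index also catches indices whose own top bit is set. */
    uint64_t out_of_range = (index | (size - 1 - index)) >> 63;
    return out_of_range - 1;          /* 0 -> all ones, 1 -> zero */
}

/* Branch-based check only: architecturally correct, but if the branch is
 * mispredicted the load can execute speculatively with an out-of-range i. */
int load_checked(const uint8_t *table, size_t len, size_t i, uint8_t *out)
{
    if (i >= len)
        return -1;
    *out = table[i];
    return 0;
}

/* Branch-based check plus branchless clamp: the mask is a data dependency
 * of the load, so even on a mispredicted path the index becomes 0 and the
 * access stays inside the table. */
int load_checked_masked(const uint8_t *table, size_t len, size_t i,
                        uint8_t *out)
{
    if (i >= len)
        return -1;
#if defined(__GNUC__)
    /* Hide i from the optimizer so it cannot use the branch above to
     * prove the mask is all ones and delete it. */
    __asm__ volatile("" : "+r"(i));
#endif
    i &= (size_t)index_mask(i, len);
    *out = table[i];
    return 0;
}
```

Both functions return the same results for every input; the difference is only in what the processor can do while the outcome of the branch is still being predicted.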

In a statement released on Thursday, Apple said that:

There are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. 

The company also stated that the Apple Watch is not affected by the Meltdown and Spectre vulnerabilities.

The relevant updates - iOS 11.2.2 and macOS High Sierra 10.13.2 - are both now available for free on compatible devices. iOS 11.2.2 is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. To install it, go to Settings > General > Software Update. High Sierra users should go to the Mac App Store. A Safari 11.0.2 update, which also addresses Spectre risks, is available for Macs running OS X El Capitan 10.11.6 and macOS Sierra 10.12.

Microsoft has also issued an update for Windows users - KB4056892 - although some users are reporting problems after installing it on AMD-powered PCs. Microsoft has now acknowledged the issue, blaming AMD’s documentation for the problem:

Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates. After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.

Microsoft’s support site has fixes to get machines back into a bootable state.
