iPhone and Mac users received a suite of updates to their devices at the start of the new year, most aimed at shutting down the Spectre and Meltdown exploits that could allow unauthorized access to anything stored or run on their devices. The vulnerabilities that allowed such exploits are not considered a flaw by Intel, which reports that they are working as intended in the company’s CPUs, which requires manufacturers and OS providers to address the problems directly. Users should update to the latest Apple security versions for the best protection against Spectre and Meltdown.
Spectre is an exploit that uses the speculative access granted by software between integrated systems to compromise the data stored on devices including the iPhone X and the latest Mac iterations. Speculative access lets computer chips make educated guesses about which paths information will flow through and then discard the excess data received.
The core Intel system that lies at the heart of the iPhone X and similar devices features a series of security checks using speculative access to make sure unwanted access is harder to obtain, but Spectre uses the data from these very checks to gain access to other systems and access user data on advanced, modern smartphones and desktop computer systems. The exploit was discovered by Jann Horn at Google Project Zero and Paul Kocher.
Meltdown goes directly from the OS to every application on a system instead of relying on the “error-proof” checks that Spectre uses. This gives it potential access to any data stored on the device and even allows remote operation of applications and unauthorized execution. Meltdown literally removes the safety checks that exist by appearing to be part of the operating system’s normal functioning, using the newly formed vulnerability to get into whatever systems may be available on the device.
This poses a similar threat to iPhone Face ID failures, giving total control to anyone who uses the exploit, but it is more insidious because it allows true OS-level system access. Meltdown was originally discovered and reported by Google’s Project Zero, Cyberus Technology and the Graz University of Technology.
The patches released by Apple address many of the key vulnerabilities the Spectre and Meltdown exploits require. These shut down much of the speculative access that allows the Intel CPUs to run quicker and execute systems faster, but they also dramatically reduce the security risk.
The most recent patches close almost all known vulnerabilities and areas of attack through Meltdown. Some Spectre vulnerabilities remain as of January 9, 2018, and Apple has announced they will continue to release patches to secure all affected systems. The speculative memory access vulnerability is inherent in the Intel CPUs and will take some time to correct, especially with the chip maker apparently unwilling to directly address the issue.
The most recent patches protect systems much more thoroughly against Meltdown, but there are many remaining concerns regarding Spectre. Because of the continued use of speculative memory access by the Intel hardware, Spectre and potentially other exploits continue to plague users and OS providers.
Intel awarded bounties for the responsible disclosure and reporting of both Meltdown and Spectre. The bounty system remains one of the best techniques for evaluating computer system security, and Apple is working to ensure that future releases of iOS, macOS and tvOS address as many of these vulnerabilities as possible.