Apple Releases Spectre Patches for Safari, macOS and iOS

Apple released iOS 11.2.2 on Monday for iPhone, iPad and iPod touch models to patch the Spectre vulnerabilities. A macOS High Sierra 10.13.2 supplemental update was also released to bolster Spectre defenses in Apple’s Safari browser and in WebKit, the browser engine used by Safari, Mail, and the App Store.

This is the second update from Apple since last week’s disclosure of the Meltdown and Spectre processor vulnerabilities, which affect CPUs worldwide. Apple previously released mitigations against Meltdown in updates that included iOS 11.2, macOS and tvOS 11.2.

Monday’s three updates are the macOS High Sierra 10.13.2 supplemental update, Safari 11.0.2, and iOS 11.2.2. Each update “includes security improvements” to mitigate the two known methods for exploiting Spectre: “bounds check bypass” (CVE-2017-5753, Spectre variant 1) and “branch target injection” (CVE-2017-5715, Spectre variant 2).

Apple said the Safari 11.0.2 update is available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6. The macOS High Sierra 10.13.2 supplemental update includes security updates for Safari and WebKit. iOS 11.2.2 is for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

According to experts, Spectre is a much more difficult attack to carry out than Meltdown because it breaks the isolation between different applications. At the same time, it will also be harder to patch.

There is also a greater sense of urgency with Spectre. A Meltdown attack scenario requires an attacker to already have a foothold on the targeted system. Spectre opens up certain types of remote attack scenarios such as browser-based attacks, according to researchers.

Last week Mozilla, along with Microsoft and Google, updated their browsers to increase the time it takes to execute certain JavaScript operations that could be used to exploit the Spectre flaws, making exploitation much harder – but not impossible.

“A JavaScript attack being able to pull memory contents of the browser could result in pulling credentials and session keys, which bypasses a lot of security protections,” said Jimmy Graham, director of product management at Qualys, in a previous interview with Threatpost.

Apple is not releasing any additional technical details of the patches, including what penalty, if any, they may have on device performance.

Source: ThreatPost
