Apple has confirmed that its devices are vulnerable to the Meltdown and Spectre attacks disclosed by security researchers yesterday.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” Apple said.
“Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”
The company said it has already updated its operating systems to defend against Meltdown. Specifically, mitigations were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown.
“In the coming days we plan to release mitigations in Safari to help defend against Spectre,” said Apple.
“We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”
Meltdown and Spectre
Meltdown and Spectre are vulnerabilities which exploit a feature in modern processors called speculative execution.
“Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU,” Apple explained.
“To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.”
Meltdown mainly affects Intel processors, which are used in Mac computers, and ARM-based processors that use Cortex-A75 cores.
Spectre affects all modern processors and while it is more difficult to exploit, it is also more difficult to defend against.