contador web Saltar al contenido

Security flaws in processors affect Macs, requiring patches from Apple

Earlier today, technology news released large-scale posts based on a story from The Register, with details of a flaw in the x86 processor design discovered by security researchers a few weeks ago.

The article pointed the finger at the Intel, which planned to publish a formal announcement to the industry as soon as due patches corrective measures to be completed by operating system manufacturers including Apple, which was one of the organizations to deal with the matter in secret together with the Microsoft and the Linux Foundation.

The scope of the problem, however, is much larger than the original: the Google (research participant, through the Project Zero) subsequently revealed that two distinct bugs also cover processors from the OMG and ARM, effectively putting billions of devices at risk. In the list are not only Macs, but also PCs, smartphones and tablets from different platforms.

Processor manufacturers then moved quickly to refute the thesis that these are design flaws and describe their preventive actions as solutions to bugs. In the case of ARM, although it is not a chip producer, it is a company responsible for licensing its reference architectures to others, including Apple, which uses them on the A11 and its previous editions shipped on iPhones and iPads.

Apple's A11 Bionic chipPresentation of the A11, used on the iPhone X, in 2017

What are the bugs?

According to Google, they are based on a code optimization technique called speculative execution. Many systems on different platforms employ methods of this nature, whose function is to try to predict the actions to be taken by a computer before they are required. In this way, the execution interval is shorter and this offers gains for the user's experience, especially in applications that benefit from predictive execution such as file indexers and databases, for example.

What the research concludes is that this technique could be used in several families of processors to read memory contents of operating systems that should be restricted, especially given the work done over the years on Windows, macOS and Linux for this end. In the case of Intel, this leads to the most serious failure, called Meltdown, which allowed hackers to completely overcome the barrier between applications running in the context of the end user and the restricted memory of several operating systems, including macOS.

Due to the nature of this vulnerability, it does not only allow access to files, passwords and memory information from other programs. In virtual systems, it also allows access to the data content in execution memory of the host system, as well as that of other virtual machines running in parallel, as a consequence.

Meanwhile, the AMD and ARM families suffer from a similar vulnerability, called Specter, which offers hackers a means of extracting sensitive information from applications in memory, but with less scope of impact. Even so, the range of affected systems (almost any smartphone and tablet circulating around it) makes it more difficult to mitigate.

Immediate responses

The impact of speculation on the media has made processor manufacturers to anticipate the coordinated announcements that were expected. Intel had to respond in a hurry because the allegations pointed to the delivery of patches with a risk of loss of performance of up to 30% on laptops and workstations.

According to the company, any impact on performance depends on the type of task performed and, for home users, will not be significant and will be resolved over time. It also distributed firmware patches to be implemented on all affected operating systems.

New MacBook Air processor

According to representatives of AMD sought by the Axios, the risk of these vulnerabilities in branded products close to zero. ARM says that all Cortex-A families are affected, but bugs are mitigated via software.

Amazon, Google and Microsoft have published separate notes alleging that they are accelerating the publication of patches for their systems, including their public cloud environments, the most used in the world. A special update for Windows, for example, has already been released today.

What about macOS and iOS / watchOS / tvOS?

Reports show that these bugs have been tested on Macs, so they are clearly affected. However, in macOS High Sierra 10.13.2, Apple partially corrected the flaws reported today, according to the AppleInsider.

Apple Watch, iPhone, MacBook and Apple TV from the front (iProducts family)

Partially means that more bug-related adjustments Meltdown and Specter are yet to come in macOS 10.13.3, which is currently undergoing tests, but with no scheduled release date, the coordinated disclosure of information and corrections was scheduled for next week, so as Apple moved forward when embarking on a partial solution, it is likely that Today's polemics don't interfere with your schedule.

But what about reports of performance loss?

Well, at this point, the #batterygate confusion is nothing new for anyone, so speculation about the same thing happening on Macs will not be long in coming. However, according to Alex Ionescu, who closely monitors Apple's work, Macs with Intel processors manufactured after 2010 employ a feature called PCID Process-Context Identifiers), which Apple would be relying on to fix macOS with no chance of any major performance impact.

J us iGadgets, there are currently no reports of any proof of concept exploiting these bugs. Although Apple licenses reference architectures from ARM in its designs, the final design of the processors is extremely different and incorporates other proprietary technologies, so they may not necessarily be vulnerable.