Apple Says Meltdown Was Patched in iOS 11.2, macOS 10.13.2, and tvOS 11.2, with No Measurable Impact to Speed


Apple said in a statement Thursday that the Meltdown security hole was “mitigated” in already-shipped patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2. More importantly for those concerned about a potential hit to speed, Apple said the “updates resulted in no measurable reduction in the performance of macOS and iOS.”

The company also said a Safari update that would “mitigate” the Spectre security hole is coming.

Meltdown and Spectre are significant security vulnerabilities that affect Macs, Windows PCs, Linux boxes, iPhones, Android devices, and many other devices with processors. Apple said Apple Watch was not vulnerable to Meltdown.

Apple’s statement on Meltdown:

Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Apple’s statement on Spectre:

Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or “bounds check bypass,” and CVE-2017-5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.

Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

Note that in both cases, Apple referred to its updates as “mitigations,” rather than “patches.” That choice of wording is most likely related to the complexity of the problems involved and the fundamental ways in which they affect how operating systems do their jobs.

7 thoughts on “Apple Says Meltdown Was Patched in iOS 11.2, macOS 10.13.2, and tvOS 11.2, with No Measurable Impact to Speed”

  • It seems leaving a stinker of feedback with Apple regarding the vagueness of what they have patched has done the trick.

    https://support.apple.com/en-us/HT208331

    Kind of getting ridiculous with Apple these days. They obviously think with their fat salaries that we are equally rolling in it and will keep feeding mammon by sucking up every new product they release.

    In more recent years Apple has defined itself as a maker of products for the upper-middle classes. This was patently obvious and driven home when Angela Ahrendts took over the retail division and stated that Apple was a luxury brand.

    From 2006 to about 2011 Apple were producing some very good kit at reasonable prices for professionals, where you had the option not to fall into the Apple Tax for build to order additions such as RAM etc. You could go out and purchase those components for less and upgrade the hardware yourself.

    But…That is no longer the case. Everything is sealed and components are soldered in. There is no specific entry sub €3,000 for professionals and Apple seems to be producing finite life products with disposability and obsolescence in mind.

    Will it be the death knell for Apple? I don’t know? But many of us are not such ardent fans anymore.

  • Is there anywhere online that officially states the patches are available or have already been issued in the past as far back as El Capitan? The only OS I see mentioned is 10.13.

      @JustCause,

      According to Apple’s release notes, the latest iOS 11.2.1 works on iPhones from 5S and iPads from Air onward. I have a 2013 iPad Air and a 2016 iPhone 7 and upgraded both without issue.

      Regarding Macs, I am still using an early 2008 iMac. It is running the most recent OS X it can run, El Capitan 10.11.6. A security patch is available for that version of OS X as well. It appears that that is the oldest OS X to have a patch available.

      I applied the patch to my ten year old iMac without incident. So far I’m not seeing performance hits on any of the three devices, either, although I’ll want to run Photoshop on the iMac to be sure.

      So, again, it looks like patches are available for iPhone 5S and newer, iPad Air and newer, and any Mac capable of running El Capitan 10.11.6, including a ten year old iMac. That’s pretty darn good backwards compatibility in my book!

  • But what about iOS devices that are blocked from 11.xx updates? They’re still in use and presumably just as vulnerable- doesn’t Apple have an obligation to “mitigate” their risk as well? It’s not like users have control over what iOS their device can accept!

  • To me Patch means there is a problem and the software fixes it so the problem no longer exists. Mitigate means there is a problem but the software makes it so the flaw is no longer a danger, but it still exists.
    To fill in a hole is a patch. To build a bridge over it is to mitigate it.

    “Semantics is my life” Arthur Dietrich
