In the fight against the two well-known vulnerabilities Meltdown and Spectre, Apple has made a new move by releasing two more security updates (together with version 10.13.3 of macOS High Sierra). The updates are designed to address the vulnerabilities on computers that remain on macOS Sierra and OS X El Capitan. The updates (officially Security Update 2018-001) provide a series of mitigations for both problems. Users of macOS Sierra 10.12.6 and OS X El Capitan 10.11.6 are advised to install the new package immediately as a security requirement.
Apple included a large number of mitigations in macOS High Sierra 10.13.2, but computers with older operating systems could not use them, so those machines remained without proper protection. The recent package fills that gap. The main packages so far include iOS 11.2 and macOS 10.13.2 (against Meltdown), and the Safari updates in iOS 11.2.2 and in the Supplemental Update for macOS 10.13.2 (against Spectre). More mitigations may be included in future High Sierra versions.
Spectre and Meltdown are hardware vulnerabilities that affect most processors. The problem is truly global: Apple confirms that all its Mac and iOS devices are impacted.
Both Spectre and Meltdown work through the CPU's speculative execution mechanism. Spectre affects microprocessors that perform branch prediction. Speculative execution that follows a branch misprediction can leave observable side effects, which an attacker may use to reveal private information. Meltdown takes advantage of a race condition that is inherent in most modern CPUs. The race occurs between memory access and privilege checking during instruction processing. Meltdown allows an unauthorized process to read data from addresses that are mapped into the memory space of the current process.
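To make the branch-misprediction case concrete, the following added example (not Apple's code and not from the original article) shows a plain bounds check next to a form hardened with index masking, one widely used software mitigation for this class of problem. The table contents and the names `lookup_checked`, `lookup_masked` and `index_mask` are illustrative assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16 /* constructed sample size */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Plain bounds check. Architecturally correct, but if the branch is
 * mispredicted the CPU may perform the load with an out-of-range index
 * before the comparison resolves, leaving a cache side effect. */
uint8_t lookup_checked(size_t index)
{
    if (index < TABLE_LEN)
        return table[index];
    return 0;
}

/* All-ones when index < size, zero otherwise, computed without a branch.
 * Valid for size <= SIZE_MAX/2 + 1; uses only unsigned arithmetic. */
size_t index_mask(size_t index, size_t size)
{
    size_t out_of_range =
        (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return out_of_range - 1;
}

/* Hardened form: the index is clamped through data flow, so a load that
 * runs speculatively past the check can only reach table[0]. */
uint8_t lookup_masked(size_t index)
{
    if (index < TABLE_LEN)
        return table[index & index_mask(index, TABLE_LEN)];
    return 0;
}

int main(void)
{
    printf("%u %u\n", (unsigned)lookup_masked(3), (unsigned)lookup_masked(1000));
    return 0;
}
```

An optimizing compiler is free to turn the mask computation back into a branch, so production code relies on a vetted primitive or a compiler hardening option rather than a hand-written mask.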
The vulnerabilities are common to both Apple and PC machines. The software mitigations sometimes behave differently on the two platforms. Many serious security issues have been reported on Intel-powered PCs as a result of installing the security patches, while Apple computers apparently have not experienced such problems.
So far, not all the countermeasures have been successful. Thus, the Spectre mitigations in Safari produced no measurable impact on the Speedometer and ARES-6 tests and only a minor impact (2.5%) as measured by the JetStream benchmark.