Patrick Walsh
Originally published at blog.ironcorelabs.com.

To Update or To Wait: Apple's Spectre and Meltdown Patches

On January 23rd, Apple released another big security patch across all its operating systems and devices. The iOS, Watch, and Desktop release notes cover many of the same issues, but we’ll simplify by focusing on the updates to their current desktop OS, High Sierra.

The big vulnerabilities being fixed are:

  • Audio Files: an attacker can send a maliciously crafted audio file via email, text, etc., and if the file is played, arbitrary code can be executed.
  • IOHIDFamily: this is a local privilege escalation issue that’s mainly notable because it’s been around for a long time and because the researcher released their exploit code ahead of Apple issuing a fix.
  • Messages: a malicious link sent via a text message can crash a computer (or a phone, or any other device that receives the message).
  • Web: “malicious content” can lead to arbitrary code execution. There are two of these and not many details. One of the issues is in QuartzCore, the graphics rendering component; the flaw may involve animation handling or canvas drawing, but Apple’s notes don’t say. The other is a memory corruption issue. Both are dangerous in practice because a malicious ad or web page is enough to reach them: simply viewing the content could execute arbitrary code.
  • Kernel: There are six separate kernel fixes, ranging from letting an unprivileged process read restricted memory to executing arbitrary code with kernel privileges. The notes explicitly mention Meltdown but not Spectre. That said, the descriptions and the researcher citations suggest that Spectre is also addressed, at least in part.

So clearly this is an important update that fixes critical issues, a couple of which have public exploit code.

But there’s reason to be cautious about installing this update. This morning, Intel issued a statement that reads in part:

We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.

Meanwhile, Lenovo, Dell, Red Hat, and VMware have paused or retracted updates. Linux creator Linus Torvalds said this:

The patches are COMPLETE AND UTTER GARBAGE. … They do things that do not make sense.

Reportedly, the Intel microcode fixes make systems unstable, causing blue screens of death on Windows and, according to Red Hat, preventing some systems from booting.

Given that information and the lack of detail from Apple (does their security update include Intel’s microcode fixes?), Apple users are left to assume the worst: that this patch carries Intel’s flawed fixes and could leave a system unstable and slow. One distinction worth keeping in mind: the fix Intel withdrew is a CPU microcode update, whereas the kernel-level Meltdown mitigation is operating-system code. Apple’s notes don’t say whether any firmware or microcode update ships alongside this release.
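The one part of that question a user can answer on their own machine is whether the running CPU microcode changed across the update. The script below is an added example for this post, not something Apple publishes: it records the OS build (`sw_vers -buildVersion`) and the running microcode revision (`sysctl machdep.cpu.microcode_version`, which macOS exposes) before the update and again after the post-update reboot, then compares the two snapshots. It makes no claim about *how* Apple delivers microcode; it only reports whether the revision the CPU is running changed. The comparison logic is plain POSIX sh and runs anywhere; only the live snapshot needs macOS.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the values that show
# whether an Apple update changed the OS build and/or the running CPU
# microcode, then compare two snapshots. The live snapshot assumes macOS
# tools (sw_vers, sysctl machdep.cpu.microcode_version); the comparison
# only needs POSIX sh and works on saved snapshot files.

# snapshot FILE: record OS build and microcode revision. Run once before
# installing the update and once after the post-update reboot.
snapshot() {
    {
        printf 'build=%s\n' "$(sw_vers -buildVersion 2>/dev/null || echo unknown)"
        printf 'microcode=%s\n' "$(sysctl -n machdep.cpu.microcode_version 2>/dev/null || echo unknown)"
    } > "$1"
}

# field KEY FILE: print the value recorded for KEY in a snapshot file.
field() {
    sed -n "s/^$1=//p" "$2"
}

# compare BEFORE AFTER: print what changed. Exit status:
#   0  nothing changed
#   1  OS build changed only (software-side fixes, microcode untouched)
#   2  microcode revision changed (a microcode update came along, which is
#      the component Intel's statement asked vendors to stop shipping)
compare() {
    b_build=$(field build "$1");     a_build=$(field build "$2")
    b_ucode=$(field microcode "$1"); a_ucode=$(field microcode "$2")
    status=0
    if [ "$b_build" != "$a_build" ]; then
        echo "OS build: $b_build -> $a_build"
        status=1
    fi
    if [ "$b_ucode" != "$a_ucode" ]; then
        echo "CPU microcode: $b_ucode -> $a_ucode"
        status=2
    fi
    [ "$status" -eq 0 ] && echo "no change detected"
    return "$status"
}

# Typical use on a Mac:
#   snapshot ~/before.txt   # then install the update and reboot
#   snapshot ~/after.txt
#   compare ~/before.txt ~/after.txt
```

An exit status of 1 means the update changed only the OS build, so whatever it did for Meltdown and Spectre was done in software; a 2 means the processor is now running different microcode, which is exactly the component at the centre of Intel's stop-deployment advice. Either way you have a concrete data point instead of having to assume the worst.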

With only one day since the release of Apple’s security fixes, there’s very little data from users. The forums don’t seem to have anyone screaming about new problems since the update, which is a good sign.

So what should an Apple user do?

It’s a “security vs. reliability and performance” question, except we don’t know if Apple’s fixes are flawed in the same ways as other manufacturers’. So it’s the certainty of security fixes vs. potential stability issues.

If Apple had separated the Spectre and Meltdown fixes from the other security issues, the conclusion would be different. Meltdown and Spectre are not remote code execution bugs on their own: they let code that is already running on the machine (a local process, or, in Spectre’s case, potentially JavaScript in a web page) read memory it shouldn’t. That’s no small thing, but for most users the risk of waiting on those two alone is reasonable. But Apple delivers security updates in big lump batches, so fixes for remotely exploitable web and text message flaws are bundled into the same update as the CPU mitigations.

For my part, I believe the benefits outweigh the risks. Users should absolutely install this security update. If the instability were high and widespread, we’d probably have some early indications of it already.

About Patrick Walsh
I write and curate articles on cyber-security, privacy, encryption, law and the intersection of all of the above. I’m also the CEO of IronCore Labs, where we are changing how software is built to bring customers control of their data. To see more of this kind of content, follow our publication, The Salty Hash, on Medium. To learn more about IronCore Labs or get in touch, visit https://ironcorelabs.com.

Original photo by Kelly Sikkema