For Apple users worried about the Spectre and Meltdown CPU security vulnerabilities – what we’ve been collectively referring to as F**CKWIT – it’s been a busy and slightly confusing few weeks.
First, on January 8, macOS High Sierra 10.13.2 users were offered a supplemental update (including for Safari and WebKit) meant to mitigate Spectre (CVE-2017-5753 and CVE-2017-5715).
Two weeks on and we have the 2018-001 update, a scheduled collection of security fixes including one that addresses Meltdown (CVE-2017-5754) for users running the older macOS Sierra 10.12.6 or OS X El Capitan 10.11.6.
Separately, iOS got the same treatment, in December (for Meltdown), when nobody knew about it, and then again in mid-January (for Spectre), when they did.
(If you need a reminder of why Meltdown and Spectre are a big deal, read Naked Security’s explainer.)
The latest updates coincide with Intel issuing a rather confusing advisory, warning system makers to stop shipping a version of its Meltdown and Spectre patches after reports that they caused some systems to reboot unnecessarily.
Apparently, Apple’s updates don’t include the Intel code that might be causing this, because the warning was aimed at high-end systems used mainly by cloud service providers.
Into the kernel
Elsewhere in 2018-001 – implemented on macOS High Sierra as 10.13.3 – there is a sprinkling of kernel-level security fixes worthy of attention.
These include the memory validation flaw (CVE-2018-4093), and memory initialization issue (CVE-2018-4090) in High Sierra, reported by Google Project Zero researcher Jann Horn, who helped uncover Spectre and Meltdown.
Next come two flaws that might allow malware to access restricted memory (CVE-2018-4092 affecting all desktop versions and CVE-2018-4097 affecting macOS High Sierra 10.13.2, macOS Sierra 10.12.6.).
Closing out the kernel-level theme is a memory corruption vulnerability that could allow a malicious program to run code with kernel privileges (CVE-2018-4082).
There are several more intriguing flaws, including the one affecting remote code execution (RCE) on Sierra and High Sierra, discovered by a team from South Korea’s Yonsei University (CVE-2018-4094) who spotted that “a maliciously crafted audio file may lead to arbitrary code execution.”
Plus three WebKit flaws in High Sierra (CVE-2018-4088, CVE-2018-4096, and CVE-2018-4089, the latter one of two in this month’s list discovered by Google’s OSS-Fuzzing system), and one in Wi-Fi (CVE-2018-4084, affecting all desktop versions).
Mobile users, meanwhile, get iOS 11.2.5, which fixes 13 CVEs, while for the Safari browser, which reaches 11.0.3, it’s three.
A notable iOS fix is for the recently-reported “ChaiOS” LinkPresentation flaw (CVE-2018-4100) that could allow a malicious text message to crash the device (affecting wrapping text on pages, this is also patched on desktop versions).
There’s even something for Windows users in the shape of security fixes for iTunes (Windows 7 onwards) and iCloud for Windows 7.3.