The latest device vulnerability emerged from a source many thought unlikely or impossible: the processor hardware. The cause boils down to the branch prediction algorithms (how processors gain performance and efficiency by effectively guessing what cached data is needed next), which can be exploited to reveal the data that is about to be processed. That data could be passwords, personal information, payment methods, or something innocuous. With the right piece of malware, then, all your base are belong to us… This exploit affects processor designs spanning a decade, including computers and smartphones, but the situation isn’t quite so dire.
Given the severity of the issue, the industry has seen information sharing and cooperation in the search for a solution, with many of the biggest technology companies combining resources in a giant think tank. As a result, patches were appearing within hours to combat the problem, and many users will have been patched by an update before this piece is published.
Apple has made a public statement about this issue, confirming that both macOS and iOS devices are affected. However, iOS devices are only susceptible if they’re jailbroken, due to the requirement that software be signed to run on iOS. The full patch to prevent this case is already in beta (iOS 11.2.5), allowing us to breathe a bit easier. The Mac side of things is more complicated and worrying.
macOS High Sierra has a partial patch for this issue as of 10.13.2, with full remediation in 10.13.3 (already in beta). This is where things take a turn for the worse. Apple has been mum about creating patches for prior versions of macOS. Their typical security strategy resolves issues for N-2 versions, or the current OS and the previous two versions (in this case, 10.11 El Capitan and 10.12 Sierra); however, there has been no comment from Apple about the plan to fix the older releases. So why not upgrade to High Sierra? It’s been a bag of hurt.
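For anyone inventorying a fleet against the version thresholds named above, the script below is an added example (not Apple’s tooling and not part of the original post). It classifies a macOS product version as unpatched, partially patched (10.13.2) or fully remediated (10.13.3 and later) according to the releases this post cites, and it compares versions numerically rather than as strings, because a plain string comparison would rank a hypothetical 10.13.10 below 10.13.3. The status labels and the `version_key` helper are my own choices; on a Mac it reads the running version with `sw_vers -productVersion`, elsewhere the functions can be called with a version string directly.

```shell
#!/bin/sh
# Added example: classify a macOS version against the Meltdown patch levels
# the post names (10.13.2 partial, 10.13.3 full). Labels are assumptions.

# Turn a dotted version such as "10.13.2" into a sortable integer
# (10*1000000 + 13*1000 + 2). Missing fields count as 0, so "10.13" works.
version_key() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  printf '%d' "$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))"
}

# Print one of: full, partial, unpatched-high-sierra, unpatched-older-release
meltdown_status() {
  key=$(version_key "$1")
  if [ "$key" -ge "$(version_key 10.13.3)" ]; then
    echo "full"
  elif [ "$key" -ge "$(version_key 10.13.2)" ]; then
    echo "partial"
  elif [ "$key" -ge "$(version_key 10.13.0)" ]; then
    echo "unpatched-high-sierra"
  else
    # 10.12 Sierra, 10.11 El Capitan and older: no patch announced at the
    # time of the post, so treat as unpatched regardless of point release.
    echo "unpatched-older-release"
  fi
}

# On macOS, report the running system; elsewhere do nothing at top level.
if [ "$(uname -s)" = "Darwin" ]; then
  current=$(sw_vers -productVersion)
  echo "macOS $current: $(meltdown_status "$current")"
fi
```

The numeric key is what makes the check safe against point releases with two-digit patch numbers; a `sort -V` or string `<` comparison would misorder them.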
With the fourteenth release of macOS, Apple heralded a further set of revisions to the Sierra codebase rather than a reinvention or revolutionary upgrade. This has brought new features and integrations with iCloud, as well as a new filesystem (APFS). Unfortunately, APFS seems to be at the root of some poor user experience, where some software doesn’t work properly or at all, and other features, like encryption, may not work for enterprise deployments. To make matters worse, bugs and other weirdness abound in the new OS, making it the rockiest release of macOS since 10.7 Lion. In my professional career, Lion was the only version of macOS I’ve seen widely skipped by users and enterprise due to continued problems. High Sierra is quickly gathering the nickname “son of Lion” for similar reasons.
The coming days will be telling for Apple’s future security strategy. An issue of Meltdown’s magnitude is so vital to patch that “just upgrade to the latest macOS” shouldn’t be the answer, especially with so many users facing usability and reliability issues when they upgrade. Here’s hoping Apple does the right thing and offers a patch for prior macOS releases.