On 8 January, Apple made available iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities making the headlines of late. (If you need a full rundown about what these processor bugs entail and how they work, take a moment to read Paul Ducklin’s comprehensive post on the topic.)
This iOS update specifically addresses CVE-2017-5753 and CVE-2017-5715, two chip-level vulnerabilities collectively known as Spectre. All of the chip-level vulnerabilities including Spectre, at a very high level, take advantage of flaws in hardware to allow an attacker to potentially read or steal data.
Thankfully, these flaws can be mitigated at an operating system or software level when vendors make patches available. The two Spectre vulnerabilities can be triggered via Javascript running in a web browser, so the iOS 11.2.2 update specifically makes changes to Apple’s Safari and WebKit to mitigate their effects.
There were a number of chip vulnerabilities revealed concurrently earlier this month – they’re similar but not the same. Often mentioned in the same breath as Spectre is Meltdown, CVE-2017-5754. While Meltdown affects most types of Intel processors made since 1995 – meaning almost all the world’s desktops, laptops, and servers – Spectre affects an even broader array of processor types, not just Intel, but AMD and ARM as well.
Most of the world’s smartphones, including iPhones and Samsung phones, run on ARM chips. While yes, technically, Spectre makes most of us with a smartphone in our hands vulnerable, thankfully the Spectre flaws have been found by vendors and researchers to be much harder to exploit overall than Meltdown, so it hasn’t been as high a priority for a fix.
So if we got a Spectre patch yesterday and Spectre’s a lower priority, where is the fix for Meltdown? After all, Meltdown is not mitigated by this iOS patch. That’s because Apple already released an update to mitigate Meltdown: The Meltdown fix was in the iOS 11.2 update back in December, though we didn’t know it at the time. (If you check the iOS 11.2 patch notes, you’ll see that the full details on the Kernel-level update, and the CVE addressed, were only added on 4 January.)
In fact, the vast majority of us didn’t know about Meltdown’s existence until January. However, according to the official Meltdown research paper, the researchers who discovered Meltdown were able to effectively work within a responsible disclosure period with vendors to get patches out for OSX, Windows and Linux prior to public disclosure. So kudos to all involved there and hooray for coordinated disclosure.
If you’re an iOS user on iPhone or iPad, this iOS 11.2.2 update should already be available to you to download and install – as always, we recommend you patch as soon as you can. Hopefully you’ve already applied the December iOS 11.2 update to get the fix for Meltdown!
(Are you a Google Android user wondering where your update is? Google issued a patch for you back on 5 January for the two Spectre vulns and the Meltdown vulnerability.)
Naked Security
Apple issues Spectre fix with iOS 11.2.2 update
On January 8, Apple made available iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities making the headlines as of late.
N.
If Meltdown primarily affects Intel chips, what necessitated Apple to push out of a fix for iOS back in December? (I believe I read that AMD chips were vulnerable to Meltdown, but to a much lesser extent than Intel’s. Perhaps the ARM architecture has a similar, reduced exposure?)
Also, a follow-up question on Apple. Apple has stopped issuing any updates for my older, 32-bit iPad. Shouldn’t they be at least offering security updates, if not feature updates?? I think there’s an article in there for someone.
Thanks!
Steve
Apple has used Intel CPU chips for years.
Paul Ducklin
The OP was asking about iOS, which runs on ARM chips.
AFAIK, both macOS (Intel CPUs) and iOS (ARMs) got updates late last year to provide some mitigation against the F**CKWIT problem caused by the fact that modern chips sometimes “run ahead of themselves” by executing machine code instructions internally before they’re needed, in the hope of saving time.
(Turns out there’s a cost to security because if these “just in case” instructions turn out to be prohibited, it may be too late to stop an attacker figuring out what happened inside the CPU.)
So far we know about two main classes of attack against this “run ahead of yourself” problem, broadly known as Meltdown and Spectre. They work similarly but affect different parts of different chips to different degrees, and need a range of different mitigations. Thee mitigations may include patches to the microcode of the CPU itself, patches to the OS, patches in some applications such as browsers…
TL;DR, you can almost certainly expect a whole range of different patches, updates and mitigations and so on for the F**CKWIT problem, from lots of different vendors, over the next few weeks. Maybe months. This is one of Apple’s updates; it patches Safari and WebKit, Apple’s browser codebases.
Laurence Marks
Last time that Intel had a serious chip bug, the FDIV bug, they replaced the chips. Why are consumers letting them get away with being so stingy this time?
Paul Ducklin
The division bug was a much more clear-cut fault: there was an error in the hardwired constants used in the division algorithm and IIRC no microcode mitigation was possible.
It’s easy to diss Intel and decide they owe you money, but in respect of this flaw [a] this is how chips have worked for 20 years [b] it’s not only Intel chips that have been designed this way.
Anais Gonzalez
I do not know if this update 11.2.2. was suppose to make it better, but it really not. first as soon as the update was completely it automatically deactivated my touch id. I cannot set it up, cannot put it back to enable it, nothing it will not work. Also my battery runs out quick and the phone heats up quickly as well, not did it only give me that problem but the recognition to have the home screen button on my phone does not work at all. they say is a hardware problem, no it began with the damn download of the updated software that is suppose to make it better. please help.
Paul Ducklin
As far as I am aware, the 11.2.2 update only changed the Safari ap and WebView component (which you can think of as the mini-Safari browser window that other apps use). So there wasn’t any major change to the iOS operating system internals. So it is really hard to see how this could have caused the symptoms you are describing. I’m afraid I can’t offer you any more than that.