On 8 January, Apple made available iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities making the headlines of late. (If you need a full rundown of what these processor bugs entail and how they work, take a moment to read Paul Ducklin’s comprehensive post on the topic.)
This iOS update specifically addresses CVE-2017-5753 and CVE-2017-5715, two chip-level vulnerabilities collectively known as Spectre. At a very high level, all of the chip-level vulnerabilities, including Spectre, take advantage of flaws in hardware to allow an attacker to potentially read or steal data.
Thankfully, these flaws can be mitigated at an operating system or software level when vendors make patches available. The two Spectre vulnerabilities can be triggered via JavaScript running in a web browser, so the iOS 11.2.2 update specifically makes changes to Apple’s Safari and WebKit to mitigate their effects.
There were a number of chip vulnerabilities revealed concurrently earlier this month – they’re similar but not the same. Often mentioned in the same breath as Spectre is Meltdown, CVE-2017-5754. While Meltdown affects most types of Intel processors made since 1995 – meaning almost all the world’s desktops, laptops, and servers – Spectre affects an even broader array of processor types, not just Intel, but AMD and ARM as well.
Most of the world’s smartphones, including iPhones and Samsung phones, run on ARM chips. While yes, technically, Spectre makes most of us with a smartphone in our hands vulnerable, thankfully the Spectre flaws have been found by vendors and researchers to be much harder to exploit overall than Meltdown, so it hasn’t been as high a priority for a fix.
So if we got a Spectre patch yesterday and Spectre’s a lower priority, where is the fix for Meltdown? After all, Meltdown is not mitigated by this iOS patch. That’s because Apple already released an update to mitigate Meltdown: the Meltdown fix was in the iOS 11.2 update back in December, though we didn’t know it at the time. (If you check the iOS 11.2 patch notes, you’ll see that the full details on the kernel-level update, and the CVE addressed, were only added on 4 January.)
In fact, the vast majority of us didn’t know about Meltdown’s existence until January. However, according to the official Meltdown research paper, the researchers who discovered Meltdown were able to effectively work within a responsible disclosure period with vendors to get patches out for OS X, Windows and Linux prior to public disclosure. So kudos to all involved there and hooray for coordinated disclosure.
If you’re an iOS user on iPhone or iPad, this iOS 11.2.2 update should already be available to you to download and install – as always, we recommend you patch as soon as you can. Hopefully you’ve already applied the December iOS 11.2 update to get the fix for Meltdown!
(Are you a Google Android user wondering where your update is? Google issued a patch for you back on 5 January for the two Spectre vulns and the Meltdown vulnerability.)