Apple rolls out more Meltdown and Spectre fixes as the Linux founder calls Intel’s patches “utter garbage”
A serious design flaw present in all of Intel’s CPUs made in the past ten years was recently found to leave devices vulnerable to hackers, and it requires an operating system (OS) update to fix.
The so-called Meltdown flaw affects all systems running Intel x86 chips and is present across all popular operating systems, including Windows, Linux and macOS. A second flaw, dubbed Spectre, was initially thought to only affect Intel, AMD and ARM cores, but Nvidia recently joined that list.
Since the disclosure, Google, Microsoft and chip manufacturers have been scrambling to fix the Spectre and Meltdown vulnerabilities.
Apple recently confirmed all iPhones and iPads are affected by both Meltdown and Spectre, and the Apple Watch is affected by Spectre. It already issued fixes for the flaws as part of iOS 11.2.2 and has now rolled out a further patch to protect older Mac devices.
In particular, iOS 11.2, macOS 10.13.2 and tvOS 11.2 will protect devices against Meltdown, and iOS 11.2.2 will offer a fix for the rest of the vulnerabilities. The tech giant has additionally released a fix for Meltdown for the latest versions of macOS Sierra (10.12.6) and OS X El Capitan (10.11.6). These operating systems were not initially patched, with Apple choosing to release a so-called “supplemental security update” for macOS 10.13.2.
Intel has been hit with at least three class-action lawsuits by plaintiffs in California, Oregon and Indiana seeking compensation for the flaws. All three criticise Intel for not disclosing the vulnerabilities earlier, despite being told by security researchers about them in June. The company was also heavily criticised for the fact that many of the fixes issued by manufacturers and software developers have been slowing devices down.
“We believe the performance impact of these updates is highly workload dependent,” Krzanich said. “We expect some may have a larger impact than others, so we’ll continue working with the industry to minimise the impact on those workloads over time.”
None of these criticisms, however, have been quite as brutal as those more recently made by Linux founder Linus Torvalds. In a post to the Linux kernel mailing list, Torvalds described Intel’s patches as “complete and utter garbage,” adding “Somebody isn’t telling the truth here. Somebody is pushing complete garbage for unclear reasons.”
And while manufacturers attempt to plug the holes, hackers have been working on fake patches, riddled with malware and distributed via dubious websites claiming to be supported by security authorities.
This fake patch looks official but actually lets malware known as Smoke Loader loose on your computer, potentially posing a greater threat than the original Meltdown and Spectre vulnerabilities.
The malware-infested patch was discovered by security firm Malwarebytes, which reported it found a particularly nasty variation on a German spoof site, sicherheit-informationstechnik.bid. The website offers advice about the vulnerabilities and then a download link with a zip file attached.
The download is called Intel-AMD-SecurityPatch-10-1-v1.exe – a filename that looks pretty legitimate, but users who install it onto their computer will find it is actually laced with the Smoke Loader malware, which causes the computer to connect to domains and send encrypted information to them via additional payloads.
“The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update,” researcher Jerome Segura wrote in a blog post.
He added that the company contacted Comodo and CloudFlare to report the dodgy download, and they immediately stopped the malware from operating. The company added that its own software protected against the malware immediately.
“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns,” Segura added. “This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.”
Meltdown and Spectre: What are they?
A security blog post from Google researchers explains that last year its Project Zero team found serious security flaws in Intel, AMD and ARM chips caused by “speculative execution”, a technique used by most modern processors (CPUs) to optimise performance.
Project Zero researcher Jann Horn showed that hackers could take advantage of this flaw to read system memory that should be out of bounds. For example, they could use the bug to read passwords, encryption keys or private data in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine.
“These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them,” the blog continued.
As soon as Google learned of the attack, it said it updated its systems and affected products. It also began working with hardware and software manufacturers to help protect their users and the web.
The biggest issue, besides the security vulnerability itself, is that fixing the flaw will cause “significant declines in performance for the affected machines”. This means your computer or phone could become as much as 30% slower in the pursuit of being safer.
Google has published a technical breakdown. Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday.