{"id":11014,"date":"2018-01-05T06:30:07","date_gmt":"2018-01-05T14:30:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/05\/news-4785\/"},"modified":"2018-01-05T06:30:07","modified_gmt":"2018-01-05T14:30:07","slug":"news-4785","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/05\/news-4785\/","title":{"rendered":"How Apple users can protect themselves against Spectre and Meltdown"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/01\/code_breach_security_crime_vulnerable_network_privacy-100745954-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Fri, 05 Jan 2018 06:26:00 -0800<\/strong><\/p>\n<p>Apple has <a href=\"https:\/\/support.apple.com\/en-us\/HT208394\" rel=\"nofollow\">confirmed<\/a> that all Macs, iPhones, iPads and other devices (bar Apple Watch) are vulnerable to the <a href=\"https:\/\/www.computerworld.com\/article\/3245767\/apple-mac\/apple-acts-as-digital-transformation-hits-panic-mode.html\">newly-revealed<\/a> Spectre and Meltdown Intel, ARM and AMD processor vulnerabilities.<\/p>\n<p>Taking advantage of a vulnerability that has been around for 20 years, Meltdown and Spectre exploit a CPU performance feature called \u201cspeculative execution\u201d. Speculative execution exists to improve computer speed by enabling the processor to work on multiple instructions at once, sometimes in non-sequential order.<\/p>\n<p>\u201cTo increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. 
If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software,\u201d Apple explains.<\/p>\n<p>Both Meltdown and Spectre take advantage of speculative execution to access privileged memory &#8212; including kernel memory &#8212; from a less-privileged user process such as a malicious app running on a device.<\/p>\n<p>In other words, it\u2019s possible to use these exploits to get your data, though Apple and others in the industry all say this is very challenging and that no known instances of use of these flaws have been seen. Yet. Apple says all its devices are vulnerable to the bugs, though Apple Watch is not susceptible to Meltdown.<\/p>\n<p>Apple has already published software updates that help defend (it calls it \u201cmitigate\u201d) against the Meltdown bug. iOS 11.2, macOS 10.13.2, and tvOS 11.2 all provide this protection. Apple hasn\u2019t said anything yet about plans to help secure older systems (which I think it must).<\/p>\n<p>Apple also plans to release mitigations in Safari to help defend against Spectre. \u201cWe continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,\u201d the company said.<\/p>\n<p>It\u2019s important all users update their OS and application software as updates are introduced. 
The company will likely introduce a succession of application and system updates as it seeks to make exploitation of these vulnerabilities increasingly difficult.<\/p>\n<p>Jailbreaking is pretty much a spent force on iOS; all the same, those who do jailbreak their devices are potentially more vulnerable to malware, particularly when vulnerabilities exist at a processor level.<\/p>\n<p>Apple states that:<\/p>\n<p>\u201cSince exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.\u201d<\/p>\n<p>When it comes to device security this is good advice at all times, but even Apple\u2019s App Store has seen rare incidents in which it has been tricked into distributing malware-laden apps \u2013 XcodeGhost is a particularly good example of this. Such moments are rare \u2013 Apple generally does an excellent job preserving device and platform security.<\/p>\n<p>When it comes to Spectre, Apple explains that it is possible (though extremely difficult) to\u00a0exploit the weakness in JavaScript running in a web browser. Apple will release an update for Safari for Macs and iOS devices in the next few days. That update will mitigate such exploit techniques.<\/p>\n<p>Mac and iOS users may want to avoid using browsers from Google, Microsoft or Mozilla. All three firms have <a href=\"https:\/\/in.reuters.com\/article\/us-cyber-microchips\/apple-researchers-eye-patches-to-solve-intel-chip-flaws-idINKBN1EU12H\" rel=\"nofollow\">confirmed<\/a> that at present their software does not protect iOS users against a potential Spectre attack. This will change \u2013 watch for security updates.<\/p>\n<p>It\u2019s good practice to be vigilant about what applications you run on your computer (Mac or iOS). 
Both these newly-revealed exploits need to be running on your system, so it makes sense to avoid installing or using any applications you don\u2019t trust, particularly those acquired from outside of the App Store.<\/p>\n<p>The oldest advice remains critical: Never click links from people you don\u2019t know. While no known exploits have been reported yet, hackers will certainly be working to develop malware to exploit these flaws.<\/p>\n<p>Monitor your secure accounts and services for instances of unauthorized access.<\/p>\n<p>Cloud service providers are also impacted. <a href=\"https:\/\/aws.amazon.com\/security\/security-bulletins\/AWS-2018-013\/\" rel=\"nofollow\">Amazon<\/a>, <a href=\"https:\/\/support.citrix.com\/article\/CTX231399\" rel=\"nofollow\">Citrix<\/a>, <a href=\"https:\/\/security.googleblog.com\/2018\/01\/todays-cpu-vulnerability-what-you-need.html\" rel=\"nofollow\">Google<\/a> and <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/securing-azure-customers-from-cpu-vulnerability\/\" rel=\"nofollow\">Microsoft<\/a> have all issued documents explaining what protections they have put in place.<\/p>\n<p>Apple says the mitigations against these processor flaws will have no measurable impact on device performance. You may experience a very slight reduction in Safari performance.<\/p>\n<p>If you are an enterprise user or SME, it just became extremely important that you conduct a systems audit. You need to make sure that any older (unpatched) systems are quarantined from your networks and ensure they are not carrying or handling any confidential data. It may well be time to dump those Windows XP databases and leaky legacy technologies.<\/p>\n<p>The consequences of these revelations will reverberate for a while, I fear. 
The challenge exists not just in modern but also in older systems, and with millions of those still in use it seems inevitable hackers will create exploits to attack less secure devices.<\/p>\n<p>This will inevitably create new layers of fire and fury as veteran systems still in use within critical infrastructure deployments are exploited. When it comes to Apple, the perpetual cat and mouse war to secure its platforms just developed a new battle front.<\/p>\n<p><strong>Google+?<\/strong>\u00a0If you use social media and happen to be a Google+ user, why not\u00a0join\u00a0<a href=\"https:\/\/plus.google.com\/u\/0\/communities\/102592251674546201152\" rel=\"nofollow\">AppleHolic&#8217;s Kool Aid Corner community<\/a>\u00a0and get involved with the conversation as we pursue the spirit of the New Model Apple?<\/p>\n<p><strong>Got a story? Please\u00a0<\/strong><a href=\"https:\/\/twitter.com\/jonnyevans_cw\" rel=\"nofollow\">drop me a line via Twitter<\/a>\u00a0and let me know. I&#8217;d like it if you chose to follow me there so I can let you know about new articles I publish and reports I find.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3246024\/apple-mac\/how-apple-users-can-protect-themselves-against-spectre-and-meltdown.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/01\/code_breach_security_crime_vulnerable_network_privacy-100745954-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Fri, 05 Jan 2018 06:26:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Apple has <a href=\"https:\/\/support.apple.com\/en-us\/HT208394\" rel=\"nofollow\">confirmed<\/a> that all Macs, iPhones, iPads and other devices (bar Apple Watch) are vulnerable to the <a 
href=\"https:\/\/www.computerworld.com\/article\/3245767\/apple-mac\/apple-acts-as-digital-transformation-hits-panic-mode.html\">newly-revealed<\/a> Spectre and Meltdown Intel, ARM and AMD processor vulnerabilities.<\/p>\n<h2><strong>What\u2019s the problem?<\/strong><\/h2>\n<p>Taking advantage of a vulnerability that has been around for 20 years, Meltdown and Spectre exploit a CPU performance feature called \u201cspeculative execution\u201d. Speculative execution exists to improve computer speed by enabling the processor to work on multiple instructions at once, sometimes in non-sequential order.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3246024\/apple-mac\/how-apple-users-can-protect-themselves-against-spectre-and-meltdown.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11078,10480,714],"class_list":["post-11014","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-apple-mac","tag-ios","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11014"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11014\/revisions"}],"wp:attachment":[{"hre
f":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}