So if we got a Spectre patch yesterday and Spectre’s a lower priority, where is the fix for Meltdown? After all, Meltdown is not mitigated by this iOS patch. While yes, technically, Spectre makes most of us with a smartphone in our hands vulnerable, thankfully the Spectre flaws have been found by vendors and researchers to be much harder to exploit overall than Meltdown, so it hasn’t been as high a priority for a fix. Most of the world’s smartphones, including iPhones and Samsung phones, run on ARM chips. While Meltdown affects most types of Intel processors made since 1995 – meaning almost all the world’s desktops, laptops, and servers – Spectre affects an even broader array of processor types, not just Intel, but AMD and ARM as well. Often mentioned in the same breath as Spectre is Meltdown, CVE-2017-5754. There were a number of chip vulnerabilities revealed concurrently earlier this month – they’re similar but not the same. The two Spectre vulnerabilities can be triggered via Javascript running in a web browser, so the iOS 11.2.2 update specifically makes changes to Apple’s Safari and WebKit to mitigate their effects. Thankfully, these flaws can be mitigated at an operating system or software level when vendors make patches available. All of the chip-level vulnerabilities including Spectre, at a very high level, take advantage of flaws in hardware to allow an attacker to potentially read or steal data. This iOS update specifically addresses CVE-2017-5753 and CVE-2017-5715, two chip-level vulnerabilities collectively known as Spectre. (If you need a full rundown about what these processor bugs entail and how they work, take a moment to read Paul Ducklin’s comprehensive post on the topic.) On 8 January, Apple made available iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities making the headlines of late.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |