Yesterday, we told you about a pair of exploits called Meltdown and Spectre. We focused on the latter because it can affect ARM-flavored processors, which are used on mobile devices like Android and iOS smartphones. As we told you, Google's Android Security patch for January will help protect Android users from having passwords held in a browser, or in a password manager, stolen by a nameless, faceless hacker.
Apple has joined the club. The company said today that all of its Macs and iOS devices are vulnerable to the same issues. However, Apple says that it has already released mitigations in iOS 11.2 that protect iPhone units, iPod touches and iPad tablets from Meltdown. Apple Watch is not at risk since it runs watchOS. Apple says that despite fears from users, these updates have not slowed down the performance of the Apple devices that received them. Another update is coming to protect the Safari browser from Spectre. Apple says that this update can slow the browser, but by no more than 2.5%.
"The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device." -Apple
Apple says that there are currently no known exploits impacting users. Apple also added that, since it would take a malicious app to set off Meltdown or Spectre, it recommends that iOS and Mac users install apps from a trusted source only, such as the App Store.