By Selena Larson and Jethro Mullen, CNN Money
Apple users haven’t been spared in the great computer chip debacle.
The U.S. tech giant has confirmed that all its iPhones, iPads and Mac computers are affected by two recently disclosed processor flaws called Spectre and Meltdown.
(Cybersecurity expert Bryce Boland explains how the flaws, called Meltdown and Spectre, affect computers and smartphones and what it will take to fix the vulnerabilities. Courtesy of CNN Money and YouTube. Posted on Jan 4, 2018)
So what should Apple (AAPL) users do?
For starters, make sure your iPhone, iPads, computers and all apps you use are kept up to date to help protect against hackers exploiting the flaws.
In an announcement Thursday, Apple (AAPL) said it has released patches to defend against Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2.
Apple will release patches in its Safari browser to help defend against Spectre “in the coming days,” the company added.
But it’s still working on other fixes that users should look out for.
“We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,” Apple said.
Pointing out that the risks are likely to come from “a malicious app,” Apple also advised users to download software “only from trusted sources such as the App Store.”
Like other big tech companies that are scrambling to deal with the problem, Apple sought also to reassure users.
“There are no known exploits impacting customers at this time,” it said.
The Apple Watch isn’t impacted by the Meltdown flaw.
Researchers first announced the two flaws affecting virtually all computer processors on Wednesday.
Here’s the issue:
Modern processors are designed to perform something called “speculative execution” to enhance performance.
Data is supposed to be protected and isolated, but researchers discovered that in some cases, the information can be exposed while the processor queues it up.
Researchers said almost every computing system — desktops, laptops, smartphones, and cloud servers — is affected by the Spectre bug. Meltdown appears to be specific to chips made by Intel.
Other major companies rolling out fixes include Microsoft (MSFT), Amazon (AMZN) and Google(GOOGL).
Fixing the problems will slow a computer’s performance, experts say, especially on devices more than five years old.
Intel (INTC) said that “for the average user,” the performance impact on products using the processors from the last five years “should not be significant and will be mitigated over time.”
The bigger challenge appears to be for companies that deal with a lot of network traffic and considerable processing power — things like cloud computing providers, retailers that process consumer transactions and medical systems that crunch data.
Some experts say that to completely get rid of the risks created by the flaws, the affected processors need to be replaced entirely. But that’s not realistically going to happen anytime soon.
There aren’t any processors available at the moment that can replace the vulnerable ones and still provide the same kind of functionality.
Experts say that it will take years to bring to market new chips that can perform the same tasks both safely and effectively.
Original post http://money.cnn.com/2018/01/04/technology/business/apple-macs-ios-spectre-meltdown/index.html
Update Your Software Today. Seriously.
Chances are you own a smartphone or computer that contains a chip hackers could potentially exploit to get access to sensitive information.
That’s because billions of devices are affected by two major security flaws revealed by cybersecurity researchers on Wednesday.
The flaws — dubbed Meltdown and Spectre — affect processing chips made by Intel (INTC), AMD (AMD) and ARM Holdings.
That means if you use a desktop, laptop, smartphone or cloud service from Apple (AAPL), Google (GOOGL), Amazon (AMZN) or Microsoft (MSFT) you might be vulnerable.
Don’t panic. Here’s what you should do.
1. Update your software!
Spectre is the main threat because it is present in billions of devices. Meltdown appears to affect only Intel chips.
The U.S. government-funded Software Engineering Institute initially said vulnerable chips may eventually have to be replaced altogether. It subsequently updated its guidance to say that software updates can provide a partial fix for now.
“Because chip replacements are not going to happen tomorrow, realistically, software is being updated,” Sitaram Chamarty, a security researcher at Tata Consultancy Services, told CNNMoney.
Chamarty says that while Spectre may be tougher to combat, the threat from Meltdown can be mitigated through the software updates.
“It has to kind of trickle down, hopefully in another few days it will all be done,” he added.
Intel says it is working with AMD and ARM to fix the problem, and many tech firms have already released — or are about to release — software updates to secure their devices.
Microsoft has already released security updates for Windows users, and is taking steps to protect users of its cloud computing services. Google and Amazon are also updating their cloud services.
Apple said Thursday that it had already issued fixes for Meltdown for its various operating systems, and added that it plans to release similar fixes in its Safari browser “to help defend against Spectre” in the coming days.
“We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,” Apple said.
Dell (DVMT) said it was “working with Intel and others in the industry to investigate and address the issue.” It directed customers to Intel’s statement, and said it would post “a list of affected platforms and remediation” soon.
2. Brace yourself for slower devices
An unfortunate downside of the software updates is that they might slow your computers and smartphones.
Patches deployed to combat the flaws could slow computers by as much as 30% depending on what you’re trying to do, according to estimates posted on Linux message boards.
Intel said it does not expect users to experience any performance issues. Experts disagree.
“Processor slowdowns trickle down from data centers to everyone using the internet,” said Bryce Boland, chief technology officer for Asia at cybersecurity firm FireEye.
“People will feel many of their mobile devices taking a performance hit.”
Chamarty says removing the vulnerability requires a fundamental change in the way modern processors operate — a function called “speculative execution” — a change that could drastically reduce speeds.
“If you’re going to disable this, then you’re back to … many, many years ago, we’re talking 10 years,” he added. “Imagine running at those speeds now.”
3. Wait, watch and hope
The good news: The vulnerabilities provide new avenues for hackers to mount attacks, but analysts say doing so is not straightforward.
“The effort to mount this attack is quite significant,” Chamarty said.
The heavy lifting could dissuade hackers from targeting anyone but “big fish” such as heads of government agencies, he added.
But the downside is that there isn’t really a permanent solution at the moment, meaning hackers could have plenty of time to figure out a way in.
“Resolving this issue will take time and incur costs,” Boland said. “Vulnerable systems will likely remain in operation for decades.”
Chamarty warned that even the mass replacement of computer chips may not necessarily help.
“It seems to be a cost of the way processors are currently designed, there’s no true solution currently in sight,” he said.
“If somebody finds an ingenious method by which [attacks] can be made more generic, less cumbersome to mount… then we have real problems.”
Selena Larson, Yazhou Sun and Vinayak Dewan contributed to this report
Original post http://money.cnn.com/2018/01/04/technology/spectre-meltdown-cpu-flaws-explainer/index.html?iid=EL