In a security notice published Thursday night on its website, Apple disclosed that "all Mac systems and iOS devices" were affected by two recently disclosed security flaws, which researchers have nicknamed "Spectre" and "Meltdown." The announcement effectively means that the two vulnerabilities are likely the most common in computing history, as they affect computers that run multiple operating systems and use many different mass-produced central processing units that have been manufactured for decades.
The bugs were first discovered by security researchers working with Google's Project Zero initiative, which is dedicated to finding and exposing critical vulnerabilities in popular software and hardware. They were first disclosed last June to chip-makers Intel, AMD and ARM, and companies like Apple and Microsoft, which make hardware and software. There have been no known examples of malicious software that can take advantage of the security holes. Nonetheless, Google has emphasized that it would be essentially impossible to find such code because it would be undetectable by conventional anti-virus tools.
Both AMD and Intel have become the focus of criticism for their responses to the Meltdown and Spectre disclosures. In the case of AMD, the company has been condemned for releasing a software update to the Linux kernel whose documentation inadvertently disclosed the existence of the security holes, which allowed third-party developers to realize that the two flaws existed before Project Zero had disclosed them, and before they had been completely patched by various operating system vendors. Microsoft released a fix for its Windows operating system in November, but Apple has only patched its newest operating system releases so far.
Intel has come under attack for its misleading disclosure of the bugs; in particular, Intel released an obfuscatory press release that seemed to imply that rival companies' processors were just as vulnerable to the bug as Intel's processors — in effect, falsely deflecting blame. In actuality, Intel was more affected by the bug than other chip-makers; as Ars Technica noted, the "Meltdown" bug affects nearly all Intel chips designed for years, as well as just a few chips designed by ARM, meaning Intel actually has significantly more liability than ARM or AMD.
Additionally, Intel's CEO Brian Krzanich has come under fire after MarketWatch reported that he had sold millions of dollars in stock after the company had been informed that almost every processor it had manufactured since 1995 had two severe security vulnerabilities, but before that information was made public. If Krzanich was aware of the disclosure, the sale would likely be a criminal violation of insider trading laws.
In a response to MarketWatch, an Intel representative said that the stock sales were "unrelated" to the company's knowledge of the Meltdown and Spectre bugs.
Even after the two vulnerabilities are fully patched by operating system companies, they are still likely to cause trouble worldwide because many people refuse or don't know how to run updated software. The recent "WannaCry" virus that wreaked havoc worldwide on many old computers running Windows XP was an example of this phenomenon.