Apple has confirmed that nearly all of its devices have been affected by the two major chip-level security flaws found earlier this week, Meltdown and Spectre.
Separately, US-CERT has changed its guidance for protection from replacing processor boards to simply applying patches.
Shadow Brokers is also purportedly offering the first exploits for the issues. As we previously reported, these can be described as “side channel” attacks that allow attackers to steal passwords, customer data, IP and more stored in the memory of programs running on a victim’s machine. They work across PCs, mobile devices and in the cloud; in the cloud scenario, this could theoretically allow an attacker in a guest VM to steal data from other customers’ VMs on the same public cloud server.
As for Apple, it admitted that all iPhones, iPads and Mac computers worldwide are vulnerable to the processor security flaws, but the Cupertino giant stressed that no customers have yet been targeted by exploits.
"All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time," Apple said in a blog post. "These issues apply to all modern processors and affect nearly all computing devices and operating systems."
That could change soon. Digital Shadows’ teams of security researchers have discovered that Shadow Brokers is offering purported exploits for sale on its Scylla Hacking Store, for $8,900.
“[Exploits] would likely involve users stealing this information to then take over machines and accounts,” said Digital Shadows, in an analysis. “Internet of things (IoT) devices are also susceptible as they run the same type of processors, and people are less likely to update these accordingly the same way they would their personal or work computers. A dedicated attacker could decide to use these vulnerabilities to find flaws and default passwords in IoT devices, which we saw led to the creation of the Mirai botnet.”
As Digital Shadows noted, with a price tag of many thousands of dollars, “Criminals do not need to use Meltdown and Spectre for their attacks if they can profit in other ways.” But the risk of what could happen if a successful exploit does make the rounds is immense.
Thus, a Safari patch has been issued for the Meltdown bug, and Apple said that it’s working on a fix for Spectre, which should be available “in the coming days.”
Interestingly, Meltdown does not affect one device: The Apple Watch.
Other OS vendors are also addressing the problem: Google’s Android phones and Chrome are already protected with the latest security updates, and Microsoft has started to release patches, though it said they could adversely affect some devices, including sparking the Blue Screen of Death.
As Alert Logic noted, many vendors were aware and working on the issues before news broke to the public that virtually the entire internet is at risk.
“Apple added protection for Meltdown in the macOS update that was released on December 6,” it said in an overview of the problems. “Google pushed out an update for Chrome OS on December 15. Microsoft rushed out patches for Windows ahead of the standard Patch Tuesday schedule when news of the vulnerabilities became public. There are many variants of Linux out there, and Linux developers are scrambling to develop and test patches as quickly as possible.”
Meanwhile, the issue of whether the cure is worse than the disease has been a running discussion since the flaws were revealed earlier in the week, with some security researchers saying that the mitigations could reduce performance in the cloud by as much as 30%.
“The patch to protect against Meltdown might also affect performance,” Alert Logic said. “Your mileage will vary depending on the age and architecture of the processor you’re using, as well as what types of processing demands you put on it. Just know up front that you might see a noticeable decline in speed and performance once you’ve patched.”