Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches Meltdown Flaw in Older Versions of macOS

Apple on Tuesday released security updates for a majority of its products, and it patched the vulnerability that allows Meltdown attacks in earlier versions of its Mac operating system.

Apple on Tuesday released security updates for a majority of its products, and it patched the vulnerability that allows Meltdown attacks in earlier versions of its Mac operating system.

Apple rolled out the first mitigations for the Meltdown attack before the flaws were disclosed, in early December, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Protections against Spectre attacks were added on January 8 with the release of iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2.

The latest security updates released by the tech giant for Mac computers patch 17 vulnerabilities, including a kernel flaw that allows Meltdown attacks (CVE-2017-5754) in macOS Sierra 10.12.6 and OS X El Capitan 10.11.6.

The update for High Sierra also addresses several other kernel vulnerabilities that can be exploited to read restricted memory and execute arbitrary code with elevated privileges, including ones found by Jann Horn, the Google researcher who independently discovered the Meltdown and Spectre weaknesses.

Other macOS vulnerabilities patched on Monday affect the audio, cURL, LinkPresentation, QuartzCore, sandbox, security, WebKit and Wi-Fi components.

The updates for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6 also fix the IOHIDFamily local privilege escalation vulnerability disclosed by a researcher on New Year’s Eve. The expert disclosed the flaw without giving Apple the chance to release a patch, arguing that it’s not remotely exploitable and the PoC he made public is not stealthy.

iOS 11.2.5 patches 13 security holes, including in the audio, Bluetooth, kernel, LinkPresentation, QuartzCore, security, and WebKit components. Some of these flaws are the same ones that affect macOS.

Since watchOS and tvOS are also based on iOS, a majority of the vulnerabilities have also been patched in the Apple Watch and Apple TV operating systems.

The WebKit flaws have also been resolved by Apple in iCloud for Windows, iTunes for Windows, and Safari.

Despite being among the first vendors to start releasing patches, Apple is facing class action lawsuits over the Meltdown and Spectre CPU vulnerabilities. Apple’s processors are affected due to the fact that they use ARM technology.

Related: Apple Silently Patched macOS Security Bypass Flaw

Related: Apple Patches Critical Root Access Flaw in macOS

Related: Apple Patches Dangerous KRACK Wi-Fi Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.