Security Experts:

Apple Patches Meltdown Flaw in Older Versions of macOS

Apple on Tuesday released security updates for a majority of its products, and it patched the vulnerability that allows Meltdown attacks in earlier versions of its Mac operating system.

Apple rolled out the first mitigations for the Meltdown attack before the flaws were disclosed, in early December, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Protections against Spectre attacks were added on January 8 with the release of iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2.

The latest security updates released by the tech giant for Mac computers patch 17 vulnerabilities, including a kernel flaw that allows Meltdown attacks (CVE-2017-5754) in macOS Sierra 10.12.6 and OS X El Capitan 10.11.6.

The update for High Sierra also addresses several other kernel vulnerabilities that can be exploited to read restricted memory and execute arbitrary code with elevated privileges, including ones found by Jann Horn, the Google researcher who independently discovered the Meltdown and Spectre weaknesses.

Other macOS vulnerabilities patched on Monday affect the audio, cURL, LinkPresentation, QuartzCore, sandbox, security, WebKit and Wi-Fi components.

The updates for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6 also fix the IOHIDFamily local privilege escalation vulnerability disclosed by a researcher on New Year’s Eve. The expert disclosed the flaw without giving Apple the chance to release a patch, arguing that it’s not remotely exploitable and the PoC he made public is not stealthy.

iOS 11.2.5 patches 13 security holes, including in the audio, Bluetooth, kernel, LinkPresentation, QuartzCore, security, and WebKit components. Some of these flaws are the same ones that affect macOS.

Since watchOS and tvOS are also based on iOS, a majority of the vulnerabilities have also been patched in the Apple Watch and Apple TV operating systems.

The WebKit flaws have also been resolved by Apple in iCloud for Windows, iTunes for Windows, and Safari.

Despite being among the first vendors to start releasing patches, Apple is facing class action lawsuits over the Meltdown and Spectre CPU vulnerabilities. Apple’s processors are affected due to the fact that they use ARM technology.

Related: Apple Silently Patched macOS Security Bypass Flaw

Related: Apple Patches Critical Root Access Flaw in macOS

Related: Apple Patches Dangerous KRACK Wi-Fi Vulnerabilities

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.