Apple’s Mitigations for the Meltdown and Spectre CPU Architecture Bugs: Long-Running Update Doesn’t Jibe With Description
A few days ago I wrote about the CPU bug issues in “Meltdown and Spectre CPU Architecture Bugs: Apple Has Partially Addressed with No Performance Impact?”.
Yesterday, Apple issued security patches that on the face of it are small changes. But it appears that Apple is not telling the whole truth (yet again). I say that because a simple patch should not take 25 minutes to install with triple-hiccup reboots that surely are a firmware update as well—on an iMac Pro, 2017 iMac 5K, and 2013 Mac Pro.
There appears to be something much more involved going on here than Apple is documenting.
About the security content of macOS High Sierra 10.13.2 Supplemental Update
macOS High Sierra 10.13.2 Supplemental Update
Released January 8, 2018
Available for: macOS High Sierra 10.13.2
Description: macOS High Sierra 10.13.2 Supplemental Update includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
Seriously? 25 minutes to install a patch to Safari and WebKit? It’s just not a credible story. It doesn’t take 25 minutes, 3 reboots and what appears to be a firmware update and a 400+ MB download to patch Safari and WebKit. Or maybe it does, who can say but Apple. The description versus the reality makes me trust Apple less.
More on Spectre and Meltdown
The Register broke the news in early January, and now we see that Apple has already been hard at work to deal with the issue.
- Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it
- Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign — Speed hits loom, other OSes need fixes
- Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs - AMD, Arm also affected by data-leak design blunders, Chipzilla hit hardest
- Here come the lawyers! Intel slapped with three Meltdown bug lawsuits - Class-actions start piling up after El Reg blows lid on CPU security cockup