Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
Apple explains that Meltdown and Spectre take advantage of a CPU performance feature called speculative execution.
Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
Meltdown and Spectre abuse speculative execution to access privileged memory, including the kernel's, from a less privileged user process.
Apple says its Meltdown fixes have shown no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6. For Spectre, Apple's fixes resulted in an impact of less than 2.5% on the JetStream benchmark and no measurable impact was demonstrated on the Speedometer and ARES-6 tests.
Fixes for Meltdown and Spectre are said to have a much greater impact on Linux and Windows devices with a recent report claiming users could see a 5% - 30% hit in performance.
Please follow iClarified on Twitter, Facebook, Google+, or RSS for updates.