16 comments

[ 5.2 ms ] story [ 47.6 ms ] thread
Funny, support said they weren't effected when I called them after I absently mindedly installed the next macOS 'patch' and thought it had bricked my Mac Pro. This lead to a long conversation with support where they showed me that the indirect jump bug had been fixed, but they never said anything about Spectre...
I want to give the support person the benefit of the doubt that they weren't fully informed, but they should not have been making statements like that if they weren't.
better link: https://support.apple.com/en-us/HT208394

>"Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2."

I have older hardware with iOS 9.3.5 ( without patch )

(comment deleted)
Title of article : "Apple Says All Macs, iPhones and iPads Exposed to Chip Security Flaws"

First paragraph: "Apple Inc. said all Mac computers and iOS devices, like iPhones and iPads, are affected by chip security flaws unearthed this week, but the company stressed there are no known exploits impacting users."

What's the inconsistency?
None.

Propagating the salient point of the article allows the useful information to be communicated, without loading needless megabytes of adtech UI in your browser.

You should still read the article, and not blindly trust internet randos, but as participant in an aggregator, this kind of behavior is sometimes helpful, as long as things don’t get spammy.

I could see that, though the title and abstract are redundant here.
How are they affected yet no exploits can impact users?
No one has invested effort in packaging up an easy-to-use developer kit for distribution yet.

The hole is there, and publicly known as of today, but nothing a high school script kiddie can trivially leverage for good grades. Yet.

No one is giving out payloads and telling people they can try this at home, and watch it go. Nothing is known to be in a pastebin or git repo at the moment. This doesn’t mean the black market isn’t crafting kits for sale at a high price right now for big game hunting though.

Okay that makes sense. I understood it as the interface wasn't exposed to anyone that could exploit it. However they meant that no exploit methods had been developed yet.
The exploit methods that the researchers uncovered have not been provided to the world at large. You can bet that test kits are in the hands of large companies right now, to aid security patch development. If those test kits, intended for white hat purposes get leaked in any way, for any reason, it's out in the wild. That's not supposed to happen, and there's no way for the layman to know the status of a zero day in the wild, until explicitly reported as discovered.

Any company or project providing a patch, has a way of testing the validity of the patch. Those test kits can be weaponized, but not without a degree of skill. Anyone who tests software knows this.