We've updated the title from “Apple retracts confirmation that Meltdown is fixed in 10.12 and 10.11”, which is the sort of thing that makes a fine initial comment but not what the guidelines ask for headlines.
Although I agree more with the original title, as that would be the exact message I need at this time, I would suggest to then at least also include Sierra, and El Capitan in the title as the fact that the document was updated is most relevant for users of those systems. Maybe reflect that something changed as well. Maybe:
About the security content of macOS High Sierra, Sierra and El Capitan [updated]
They have changed the document today (Jan 5th) and removed the confirmation that Meltdown was fixed in 10.12 and 10.11. It was previously thought to be patched but can no longer be considered fixed in those versions of the OS with this change.
In the past few days there were a handful of links dated as far back as 2006, directly explaining the attack vector, or strongly hinting at it. So, the likelihood that NSA and a bunch of other groups knew is 100%.
Unfortunately, Intel knew, too, and didn't bother fixing it in the next 6 generations of their CPUs since they originally admitted the issue with the Intel Core 2.
Interesting question. I think it's fairly reasonable to assume that:
1) The NSA knew about it and had exploits for it.
2) Google Project Zero spoke with the NSA prior to releasing the advisory.
An exploit for such a pervasive vulnerability represents a susbtantial asset to one intelligence agency. Right up until the enemy discovers and develops the same capability.
I would point out that nearly all those smart people at google are working on product teams, not security teams, and that enough good security researchers still go to the NSA.
Also, the NSA still tapped google for up to 6 years, and might have continued doing so to this day if it weren't for Snowden.
But then again, these weren't in his leaked documents so maybe not.
> WH Cyber Coordinator @RobJoyce45 on Intel chip flaw: "NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability."
Because it's very easy to see how this flaw came about.
Branch prediction and caching is necessary for modern processor performance and it turns out that these two features can interact in a way that allows software to employ timing attacks to determine memory state for areas of memory that should't be readable.
So I guess the interesting thing here is that if you visit http://webcache.googleusercontent.com/search?q=cache%3Ahttps... you'll see that yesterday's version of this document claimed that the fix for CVE-2017-5754 was "Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6" (search for "2018" to find "Entry added January 4, 2018").
Now it just says "Available for: macOS High Sierra 10.13.1". (search for "2018" to find "Entry updated January 5, 2018")
An example of why I generally jump to the comments on HN before clicking through. Because the OP's info is sorted alphabetically, there's little guidance on what's supposed to be eye-catching, nevermind that what we're supposed to be concerned with is literally not in the OP (as of posting time).
What fucking about it? Will they release patches for Sierra and older versions or not? This literally doesn't say that. It's simply unacceptable for them to not have released that information publicly. As far as I can tell, they don't plan to release those patches. I tried to upgrade to high Sierra but that doesn't work and kills my machine as I suspected because high Sierra is a fucking piece of shit os that leaves machines unusable, almost bricked. This is the last fucking straw for me. Apple not responding and not saying if they're even going to release a fix makes for a platform that simply cannot be relied on, a platform without a clear upgrade path from Sierra.
Information regarding security fixes are published every time there is an OS update. This one is actually from December, although the following was added today:
> Kernel
> Available for: macOS High Sierra 10.13.1
> Impact: An application may be able to read kernel memory
> Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
- Apple was warned about this half-a-year-ago and cannot give certainty that their previously current OS is patched (High Sierra only was announced on June, about the same time they were warned about Meltdown)
34 comments
[ 83.8 ms ] story [ 3324 ms ] threadAbout the security content of macOS High Sierra, Sierra and El Capitan [updated]
Unfortunately, Intel knew, too, and didn't bother fixing it in the next 6 generations of their CPUs since they originally admitted the issue with the Intel Core 2.
1) The NSA knew about it and had exploits for it. 2) Google Project Zero spoke with the NSA prior to releasing the advisory.
An exploit for such a pervasive vulnerability represents a susbtantial asset to one intelligence agency. Right up until the enemy discovers and develops the same capability.
I'd bet much smarter people work at Google than the NSA.
Also, the NSA still tapped google for up to 6 years, and might have continued doing so to this day if it weren't for Snowden.
But then again, these weren't in his leaked documents so maybe not.
https://twitter.com/nakashimae/status/949451178110279680
/s
Branch prediction and caching is necessary for modern processor performance and it turns out that these two features can interact in a way that allows software to employ timing attacks to determine memory state for areas of memory that should't be readable.
Now it just says "Available for: macOS High Sierra 10.13.1". (search for "2018" to find "Entry updated January 5, 2018")
This is the diff: https://twitter.com/lunixbochs/status/949374313978875904
I wouldn't be surprised if they actually do patch soon (someone posted on Reddit about seeing a Security Update 2018-001 beta in their app store).
> Kernel
> Available for: macOS High Sierra 10.13.1
> Impact: An application may be able to read kernel memory
> Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
- Apple was warned about this half-a-year-ago and cannot give certainty that their previously current OS is patched (High Sierra only was announced on June, about the same time they were warned about Meltdown)
- DragonflyBSD, arguably the underdog of the BSD's was not warned about the bug, like apparently all the other BSD's, and now have commited the patch to their current OS version http://lists.dragonflybsd.org/pipermail/users/2018-January/3...
Apple needs to step up their game.