Apple issues Meltdown fix for Macs running Sierra and El Capitan
A wise person once said, “don’t upgrade to the latest OS X until it’s been patched a few times. And even then, sometimes it isn’t really worth it, though maybe for security stuff.” These words (from before the name change to macOS) have inspired many to stay on older versions of the OS, though lately that meant remaining vulnerable to Meltdown while those on the latest version were protected. Fortunately Apple has brought Sierra and El Capitan into the fix fold.
The latest batch of security updates fix a few random exploits here and there, but the marquee feature is definitely closing the Meltdown vulnerability on Sierra and El Capitan Macs. If you’re running one of those, and who can blame you, you should upgrade as soon as possible.
Interestingly, Jann Horn, the Google Project Zero researcher who was one of several to discover Meltdown and Spectre, is referenced three times in this security update.
First is for the Meltdown fix, which is as expected. But he also appears two more times, with two new vulnerabilities, which, like the recently reported issues, allowed someone to read restricted memory locations.
CVE-2018-4090 and CVE-2018-4093 have had their spots reserved on MITRE, but no descriptions are available yet. There’s no way they’re as serious as Meltdown and Spectre, and their inclusion here may be a coincidence — but similar fixes appear on other Apple platforms (iOS, tvOS), so it at the very least is more than a macOS thing. But don’t be surprised if GPZ announces something new soon.
A separate update for Safari fixes an unrelated exploit on all three most recent OSes, though also one with a GPZ credit; Spectre was addressed, as well as it can be, two weeks ago.