“Meltdown” and “Spectre,” vulnerabilities help/fix

Keep macOS updated. To learn how to do that please read How to update the software on your Mac - Apple Support. That particular vulnerability was at least partially addressed a month ago. Additional macOS security updates will be required.

CPU vulnerabilities cannot be fixed. There can only be defenses implemented addressing their potential exploits. In the case of macOS, those updates can only come from Apple.

See About speculative execution vulnerabilities in ARM-based and Intel CPUs - Apple Support for more information.

Basically at the moment ensure that you are updated to 11.13.2, and watch out over the next few days for an uocoming update to the Safari web browser.

In the meantime, if you use Safari try to avoid any less trustworthy sites.

Apple may consider it serious enough to install a security update automatically.

To determine that, open System Preferences > App Store, and select "Automatically check for updates" and "Install system data files and security updates."

That's the minimum I recommend. Choosing to leave other options de-selected is up to you, so that you can know what's required and install updates at a time that's best for your needs.

I'd be remiss if I didn't point out that exploiting such a vulnerability would require your active participation. In other words you would need to deliberately download and install something on your Mac: "Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store."

Knowing what you're downloading and why is always be a fundamental defense. Excerpted from Effective defenses against malware and other threats:

Never install something without first knowing what it is, what it does, how it works, and how to get rid of it when you don't want it any more.

In that case read Upgrading macOS without fear.

Threats will always exist though. You just have to discriminate between what's real and what's fearmongering.

The typical fearmongering, sky-is-falling hyperventilating media is simply common. Real threats—those that don't require esoteric hardware vulnerability exploits—are simply mundane. They're the kind that don't make headlines.

Yes - it will either appear as a Safari update on its own, or with a wider High Sierra update (which, if the current information is accurate would not a component of the CPU vulnerability mitigation).

I'd also add that if you use an alternative browser, check with it's developer as to whether it has been patched. For example Firefox had a temporary mitigation added a couple of months ago, but was very recently (supposedly) properly patched (version 57.0.4 is the latest version, and would be a good choice if you wanted a temporary patched browser until the official Safari fix is out.

(apologies for the "supposedly"'s and the "If accurate", but I've just spent my last two working days researching the issue to provide advice to my colleges, in order to help manage client networks, and what is clear is that the whole situation is still evolving)

I wonder if Apple will bring out this fix for older Mac OS like Yosemite? I am stuck to this version, as i am a small business who uses Adobe CS5 suite (Illustrator and Photoshop, without that nasty cloud license bull) and will not and cannot update. Because it will not work and forces me to pay 30± EUR a month for software i allready have.

TLDR: Apple, will you fix Yosemite MacOS as well???

Okay, sorry, thanks for the reminder. But i know Apple itself isnt reading this at all... So thanks for you heads up.

iPod5thgen wrote:

I wonder if Apple will bring out this fix for older Mac OS like Yosemite?

Nobody knows, but again you would need to deliberately download, install, and run something capable of exploiting the vulnerability... an exploit which has yet to be implemented and in all likelihood will never be implemented.

Of course it's always best to use the latest macOS version that your hardware can use, and if you choose not to do that then you forfeit those advantages. It's up to you.

This can also be done by websites and obscure scripts and whatnot. So i'm trying out something and upgrade to High Sierra. Got no choice. Don't want to risk this potential threat. Thanks for your time, all of you!

The problem is, i tried Affinity and it failed at the most basic drawing shapes and extruding them onto eachother. Then most instructions are made to 'illustrate' the way settings are changed, profiles for specific lines (cut-contour) are a pain if you have to 'convert-think' these back to this new way. It's basically saying; download linux and openoffice while you used to win7 with office. It's just not the same. But thanks for your input. BTW, in my skillset the "limitations" of CS5 is not a problem what i do with it. It's utterly nonsense that i would need a CC license to open a simple document which was drawn up. It's all vectorbased. Adobe just forces it in everybody's throat.

Maybe try Graphic then. I only recently bought Affinity. I had been using Logoist, Graphic, and Pixelmator before. I haven't used Affinity much. The primary reason I bought Affinity is because it doesn't force me to use that awful "dark mode". I want to support developers who respect their customers like that.

Note a new High Sierra Supplemental Update containing the update for Safari have just been published. These reference Spectre vulnerability mitigation as their security content.

There is also an iOS update as well.

(edit to clarify that the Safari update is CONTAINED in the supplemental update for High Sierra. It is separate for supported older versions. )

John Galt wrote:

... Additional macOS security updates will be required.

As promised:

Today's Topics:

1. APPLE-SA-2018-1-8-1 iOS 11.2.2 (Apple Product Security)

2. APPLE-SA-2018-1-8-3 Safari 11.0.2 (Apple Product Security)

3. APPLE-SA-2018-1-8-2 macOS High Sierra 10.13.2 Supplemental

Update (Apple Product Security)

----------------------------------------------------------------------

macOS High Sierra 10.13.2 Supplemental Update is now available

and addresses the following:

Available for: macOS High Sierra 10.13.2

Description: macOS High Sierra 10.13.2 Supplemental Update includes

security improvements to Safari and WebKit to mitigate the effects of

Spectre (CVE-2017-5753 and CVE-2017-5715).

Updates are also available for El Cap and Sierra and their respective Safari versions.

Sorry - I should have clarified that 11.13.2 IS patched as far as the core OS is concerned. Safari still requires a patch which is known to be in development and reported to be 'a few days' away.

Hello RRMCo,

This is just typical media hype. That is their job. You don't need to worry about it. Let Apple worry about any actual engineering issues. That is their job.