We’ve been waiting to hear from Apple ever since we first heard about the far-reaching Meltdown and Spectre CPU flaws earlier this week, and the company has finally responded with some not-so-good news: All Mac and iOS devices are affected. That’s right, all of them. However, Apple assures us there’s no reason to panic.
As we’ve been learning all week, Apple explains that the bugs are related to a CPU feature called speculative execution, which seeks to boost speeds by operating on multiple tasks at the same time: “To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.” The Meltdown and Spectre exploits would theoretically be able to trick that process in order to gain access to privileged data.
Why this matters: Apple isn’t just one of the largest phone makers in the world. It’s also one of the largest chip makers, shipping in more than 200 million CPUs a year. Like Intel and Google, Apple is taking the appropriate steps to mitigate the issues caused by Meltdown and Spectre, but the real question is how it will affect future chip design. The risk may be small, but changes will still need to be made. All eyes will be on the new iPad, iPhone, and Apple Watch chips, as Apple will likely be at the forefront of a new industry standard for dealing with speculative execution.
Mitigating the risk
As previously discovered, Apple has already released mitigations for the Intel chip flaw in Macs as part of macOS 10.13.2 released in December to help defend against Meltdown exploits. Apple also says iOS 11.2 and tvOS 11.2 contained Meltdown mitigations as well, meaning that iPhones, iPads, and Apple TV devices are as vulnerable as PCs. Android phones are only susceptible to Spectre’s flaw, according to Google’s research.
Most notably, Apple says that testing with public benchmarks such as GeekBench 4, Speedometer, and JetStream showed the Meltdown mitigations “resulted in no measurable reduction in the performance of macOS and iOS.”
With Spectre, Apple echoes Google’s findings that the bug is “extremely difficult to exploit” by a hacker using an app but “can be potentially exploited in JavaScript running in a web browser.” An upcoming Safari update will mitigate the risk, though it’s unclear whether it will bring a similar feature to Chrome’s “strict site isolation” or more simply hide the leaked data from potential attacks. Like Meltdown, Apple says these mitigations “will have no measurable impact” on Safari, citing tests performed on the Speedometer and ARES-6, as well as a JetStream benchmark showing “an impact of less than 2.5 percent.”
Furthermore, Apple is continuing to develop Spectre mitigations within its operating systems and will release them in upcoming iOS, macOS, and tvOS updates. Of note, Apple says Apple Watch is not susceptible to the Spectre or Meltdown bugs.
Apple has been making its own A-series systems on a chip since the iPhone 4 in 2010. Initially based on ARM’s Cortex architecture, the A6 introduced in 2012 debuted an Apple-designed ARM CPU that has since been used in iPhones, iPads, and Apple TVs. It also makes a W series chip for wireless and networking, T series companion chips for the MacBook Pro and iMac Pro, and S series for Apple Watch.