Just a day after the disclosure of the deadly Spectre, Meltdown bugs in Intel, AMD and ARM-based processor chips, Apple has revealed that their all devices (iOS and macOS), which come integrated with one of the aforementioned branded chips are also vulnerable to the security breach.
However, the company allayed fears of its loyal consumers that there are no reported cases of any iPhones or MacBooks getting hacked so far. Guess what! Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Also, Apple Watch series is not affected by the Meltdown bug.
Apple has promised to roll-out security patch for Safari browser application to help defend against Spectre soon. Also, the company will continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
Here's how Spectre and Meltdown bugs make devices vulnerable to security breach:
Spectre and Meltdown take advantage of "speculative execution," a technique used by most modern processors (CPUs) to optimise performance.
For those unaware, the CPU, in its bid to increase the performance, predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory such as passwords, encryption keys, or sensitive information, including that of the kernel—from a less-privileged user process such as a malicious app running on a device.
Google Project Zero research team too conducted some test, which showed that a malicious app running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
How to protect your Apple devices from malware:
Even if your devices' chip has shortcomings, you can still be assured of malware free system by following the basic guidelines.
For PCs:
- Always keep your PCs updated with the latest firmware; most software companies including Microsoft and Apple usually send software updates regularly in terms of weekly or monthly, always make sure to update them immediately
- Make sure to use premium anti-virus software, which also provides malware protection and Internet security
- Never ever open email sent from unknown senders
- Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
- Disable remote Desktop Connections, employ least-privileged accounts. Limit users who can log in using Remote Desktop, set an account lockout policy. Ensure proper RDP logging and configurations
- Never ever install plugins (for browsers) and application softwares on the PCs from un-familiar publishers
- System administrators in corporate companies should establish a Sender Policy Framework (SPF) for their domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
For smartphones:
- Always keep your smartphone updated to the latest firmware. Most companies in collaboration with Google send software updates — especially security patches on priority basis and always make sure to update them immediately
- Make sure to use premium antivirus software, which also provides malware protection and internet security
- Never open emails sent from unknown senders
- Never install apps from unknown websites
- Never install apps from unfamiliar publishers even on Google Play (for Android phones) and Apple application store (for iPhones and iPads)