Os X Patch For Meltdown
Jan 25, 2018 This security update patched all versions of OS X El Capitan against the Meltdown exploit (CVE-2017-5754). Outstanding Apple Spectre + Meltdown Patches. From what we understand, these are the likely Apple Spectre and Meltdown patches that are still outstanding, and will eventually be released: A Meltdown patch for macOS High Sierra. Jan 10, 2018 Meltdown-Spectre: IBM preps firmware and OS fixes for vulnerable Power CPUs. IBM confirms its Power CPUs for datacenter kit are vulnerable to the Meltdown and Spectre CPU attacks.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
Released December 6, 2017
APFS
Available for: macOS High Sierra 10.13.1
Impact: APFS encryption keys may not be securely deleted after hibernating
Description: A logic issue existed in APFS when deleting keys during hibernation. This was addressed with improved state management.
CVE-2017-13887: David Ryskalczyk
Entry added June 21, 2018
apache
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory
Description: Multiple issues were addressed by updating to version 2.4.28.
CVE-2017-9798: Hanno Böck
Entry updated December 18, 2018
Auto Unlock
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2017-13905: Samuel Groß (@5aelo)
Entry added October 18, 2018
CFNetwork Session
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative
Entry added January 22, 2018
Contacts
Available for: macOS High Sierra 10.13.1
Impact: Sharing contact information may lead to unexpected data sharing
Description: An issue existed in the handling of Contact sharing. This issue was addressed with improved handling of user information.
CVE-2017-13892: Ryan Manly of Glenbrook High School District 225
Entry added October 18, 2018
CoreAnimation
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with elevated privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative
Entry added January 22, 2018
CoreFoundation
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
CVE-2017-7151: Samuel Groß (@5aelo)
Entry added October 18, 2018
curl
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory
Description: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.
CVE-2017-1000254: Max Dymond
Directory Utility
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
ICU
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: An integer overflow was addressed through improved input validation.
CVE-2017-15422: Yuan Deng of Ant-financial Light-Year Security Lab
Entry added March 14, 2018
Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13883: Yu Wang of Didi Research America
CVE-2017-7163: Yu Wang of Didi Research America
CVE-2017-7155: Yu Wang of Didi Research America
Entry updated December 21, 2017
Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
CVE-2017-13878: Ian Beer of Google Project Zero
Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Windows 10 Meltdown Patch
Impact: An application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-13875: Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7159: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)
Entry updated December 21, 2017
IOKit
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-13848: Alex Plaskett of MWR InfoSecurity
CVE-2017-13858: an anonymous researcher
IOKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2017-13847: Ian Beer of Google Project Zero
IOKit
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative
Entry updated January 10, 2018
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13904: Kevin Backhouse of Semmle Ltd.
Entry added February 14, 2018
Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read kernel memory (Meltdown)
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)
Entry updated January 5, 2018
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple
CVE-2017-13867: Ian Beer of Google Project Zero
Entry updated December 21, 2017
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-7173: Brandon Azad
Entry updated January 11, 2018
Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13876: Ian Beer of Google Project Zero
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero
Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero
Kernel
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-7154: Jann Horn of Google Project Zero
Entry added December 21, 2017
Available for: macOS High Sierra 10.13.1
Impact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-13871: Lukas Pitschl of GPGTools
Entry updated December 21, 2017
Mail Drafts
Available for: macOS High Sierra 10.13.1
Impact: An attacker with a privileged network position may be able to intercept mail
As a matter of fact, writing to NTFS on Apple is possible since Mac OS 10.6 without any third-party NTFS driver, but the NTFS writing support is disabled by default. Therefore, SL-NTFS is used as an interface on the Apple NTFS driver to enable writing to NTFS drives on Mac. As a free NTFS for Mac app, SL-NTFS has some pros as followings: It is. 
Description: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.
CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH
Entry updated January 10, 2018
OpenSSL
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.
CVE-2017-3735: found by OSS-Fuzz
Perl
Available for: macOS Sierra 10.12.6
Impact: This bugs can allow remote attackers to cause a denial of service
Description: Public CVE-2017-12837 was addressed by updating the function in Perl 5.18
CVE-2017-12837: Jakub Wilk
Entry added October 18, 2018
Screen Sharing Server
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1
Impact: A user with screen sharing access may be able to access any file readable by root
Description: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.
CVE-2017-7158: Trevor Jacques of Toronto
Entry updated December 21, 2017
SIP
Available for: macOS High Sierra 10.13.1
Windows Server Meltdown Patch
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A configuration issue was addressed with additional restrictions.
CVE-2017-13911: Timothy Perfitt of Twocanoes Software
Entry updated August 8, 2018, updated September 25, 2018
Wi-Fi
Available for: macOS High Sierra 10.13.1
Impact: An unprivileged user may change WiFi system parameters leading to denial of service
Description: An access issue existed with privileged WiFi system configuration. This issue was addressed with additional restrictions.
CVE-2017-13886: David Kreitschmann and Matthias Schulz of Secure Mobile Networking Lab at TU Darmstadt
Entry added May 2, 2018
Additional recognition
We would like to acknowledge Jon Bottarini of HackerOne for their assistance.
Entry added February 6, 2020
Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at the time of this writing. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Security updates for macOS Sierra and OS X El Capitan also include mitigations for Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre.
We continue to develop and test further mitigations for these issues.
Background
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.
Meltdown
Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or 'rogue data cache load.' The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and also in Security Update 2018-001 for macOS Sierra and Security Update 2018-001 for OS X El Capitan. watchOS did not require mitigation.
Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.
Spectre
Spectre is a name covering multiple different exploitation techniques, including—at the time of this writing—CVE-2017-5753 or 'bounds check bypass,' and CVE-2017-5715 or 'branch target injection,' and CVE-2018-3639 or “speculative bounds bypass.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. On January 8th Apple released updates for Safari on macOS and iOS to mitigate such timing-based techniques. Testing performed when the Safari mitigations were released indicated that the mitigations had no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques. watchOS is unaffected by Spectre.