
Apple Releases Patch for Speculative Execution Vulnerabilities in Intel CPUs

Similar to what Google has done with Chrome OS, Apple has now published a patch for Safari and provided documentation on how to disable hyper-threading on all Macs through Terminal.

 

Quote

macOS Mojave 10.14.5 fixes this issue for Safari with no measurable performance impact. This update prevents exploitation of these vulnerabilities via JavaScript or as a result of navigating to a malicious website in Safari.

 

Customers can also protect their Mac by updating security settings in macOS to download apps only from the App Store. This setting helps prevent the installation of apps that could potentially exploit these vulnerabilities. All apps from the App Store are signed by Apple to ensure that they haven’t been tampered with or altered. Learn how to view and change app security settings on your Mac.

 

The OS update patches the flaw in Intel CPUs through Safari, and Apple recommends installing only apps from the Mac App Store to avoid potential risks. However, for users who use applications from outside the App Store and are concerned about these vulnerabilities, Apple suggests disabling hyper-threading.

 

Quote

customers with computers at heightened risk or who run untrusted software on their Mac can optionally enable full mitigation to prevent harmful apps from exploiting these vulnerabilities. Full mitigation requires using the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology. 

These security updates have been rolled out and are available to Macs running Mojave, High Sierra, and Sierra.

 

The following Macs are not compatible with the security updates due to Intel not providing the necessary microcode at this time:

  • MacBook (13-inch, Late 2009)
  • MacBook (13-inch, Mid 2010)
  • MacBook Air (13-inch, Late 2010)
  • MacBook Air (11-inch, Late 2010)
  • MacBook Pro (17-inch, Mid 2010)
  • MacBook Pro (15-inch, Mid 2010)
  • MacBook Pro (13-inch, Mid 2010)
  • iMac (21.5-inch, Late 2009)
  • iMac (27-inch, Late 2009)
  • iMac (21.5-inch, Mid 2010)
  • iMac (27-inch, Mid 2010)
  • Mac mini (Mid 2010)
  • Mac Pro (Late 2010)

All other Macs should be able to update and take advantage of the fix in Safari as well as the optional hyper-threading fix.

 

According to internal testing, disabling hyper-threading can lead to up to a 40% drop in performance.

Quote

macOS performance: Testing conducted by Apple in May 2019 showed as much as a 40% reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.

 

It is rather unfortunate that Intel CPUs have been plagued by so many security vulnerabilities and the latest has resulted in having to knee-cap your CPU to nearly half of its performance just to fix the exploit.

 

I can't help but wonder how mad Tim Cook and Dan Riccio (head of Hardware Engineering at Apple) are with Intel at these recent developments. All of this makes me wonder if anyone at Apple is looking into the possibility of building Ryzen based Macs seeing as they are currently not vulnerable to these security exploits that are massively hurting the performance of not just Macs, but all Intel based computers.

 

I can't say I would mind seeing a Threadripper based Mac Pro or Ryzen based Mac Mini.

 

 Source: https://support.apple.com/en-us/HT210107

 

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

I would like to see Ryzen powered Apple computers, especially if the Ryzen 3000 series turns out to be a great success.

I only see your reply if you @ me.

This reply/comment was generated by AI.


I know that FCP X relies more on Quick Sync but I’m sure it’s also a multi-threaded process, does it mean it’s slower now? 

4 minutes ago, DrMacintosh said:

can't help but wonder how mad Tim Cook and Dan Riccio (head of Hardware Engineering at Apple) are with Intel at these recent developments. All of this makes me wonder if anyone at Apple is looking into the possibility of building Ryzen based Macs seeing as they are currently not vulnerable to these security exploits that are massively hurting the performance of not just Macs, but all Intel based computers.

Wouldn’t AMD’s SMT fall to a similar vulnerability in the future? Sure Intel is getting a lot of flak now from 14nm+++++++ to security vulnerabilities but then, anything compiled by man is vulnerable. It’s only a matter of time before someone exploits it, just look at Spectre where CPUs from 20 years ago until 2018 x86 CPUs are affected.

There is more that meets the eye
I see the soul that is inside

 

 


1 minute ago, captain_to_fire said:

know that FCP X relies more on Quick Sync but I’m sure it’s also a multi-threaded process, does it mean it’s slower now

If you disabled hyper-threading, yes you would lose performance. 10.14.5 does not automatically gimp performance. 


1 minute ago, captain_to_fire said:

Wouldn’t AMD’s SMT fall to a similar vulnerability in the future? Sure Intel is getting a lot of flak now from 14nm+++++++ to security vulnerabilities but then, anything compiled by man is vulnerable. It’s only a matter of time before someone exploits it, just look at Spectre where CPUs from 20 years ago until 2018 x86 CPUs are affected.

Potentially, but a lot of these have been specific to the Intel implementations that have been designed more aggressively in the past. That's why you've seen a couple include AMD/ARM processors, but many have been Intel only.


Also, Microsoft’s patch Tuesday includes this. Just saying. https://support.microsoft.com/en-ph/help/4494441/windows-10-update-kb4494441

Quote
  • Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190013

 


Two days ago I didn't have a single update, now I am in the middle of installing a 2nd update and that is not even 10.14.5. And one update showed a message that it failed to install but somehow it actually did install. Just wow.

The ability to google properly is a skill of its own. 


22 minutes ago, Bouzoo said:

Two days ago I didn't have a single update, now I am in the middle of installing a 2nd update and that is not even 10.14.5. And one update showed a message that it failed to install but somehow it actually did install. Just wow.

macOS has the tendency to do that. I usually restart my machine before updating because my MacBook has so much uptime. Sometimes going weeks without ever being shut down. 


1 hour ago, Origami Cactus said:

I would like to see Ryzen powered Apple computers, especially if the Ryzen 3000 series turns out to be a great success.

I don't think that's going to happen. Apple is probably planning to migrate to ARM based systems.


3 minutes ago, RejZoR said:

I don't think that's going to happen. Apple is probably planning to migrate to ARM based systems.

That’s not feasibly possible at least within the next 5 years probably. Marzipan isn’t ready for that, nor is it the goal. 

 

I’m sure we will see ARM based Macs, but it’s going to be a lot more messy than the switch from PPC to x86 was.


4 minutes ago, RejZoR said:

Apple is probably planning to migrate to ARM based systems.

Maybe on low end systems, but ARM can't compete against x86 in every sector of every market.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.
