Class Action Lawsuit Against Apple Over Meltdown and Spectre Vulnerabilities Dismissed

Back in January 2018, a class action lawsuit was filed against Apple for the Meltdown and Spectre vulnerabilities that affected a wide range of processors from Intel and ARM, including those used in Apple's Macs and iOS devices.

Meltdown and Spectre were hardware-based vulnerabilities that exploit the speculative execution mechanism of a CPU, allowing attackers to gain access to sensitive information.


Apple quickly mitigated Spectre and Meltdown with software patches, but a class action complaint was filed against Apple alleging that Apple knew about the design defects in June 2017 and did not more promptly inform the public.

The complaint also suggested that Apple would not be able to adequately patch Meltdown and Spectre without slowing the performance of its processors by between five and 30 percent, a claim that turned out to be untrue.

As pointed out by AppleInsider, the class action lawsuit against Apple was today dismissed for "lack of standing and failure to state a claim."

According to the ruling, the plaintiffs in the case were not able to allege injury because none of their devices were accessed via Spectre or Meltdown and no degradation in performance was personally experienced by the plaintiffs.

Furthermore, the court said that even if some devices were affected by Meltdown and Spectre as evidenced in some of the benchmarks submitted by the plaintiffs, it does not suggest that all users experienced slower performance, nor were the plaintiffs able to prove that their iOS devices diminished in value.

Given these reasons, Apple's motion to dismiss was granted, though the plaintiffs in the lawsuit are able to provide an amended complaint by January 24, 2019.


This article, "Class Action Lawsuit Against Apple Over Meltdown and Spectre Vulnerabilities Dismissed" first appeared on MacRumors.com


Intel Discloses New ‘Variant 4’ Spectre-Like Vulnerability

Intel, Google, and Microsoft today disclosed a new variant of the Spectre design flaw and security vulnerability that impacts millions of computers and mobile devices from a range of manufacturers.

Called Variant 4, or the Speculative Store Bypass, the vulnerability is similar to Spectre, taking advantage of the speculative execution mechanism of a CPU to allow hackers to gain access to sensitive information. Variant 4 was demonstrated by researchers in a language-based runtime environment.

CVE-2018-3639 - Speculative Store Bypass (SSB) - also known as Variant 4

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

According to Intel, the new vulnerability has a "moderate" severity rating because many of the exploits that it uses have already been addressed through mitigations that were first introduced by software makers and OEMs in January for Meltdown and Spectre. Intel is, however, releasing a full mitigation option that will "prevent this method from being used in other ways."

This additional mitigation for Variant 4 has been delivered in beta form to OEM system manufacturers and system software vendors, and Intel is leaving it up to its partners to decide whether or not to implement the extra measures. Intel plans to leave the mitigation set to off by default because of the potential for performance issues.

This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we've observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark(R) 2014 SE and SPEC integer rate on client1 and server2 test systems.

The Spectre and Meltdown family of vulnerabilities affect all modern processors from Intel, ARM, and AMD, but Intel has faced more scrutiny over the design flaw due to its high-profile position in the processor market. Apple's iOS and Mac devices are affected by these vulnerabilities, but Apple has historically been quick to patch them.

Before Spectre and Meltdown were initially discovered, for example, Apple had already implemented some patches, and it has since addressed known Meltdown and Spectre vulnerabilities with little impact on the performance of Macs or iOS devices. As mentioned above, many of the exploits in Variant 4 have been previously addressed by Apple and other manufacturers in already-existing software patches.

Spectre and Meltdown-related vulnerabilities are hardware-based and therefore must be mitigated rather than outright fixed, but future Intel chips will not be as vulnerable. Intel has said that its next-generation Xeon Scalable processors (Cascade Lake) and its 8th-generation Intel Core processors will feature redesigned components to protect against some Spectre and Meltdown flaws.



Intel’s 8th-Gen Xeon and Core Processors Feature Redesigned Hardware to Address Spectre and Meltdown Vulnerabilities

Intel CEO Brian Krzanich today announced that its next-generation Xeon Scalable (Cascade Lake) processors and its 8th-generation Intel Core processors will feature redesigned components to protect against the Spectre and Meltdown vulnerabilities that affect all modern processors.

Spectre variant 1 of the vulnerabilities will continue to be addressed in software, while Intel is implementing hardware-based design changes to offer future protection against Spectre variant 2 and Meltdown variant 3.

We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3. Think of this partitioning as additional "protective walls" between applications and user privilege levels to create an obstacle for bad actors.

Intel's new Xeon Scalable processors and its 8th-generation Intel Core processors are expected to start shipping out to manufacturers in the second half of 2018.

Ahead of the hardware changes, Intel says that software-based microcode updates have now been issued for 100 percent of Intel products launched in the past five years, and all customers should make sure to continue to keep their systems up-to-date with software updates.


Krzanich also reaffirmed Intel's commitment to customer-first urgency, transparent and timely communications, and ongoing security reassurance.

Apple began addressing the Meltdown and Spectre vulnerabilities back in early January with the release of iOS 11.2, macOS 10.13.2, and tvOS 11.2, which introduced mitigations for Meltdown. Subsequent iOS 11.2.2 and macOS High Sierra 10.13.2 Supplemental updates introduced mitigations for Spectre, as did patches for both macOS Sierra and OS X El Capitan in older machines.

Apple's software mitigations for the vulnerabilities have not resulted in any significant measurable decline in performance.



Apple Addresses Meltdown and Spectre in macOS Sierra and OS X El Capitan With New Security Update

Along with macOS High Sierra 10.13.3, Apple this morning released two new security updates that are designed to address the Meltdown and Spectre vulnerabilities on machines that continue to run macOS Sierra and OS X El Capitan.

As outlined in Apple's security support document, Security Update 2018-001, available for macOS Sierra 10.12.6 and OS X El Capitan 10.11.6, offers several mitigations for both Meltdown and Spectre, along with fixes for other security issues, and the updates should be installed immediately.


Apple addressed the Meltdown and Spectre vulnerabilities in macOS High Sierra with the release of macOS High Sierra 10.13.2, but older machines were left unprotected. Apple initially said a prior security update included fixes for the two older operating systems, but that information was later retracted.

Spectre and Meltdown are two hardware-based vulnerabilities that impact nearly all modern processors. Apple in early January confirmed that all of its Mac and iOS devices were impacted, but Meltdown mitigations were introduced in iOS 11.2 and macOS 10.13.2 before the vulnerabilities came to light, and Spectre was addressed through Safari updates in iOS 11.2.2 and a macOS 10.13.2 Supplemental Update.

Spectre and Meltdown take advantage of the speculative execution mechanism of a CPU. Because these are hardware-based flaws, operating system manufacturers are required to implement software workarounds. These software workarounds can impact processor performance, but according to Apple, the Meltdown fix has no measurable performance reduction across several benchmarks.

The Spectre Safari mitigations have "no measurable impact" on Speedometer and ARES-6 tests, and an impact of less than 2.5% on the JetStream benchmark.

Many PCs with Intel processors have been facing serious issues following the installation of patches with fixes for Meltdown and Spectre, but these problems do not appear to impact Apple's machines.


Apple Releases macOS High Sierra 10.13.3 With Fix for Messages Bug

Apple today released macOS High Sierra 10.13.3, the third major update to the macOS High Sierra operating system available for Apple's Macs. macOS High Sierra 10.13.3 comes over a month after the release of macOS High Sierra 10.13.2 and a little over a week after a macOS High Sierra 10.13.2 supplemental update which brought a fix for the Spectre vulnerability.

macOS High Sierra 10.13.2 can be downloaded directly from the Mac App Store or through the Software Update function in the Mac App Store on all compatible Macs that are already running macOS High Sierra.


No major outward-facing changes were discovered in macOS High Sierra 10.13.3 during the beta testing period, but according to Apple's release notes, it brings security and feature improvements.

The update offers additional fixes for the Spectre and Meltdown vulnerabilities that were discovered and publicized in early January and initially fixed in macOS High Sierra 10.13.2.

We also know that the update fixes a bug that allowed the App Store menu in System Preferences to be unlocked with any password. Aside from those changes, Apple's release notes say that the update "addresses an issue that could cause Messages conversations to be temporarily listed out of order."

For more information on the macOS High Sierra operating system, make sure to check out our dedicated macOS High Sierra roundup.


Apple Seeds Fifth Beta of macOS High Sierra 10.13.3 to Developers

Apple today seeded the fifth beta of an upcoming macOS High Sierra 10.13.3 update to developers, one week after seeding the fourth beta and more than a month after releasing macOS High Sierra 10.13.2, the second major update to the macOS High Sierra operating system.

The new macOS High Sierra 10.13.3 beta can be downloaded from the Apple Developer Center or through the Software Update mechanism in the Mac App Store with the proper profile installed.


It's not yet clear what improvements the macOS High Sierra 10.13.3 update will bring, but it's likely to include bug fixes and performance improvements for issues that weren't addressed in macOS High Sierra 10.13.2. It offers additional fixes for the Spectre and Meltdown vulnerabilities that were discovered and publicized in early January and fixed initially in macOS High Sierra 10.13.2.

The update also fixes a bug that allows the App Store menu in the System Preferences to be unlocked with any password.

The previous macOS High Sierra 10.13.2 update focused solely on security fixes and performance improvements, with no new features introduced, and a supplemental update introduced a fix for the Spectre vulnerability.
