Apple released iOS 11.2.2 software Monday for iPhones, iPads and iPod touch models that patch for the Spectre vulnerabilities. A macOS High Sierra 10.13.2 supplemental update was also released to bolster Spectre defenses in Apple’s Safari browser and WebKit, the web browser engine used by Safari, Mail, and App Store.
This is the second update for Apple since last week’s revelation of the massive processor vulnerabilities, Meltdown and Spectre, impacting CPU’s worldwide. Apple previously released mitigations against Meltdown with updates that included iOS 11.2, macOS and tvOS 11.2.
Monday’s three updates include macOS High Sierra 10.13.2 supplemental, Safari 11.0.2, and iOS 11.2.2. The updates “includes security improvements” to mitigate the two known methods for exploiting Spectre identified as variants “bounds check bypass” (CVE-2017-5753/Spectre/variant 1) and “branch target injection” (CVE-2017-5715/Spectre/variant 2).
Apple said the Safari 11.0.2 update is available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6. The macOS High Sierra 10.13.2 supplemental update includes security updates for Safari and WebKit. iOS 11.2.2 is for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
According to experts, the Spectre vulnerability, variant is much more difficult attack to carry out than Meltdown because it breaks the isolation between different applications. But, at the same time, it will also be harder to patch.
There is also a greater sense of urgency with Spectre. A Meltdown attack scenario requires an attacker to already have a foothold on the targeted system. Spectre opens up certain types of remote attack scenarios such as browser-based attacks, according to researchers.
Last week Mozilla, along with Microsoft and Google, updated the code in their browsers to increase them time it takes to execute certain Java commands that could exploit the Spectre flaws, making it exponentially harder – but not impossible – to exploit.
“A JavaScript attack being able to pull memory contents of the browser and could result in pulling credentials and session keys, which bypasses a lot of a lot of security protections,” said Jimmy Graham, director of product management at Qualys in a previous interview with Threatpost.
Apple is not releasing any additional technical details of the patches, including what – if any – penalty patches may have on device performance.