Apple patches Intel bugs
Apple has released 173 patches across its hardware, including fixes for dangerous bugs in macOS for laptops and desktops, iPhone, Apple TV and Apple Watch. The update also includes a patch for the side-channel vulnerabilities in Intel chips disclosed on Tuesday, which open the door to ZombieLoad. All Mac laptops stretching back to 2011 are affected by the Intel flaws.
The patch covers four side-channel bugs that affect the microcode of macOS Mojave 10.14.4. These impact load ports, fill buffers, and store buffers in systems with microprocessors utilizing speculative execution. They stem from side-channel vulnerabilities called Microarchitectural Data Sampling, or MDS, which impact all modern Intel chips. Hackers can use speculative execution to potentially leak sensitive data from a system’s CPU.
A hacker with local user access can enable information disclosure via a side channel. Multiple information disclosure issues were partially addressed by updating the microcode and changing the OS scheduler to isolate the system from web content running in the browser. The four different attack vectors are dubbed ZombieLoad, Fallout, RIDL and Store-to-Leak Forwarding, and were detailed and publicly disclosed on Tuesday. To completely address these issues, there are additional opt-in mitigations to disable Hyper-Threading and enable microcode-based mitigations for all processes by default.
Apple also patched flaws in the operating systems that power its MacBooks and desktops. All of the bugs are in WebKit, and they can all be exploited via processing maliciously crafted web content. One flaw is an out-of-bounds read vulnerability. There are also 20 different memory corruption issues that may lead to arbitrary code execution. Apple highly recommends installing these patches to mitigate security issues.