Though Intel, Google, ARM, and Microsoft rushed to issue both public statements and patches addressing the Meltdown and Spectre processor vulnerabilities, Apple took the opposite tack, waiting more than a day to quietly downplay the gigantic story using a tech support document, without a corresponding press release or public statement. In short, the number of affected Apple products is huge, and the company doesn’t yet have fixes ready for all of them, but it’s working on them — there’s no need to worry.
The particularly bad news for Apple and its users: “All Mac systems and iOS devices are affected,” according to the support document. This stunningly broad admission erases any ambiguity as to whether Apple’s custom-designed A-series chips and more recent products were protected — they were not. Worse: tvOS devices and Apple Watches running on Apple-designed chips also appear to be affected, though with varied vulnerabilities.
On the other hand, Apple was ahead of its rivals in saying that “there are no known exploits impacting customers at this time.” Apple has already patched its iOS, macOS, and tvOS operating systems against Meltdown, which means that any device running iOS 11.2, macOS 10.13.2, or tvOS 11.2 was partially protected before most people knew there were issues worthy of concern. Additionally, Apple plans to patch its Safari browser “in the coming days” to address Spectre, suggesting complete fixes for current macOS and iOS devices aren’t far off.
Unfortunately, there are tens if not hundreds of millions of older Apple devices in the marketplace that can’t run Apple’s latest OSes and browsers, and it’s unclear what Apple will do to secure them. Intel drew a clear line in its announcement, providing timetables for protection of processors five years old or newer; ARM offered patches across Cortex processors regardless of age. Apple’s silence on this question isn’t exactly reassuring — will older Apple products receive security patches?
Additionally, the risk to Apple Watches and tvOS devices remains somewhat ambiguous. Apple explicitly says that the Apple Watch isn’t affected by the Meltdown vulnerability, but leaves open the prospect that it could be affected by Spectre. Since Apple is addressing Spectre with Safari patches on macOS and iOS, but neither the Apple Watch nor Apple TVs have a Safari app, the solution there isn’t clear. It appears that Apple may instead patch tvOS and watchOS themselves to address Spectre.
If there’s any silver lining in Apple’s announcement, it’s that performance impacts to Macs and iOS devices are said to be non-existent or small. Apple notes that benchmarks show “no measurable reduction” in macOS or iOS performance after the Meltdown patch, and that upcoming Safari patches will have either “no measurable impact” or “an impact of less than 2.5 percent,” depending on the benchmark. But again, nothing is said about the Apple Watch and Apple TV, both of which historically suffered from sluggish performance before receiving processor upgrades.
Like other OS vendors, Apple promises to release “further mitigations for these issues” in future iOS, macOS, tvOS, and watchOS updates. Hopefully the initial Spectre patches fare as well as the Meltdown ones, and Apple also announces solutions for owners of older and less common devices.