Why you need to update to iOS 11.2.2
On 8 January, Apple released iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities that has been making headlines of late. (If you need a full rundown about what these processor bugs entail and how they work.
This iOS update specifically addresses CVE-2017-5753 (bounds check bypass, "variant 1") and CVE-2017-5715 (branch target injection, "variant 2"), the two chip-level vulnerabilities collectively known as Spectre. At a very high level, all of the chip-level vulnerabilities, Spectre included, abuse the processor's speculative execution: the CPU does work ahead of time on a path it has guessed, and although the results of a wrong guess are discarded, side effects such as which cache lines were loaded remain measurable. An attacker who can steer that guess, and time the cache afterwards, can read memory they were never supposed to be able to see.
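The page does not show Apple's or WebKit's code, so the following is an added illustration, not code from the original article or from Apple. It shows the shape of a CVE-2017-5753 ("variant 1") gadget, a correctly bounds-checked table lookup whose load can still run speculatively with an out-of-bounds index, beside the branchless index-masking hardening used in kernels and browser engines (the mask construction is the same as Linux's array_index_mask_nospec()). The table, the secret bytes and the function names are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a 16-entry table that untrusted input is allowed to index. */
#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Constructed stand-in for the memory an out-of-bounds speculative read would
 * reach; in a real attack this is whatever happens to follow the table. */
static const uint8_t secret[8] = "SECRET!";

/* Vulnerable shape (variant 1). Architecturally this is correct: an out-of-range
 * idx never returns table[idx]. But a branch predictor trained on in-range calls
 * will execute the load speculatively before the comparison resolves, touching
 * table[idx] for idx >= TABLE_SIZE and leaving a cache footprint an attacker can
 * time. Kept as the "before" case for comparison. */
uint8_t lookup_unprotected(size_t idx)
{
    if (idx < TABLE_SIZE) {
        return table[idx];
    }
    return 0;
}

/* Branchless mask: all ones when idx < size, all zeros otherwise.
 * If idx >= size, (size - 1 - idx) wraps and sets the top bit; OR-ing with idx
 * keeps it set; complementing clears it; the arithmetic shift then yields 0.
 * If idx < size, both terms are below size, the top bit is clear, the complement
 * is negative, and the shift yields all ones.
 * Assumes size <= SIZE_MAX/2 + 1 and an arithmetic right shift on signed values
 * (implementation-defined in C, but what gcc and clang do on every target). */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx))
                    >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* The index actually used on the "in bounds" path after masking. Exposed as its
 * own function so a unit test can check that no out-of-range index survives. */
size_t index_after_mask(size_t idx)
{
    return idx & index_mask_nospec(idx, TABLE_SIZE);
}

/* Hardened lookup. Even if this branch is entered speculatively with an
 * out-of-range idx, the mask forces the index to 0, so the speculative load
 * can only touch table[0] and no secret-dependent address is formed. */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_SIZE) {
        return table[index_after_mask(idx)];
    }
    return 0;
}

int main(void)
{
    size_t attacker_idx = TABLE_SIZE + 2; /* would land inside secret[] */
    printf("secret starts with '%c' at table+%zu\n", secret[0], (size_t)TABLE_SIZE);
    printf("unprotected(3)=%u masked(3)=%u\n",
           lookup_unprotected(3), lookup_masked(3));
    printf("index used speculatively for %zu: unmasked=%zu masked=%zu\n",
           attacker_idx, attacker_idx, index_after_mask(attacker_idx));
    return 0;
}
```

Two caveats a practitioner will want. First, the mask only matters on the speculative path, so a unit test like the one above can only confirm the architectural result; you still have to inspect the compiled output to make sure the compiler did not turn the mask back into a branch. Second, this hardens one gadget pattern; it does nothing for variant 2, which targets indirect-branch prediction and needs different mitigations (retpolines or microcode-backed barriers).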
There were a number of chip vulnerabilities revealed concurrently earlier this month; they're similar but not the same. Often mentioned in the same breath as Spectre is Meltdown, CVE-2017-5754. While Meltdown affects most Intel processors made since 1995 (the Meltdown paper names Itanium and pre-2013 Atom chips as the exceptions), meaning almost all the world's desktops, laptops and servers, Spectre affects an even broader array of processor types: not just Intel, but AMD and ARM as well.
Most of the world's smartphones, including iPhones and Samsung phones, run on ARM-based chips. So yes, technically, Spectre leaves most of us with a smartphone in our hands vulnerable. Thankfully, vendors and researchers have found the Spectre flaws to be much harder to exploit overall than Meltdown, and they are also harder to fix: there is no single operating-system change, like the kernel page-table isolation that blocks Meltdown, that closes them off. As a result, Spectre hasn't been as high a priority for a fix.
So if we got a Spectre patch yesterday and Spectre's the lower priority, where is the fix for Meltdown? After all, Meltdown is not mitigated by this iOS patch. That's because Apple already released an update to mitigate Meltdown: the fix was in the iOS 11.2 update back in December, though we didn't know it at the time. (If you check the iOS 11.2 security notes, you'll see that the full details of the kernel update, and the CVE it addressed, CVE-2017-5754, were only added on 4 January.)
In fact, the vast majority of us didn't know about Meltdown's existence until January. According to the official Meltdown research paper, however, the researchers who discovered Meltdown were able to work within a responsible disclosure period with vendors to get patches out for macOS, Windows and Linux before public disclosure. So kudos to all involved there, and hooray for coordinated disclosure.
If you're an iOS user on iPhone or iPad, the iOS 11.2.2 update should already be available for you to download and install (Settings > General > Software Update); as always, we recommend you patch as soon as you can. Hopefully you've already applied the December iOS 11.2 update to get the fix for Meltdown!
Apple says:
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
We would like to acknowledge Jann Horn of Google Project Zero; and Paul Kocher in collaboration with Daniel Genkin of University of Pennsylvania and University of Maryland, Daniel Gruss of Graz University of Technology, Werner Haas of Cyberus Technology, Mike Hamburg of Rambus (Cryptography Research Division), Moritz Lipp of Graz University of Technology, Stefan Mangard of Graz University of Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz of Graz University of Technology, and Yuval Yarom of University of Adelaide and Data61 for their assistance.