It emerged this week that tech companies have been racing to fix the Meltdown and Spectre bugs, that could allow hackers to steal data.

Apple said it had already released some patches but there was no evidence that the vulnerability had been exploited.

But it advised downloading software only from trusted sources to avoid “malicious” apps.

Mac users have often believed that their devices and operating systems are less vulnerable to security issues than, for example Android phones or computers running Microsoft systems.

But the Meltdown and Spectre flaws are found in all modern computer processing units – or microchips – made by Intel and ARM, and together the firms supply almost the entire global computer market.

“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” Apple said in blog post on the issue.

“These issues apply to all modern processors and affect nearly all computing devices and operating systems.”

Apple said it had already released “mitigations” against Meltdown in its latest iPhones and iPad operating system update – iOS 11.2 and the macOS 10.12.2 for its MacBooks and iMacs.

Meltdown does not affect the Apple Watch, it said, as the bug was an issue with Intel processors which are not contained in that device.

Patches against Spectre, in the form of an update to web browser Safari, will be released “in the coming days”.

Google and Microsoft have already issued statements telling users which products are affected by the bugs.

Google said its Android phones – which make up more than 80% of the global market – were protected if users had the latest security updates.

And Microsoft has already released fixes for many of its services.

–

Source: BBC

The post All Mac devices affected by chip flaws – Apple appeared first on Citi 97.3 FM - Relevant Radio. Always.

The bug meant anyone with physical access to a Mac running High Sierra could get admin access to the machine.

Wired magazine has found that the bug returns if Mac owners upgrade to the latest version of High Sierra after applying the patch.

Apple issued an apology for the appearance of the bug saying its users “deserved better”.

Proper patch

The bug let anyone obtain high-level access to a Mac simply by typing the username “root” and leaving the password field blank.

The problem was present on Mac computers running version 10.13. and 10.13.1 of the latest version of Apple’s operating system known as High Sierra.

Apple produced a patch to close the loophole less than a day after it was first reported.

Now it has emerged that the order in which people installed updates and patches for their Mac can mean the problem is not fixed.

The bug would still be present on a Mac that:

• was running High Sierra 10.13
• applied the security patch
• upgraded to High Sierra 10.13.1
• had not been rebooted

“You could easily have someone who doesn’t reboot their computer for months,” Thomas Reed, a security researcher at Malwarebytes, told Wired. “That’s not a good thing.”

Writing in Wired, Andy Greenberg said it was “not clear” how many users might be exposed by this particular set of circumstances.

Apple has yet to respond to a request for comment about the circumstances under which the root bug would reappear.

However, Apple’s support page about the loophole stresses the importance of making sure that the security patch is “applied properly”.

–

Source: BBC

The post Apple Mac security issue may reoccur appeared first on Citi 97.3 FM - Relevant Radio. Always.

Duo Security found that 4.2% of the 74,000 Macs it tested ran insecure versions of software that helps get the machines running.

It said the figure was likely to be replicated in the global population of Macs and worse on PCs.

Apple welcomed the research and said it was improving how it updated machines.

In its research, Duo Security looked at the versions of a type of software known as the extensible firmware interface (EFI) on a large population of Apple Mac computers currently in use.

“It’s the first bit of code that runs when you press the power button,” said Rich Smith, Duo’s director of security.

Complete control

Many Macs Duo tested had never had their EFI updated, he said, and some were using old versions of the code even though they were up to date with operating system and application security patches.

“It’s a silent failure because the user or administrator is never notified,” he said, adding that it was not clear what had stopped some machines updating their EFI correctly.

Attacks via the EFI were rare, said Mr Smith, because attackers typically had faster or more lucrative ways to steal cash from victims.

However, the most “sophisticated” attackers were likely to use them because they gave them deep access to a target system.

“You can do anything from there and circumvent any of the controls that are higher in the system,” he said.

Several researchers had developed EFI attacks that some nation states were known to copy, he said.

In a statement, Apple said it “appreciated” the work Duo did highlighting what it called an “industry-wide” issue.

“Apple continues to work diligently in the area of firmware security and we’re always exploring ways to make our systems even more secure,” it said. The newest version of its Mac operating system, called High Sierra, applies weekly checks to ensure machines have an up-to-date EFI.

Mr Smith agreed that every computer maker could do better at handling EFI updates.

“The problems we found with Apple are indicative of an industry-wide problem,” he said. “On the PC we expect the situation to be quite a lot worse.”

–

Source: BBC

The post Apple Macs and PCs at risk from boot bug appeared first on Citi 97.3 FM - Relevant Radio. Always.