
Apple has finally released an official statement on the status of its mitigations for the recently disclosed Meltdown and Spectre vulnerabilities.

Without mincing words, the Cupertino-based company says that "all Mac systems and iOS devices are affected" by the two vulnerabilities.

Below is a summary of Apple's statement regarding the two flaws that affect the vast majority of processors released in the past two decades.


Apple says that mitigations against the Meltdown flaw, currently known to affect only devices using Intel CPUs, have been quietly deployed in iOS 11.2, macOS 10.13.2, and tvOS 11.2.

Apple Watch is not affected by the Meltdown flaw, the company said.

Intel's PR department has been trying its best to dispel rumors that Meltdown patches cause performance dips for its CPUs. According to Apple's engineers, there was "no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6."


No Apple product has patches to protect against the Spectre flaws, but the company promised updates for iOS, macOS, tvOS, and watchOS.

Nonetheless, the first product to receive Spectre patches will be Safari, on both macOS and iOS. The update is expected in the coming days.

The hurry to patch Spectre on Safari comes from the fact that Spectre can be exploited via JavaScript code, just by accessing a website or viewing a malicious ad. Based on currently available information, Meltdown can't be exploited via JavaScript.

What are Meltdown and Spectre

Google engineers, who discovered Meltdown and Spectre, described the two attacks as follows:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Google says it chose the Meltdown name to describe the attack because "the bug basically melts security boundaries which are normally enforced by the hardware."

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

"The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time," Google says. "Spectre is harder to exploit than Meltdown, but it is also harder to mitigate," hence why Apple has yet to release patches, and why Spectre patches on Windows require additional motherboard/CPU firmware updates. Spectre is known to affect CPUs from Intel, AMD, and ARM.

For a list of updates and security advisories regarding the Meltdown and Spectre bugs, Bleeping Computer has a separate article here.