While Intel, Google, ARM, and Microsoft rushed to issue both public statements and patches addressing the Meltdown and Spectre processor security exploits, Apple took the opposite tack, waiting more than a day to quietly downplay the gigantic story using a tech support document, without a corresponding press release or public statement. In short, the number of affected Apple products is huge, and the company doesn’t yet have fixes ready for all of them, but it’s working on them — there’s no need to worry.
The particularly bad news for Apple and its users: “All Mac systems and iOS devices are affected,” according to the support document. This stunningly broad admission erases any ambiguity as to whether Apple’s custom-designed A-series chips and more recent products were protected — they were not. Worse: tvOS devices* running on Apple-designed chips also appear to be affected, though with varied vulnerabilities.
On the other hand, Apple was ahead of its rivals in saying that “there are no known exploits impacting customers at this time.” Apple has already patched its iOS, macOS, and tvOS operating systems against Meltdown, which means that any device running iOS 11.2, macOS 10.13.2, or tvOS 11.2 was partially protected before most people knew there were issues worthy of concern. Additionally, Apple plans to patch its Safari browser “in the coming days” to address Spectre, suggesting complete fixes for current macOS and iOS devices aren’t far off.
Unfortunately, there are tens if not hundreds of millions of older Apple devices in the marketplace that can’t run Apple’s latest operating systems and browsers, and it’s unclear what Apple will do to secure them. Intel drew a clear line in its announcement, providing timetables for protection of processors five years old or newer; ARM offered patches across Cortex processors regardless of age. Apple’s silence on this question isn’t exactly reassuring — will older Apple products receive security patches?
Additionally, the risk to tvOS devices remains somewhat ambiguous. Since Apple is addressing Spectre with Safari patches on macOS and iOS, but Apple TVs don’t have a Safari app, the solution there isn’t clear. It appears Apple will patch tvOS itself to address Spectre.
If there’s any silver lining in Apple’s announcement, it’s that performance impacts to Macs and iOS devices are said to be non-existent or small. Apple notes that benchmarks show “no measurable reduction” in macOS or iOS performance after the Meltdown patch and that upcoming Safari patches will have either “no measurable impact” or “an impact of less than 2.5 percent,” depending on the benchmark. But again, nothing is said about the Apple Watch and Apple TV, both of which historically suffered from sluggish performance before receiving processor upgrades.
Like other OS vendors, Apple promises to release “further mitigations for these issues” in future iOS, macOS, and tvOS updates. Hopefully, the initial Spectre patches will fare as well as the Meltdown ones and Apple will announce solutions for older and less common devices, as well.
Update at 10:48 a.m. Pacific: Apple changed its announcement on January 5 to note that Apple Watches are not affected by either Meltdown or Spectre, after saying on January 4 only that Watches were unaffected by Meltdown. We’ve updated this article to reflect the change.