Apple has released an updated version of its operating system software to fix a major microchip security flaw that affected nearly all computer chips made in the last decade.
Last week, Alphabet Inc’s Google and other security researchers disclosed two major chip flaws, one called Meltdown affecting only Intel Corp chips and one called Spectre, that left computing devices vulnerable to hackers.
‘iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre,’ the firm said.
The technology giant also released software updates for its Mac, Apple TV and Apple Watch.
The iPhone maker had said on Thursday it will release a patch for the Safari web browser on its iPhones, iPads and Macs.
Apple had also said that there were no known instances of hackers taking advantage of the flaw.
‘For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,’ the company said on its website.
The iOS update is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, it said.
Every iPhone, iPad and Mac device could be at risk of being hacked, it had previously warned.
Apple confirmed last week that almost all of its devices are affected by Intel and Arm chip ‘design flaws’ that could expose billions of people’s personal data to cyber criminals.
The flaws leave the devices open to the devastating ‘Meltdown’ and ‘Spectre’ bugs, discovered by security researchers.
The tech company has warned its customers to only download software for its platforms from trusted sources, like the App Store.
Apple says it has already put measures in place to help protect its customers from Meltdown and more will be released in the coming days.
The firm today released further measures for its Safari web browser to help defend against Spectre.
Browser makers Google, Microsoft Corp and Mozilla Corp’s Firefox all confirmed to Reuters that the patches they currently have in place do not protect iOS users.
With Safari and virtually all other popular browsers not patched, hundreds of millions of iPhone and iPad users may have no secure means of browsing the web until Apple issues its patch.
Apple stressed that there were no known instances of hackers taking advantage of the flaw to date.
In a written statement last week, Apple said: ‘All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.
‘Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.
‘We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.’
Tech firms have been aware of the bugs since last year, with chip manufacturer Intel informed in June 2017, but the finds have only just gone public.
Apple remained silent for more than a day about the fate of the hundreds of millions of users of its products.
Ben Johnson, co-founder and chief strategist for cyber security firm Carbon Black, said the delay in updating customers about whether Apple’s devices are at risk could affect Apple’s drive to get more business customers to adopt its hardware.
Speaking to Reuters, he said: ‘Something this severe gets the attention of all the employees and executives at a company, and when they go asking the IT and security people about it and security doesn’t have an answer for iPhones and iPads, it just doesn’t give a whole lot of confidence.’
Measures released in iOS 11.2, macOS 10.13.2, and tvOS 11.2 will help defend against Meltdown, according to Apple.
Apple Watch is not affected by the issue.
Benchmark tests taken in December showed that the updates had no effect on performance, a spokesman for the Cupertino-based company said.
These are expected to cause system slowdowns of around 2.5 per cent.
Security researchers at Google’s Project Zero computer security analysis team, in conjunction with academic and industry researchers from several countries, exposed the two flaws this week.
Meltdown, which is specific to Intel chips, lets hackers bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory.
It was first discovered by Project Zero in June last year, when expert Jann Horn found that passwords, encryption keys, and sensitive information open in applications that should have been protected could be accessed.
A second bug, called Spectre, affects chips from Intel, AMD and Arm.
This lets hackers potentially trick otherwise error-free applications into giving up secret information.
Project Zero disclosed the Meltdown vulnerability not long after Intel said it’s working to patch it.
Intel says the average computer user won’t experience significant slowdowns as it’s fixed.
Tech companies typically withhold details about security problems until fixes are available, so that hackers don’t have a roadmap to exploit the flaws.
Both Intel and Google said they were planning to disclose the issue next week, when fixes will be available.
But Intel was forced to come clean about the problem yesterday after news of the flaw became public.
In an interview with CNBC yesterday, Intel CEO Brian Krzanich said: ‘We’ve found no instances of anybody actually executing this exploit.
‘Phones, PCs, everything are going to have some impact, but it’ll vary from product to product.’
However, clips on social media claim to show computer security experts using the exploit.
Michael Schwarz, who has a PhD in information security, posted on Twitter ‘Using #Meltdown to steal passwords in real time’, along with a GIF animation of the procedure.
Researchers say Apple and Microsoft have patches ready for users for desktop computers affected by Meltdown.
Microsoft declined to comment and Apple did not immediately return requests for comment.
Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it ‘probably one of the worst CPU bugs ever found’ in an interview with Reuters.
Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.
Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.
Intel’s CEO said Google researchers told Intel of the flaws ‘a while ago’ and that Intel had been testing fixes that device makers who use its chips will push out next week.
Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on January 9.
Google said it informed the affected companies about the ‘Spectre’ flaw on June 1, 2017 and reported the ‘Meltdown’ flaw after the first flaw but before July 28, 2017.
The flaws were first reported by tech publication The Register.
It also reported that the updates to fix the problems could cause Intel chips to operate five to 30 per cent more slowly, with some experts claiming this could be more like 50 per cent.