Security threats to computer chips - how to proceed?

Been following the stories for a few days. Sufficiently impressed that this isn’t just a Chicken Little situation.

Here’s the thing. I use an Android phone. I asked it to look for software updates a few days ago. No updates were offered.

I also use a Macintosh (OS X 10.12.6 Sierra). Cannot find an update that dates from this week.

This CNN article details the overall story, with links.

This security note linked in the above CNN article is from a Carnegie Mellon University center and details the issues.

No fixes. No patches to download.

You cannot splash shit around on the media, with huge font screaming headlines that read "UPDATE YOUR SOFTWARE TODAY. SERIOUSLY", without providing the fucking patches or downloads.

Anyone actually found the appropriate patches and updates? I for one would be interested in seeing them and downloading them.

OS X 10.13.2 has a mitigation patch.

Apple’s recent update on the situation:

Android is more complex; it’s dependent on how old the phone/OS is and which company controls the updates (e.g. Google, Verizon, etc.).

Article with some phone/tablet info:

“How can it be fixed in non-Google phones?
Just like Meltdown, Spectre can only be mitigated via software. Some newer Android phones (such as certain versions of the Samsung Galaxy S8 and Note 8) have already received Google’s December security update, and other manufacturers should start pushing out their own updates within the next few weeks, as well as Apple’s iOS devices. However, many Android phones will likely remain vulnerable.”

“However, even if you have a phone that’s vulnerable, Google notes that ‘exploitation has been shown to be difficult and limited on the majority of Android devices.’”

Eeech. As usual, Apple demands that I upgrade to their new software in order to get the patch. They refuse to make the patch insertable into 10.12.6. What a shocker. :dubious::dubious::dubious:

That said, I have to assume it’s better to upgrade and deal with the failed software packages, slower operation due to greater RAM hunger from 10.13, etc. - than it is to have everything I’ve ever done on my Mac available.

Of course, it already is, but still.

Thank you for the detailed information. Much appreciated.

Here’s a security page that has links to all major vendors and their statements:

Ongoing discussion in this MPSIMS thread.

Sorry to be the dull crayon in this box, but, how do I get a mitigation patch? I’m running 10.13.2 (and iOS 11.2.1) and the only thing I know how to do is use Settings or the App Store to check for updates – both systems report they are up to date, no updates available.

A patch isn’t an update, I guess, but where do patches live?

The way I explain it to people, and this isn’t friendly, or satisfying, is that by agreeing to use a Mac and MacOS, you’ve also agreed to be at the mercy of Apple, and what version of the operating system they are willing to support. This unfortunately includes being forced to accept updates you don’t want in order to continue to use a safe and secure system.

I know “agree” might not be what is actually happening, in that you may be forced to run MacOS (or Windows, or whatever) because that is what you need, but the bargain doesn’t change.

Anyway, 10.12 might still be patched. The security notes for the latest patch aren’t entirely clear if 10.12 is as protected as 10.13. A brief web search suggests that Apple supports each OS version for 3 years from release date, but I didn’t see that directly from Apple. Considering how new 10.13 is, I’m sure 10.12 is still receiving updates.

As for Android, well, sorry. Security updates on Android are generally a disaster, because phone manufacturers and carriers don’t take it seriously, and some manufacturers stop updating phones shortly after they’re released. Fortunately, unless you’re using one of the very few phones with an Intel processor (some Asus Zenfone 2 models, any others?) then you are probably not subject to the more serious Meltdown vulnerability. Some ARM-based processors are vulnerable, so it isn’t a sure thing.

In this case people are using patch and update interchangeably. Continue to get updates in whatever is the standard method on your system. Apply them when convenient, but don’t put it off too long. Updates are important to apply because they usually fix known problems. Sometimes they introduce new problems, too. Life’s not fair.

But I hear above Apple has a mitigation patch, and the App Store tells me there are no updates available.

If you have updated to 10.13.2, you have the patch.

I have 10.12.6 and I detest the idea that I have to upgrade to High Sierra - which is a blatant nod to Northern California pot culture if ever there was one.

But, I also want that patch.

Damn.

I’d just wait and see if Apple rolls out a patch for earlier OSes.

The name is not intended as a nod to pot culture. It’s generally accepted that when Apple releases a yearly update that doesn’t have too many user-facing features or most of the changes are under-the-hood refinements, they use a variation of the name from the previous update instead of giving it a brand new name. So from Leopard, we got Snow Leopard. From Lion, we got Mountain Lion. And now from Sierra, we get High Sierra. Craig Federighi made a joke about the name being “fully baked” at WWDC but that was clearly just keynote patter to acknowledge that some people could misconstrue the name.