Apple confirms Meltdown and Spectre vulnerabilities affect its products, but first fixes are already out
In a new knowledge base article, Apple has posted information about which products are affected by the widely publicized CPU vulnerabilities, and what the company has done and is going to do moving forward.
In a gist: the Mac, iPhone, and Apple TV are affected by the Meltdown exploit, but not Apple Watch. However, Apple has already released mitigations in iOS 11.2, MacOS 10.13.2, and TVOS 11.2 to help defend against Meltdown. In a separate support document, Apple has earlier said that MacOS Sierra 10.12.6 and OS X El Capitan 10.11.6 are also patched, but these two versions have since been removed from the list - in short, only MacOS High Sierra is patched at the moment.
Additionally, in the “coming days”, the Safari browser for MacOS and iOS is also getting mitigations to help defend against Spectre, which uses exploitation techniques different from Meltdown. Down the road, Apple will continue to develop and test further mitigations for these issues and release them in upcoming updates of iOS, MacOS, TVOS, and WatchOS.
Regarding the performance hit that the devices will take after applying the fixes, Apple says that its testing with public benchmarks has shown that the changes in the December 2017 updates for Meltdown resulted in “no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES–6.” And for the upcoming upcoming Safari mitigations for Spectre, there “will have no measurable impact on the Speedometer and ARES–6 tests and an impact of less than 2.5% on the JetStream benchmark.”
Update, Jan 6, 10 AM: Updated article to note that Apple hasn't patched Meltdown for MacOS Sierra 10.12.6 and OS X El Capitan 10.11.6.