Is there a Meltdown vulnerability fix already available for macOS?
While Apple has yet to comment on the flaw, Alex Ionescu, Windows security expert, noted a fix was present in a new 10.13.3 update to macOS.
source: How to Protect Yourself From Meltdown and Spectre, the Latest Processor Security Flaws
Meltdown
macOS patched December 6, 2017 in macOS 10.13.2
iOS patched December 2, 2017 in iOS 11.2
Apple patched CVE-2017-5754 (Meltdown) in macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan. (Support Article HT208331)
Spectre
As of January 8th, Apple has released updates for Safari on macOS and iOS to minimize the effectiveness of Spectre. (Support Article HT208394) Note that Spectre cannot be "patched", only more difficult to execute.
As posted in another, similar security related post, it's Apple's policy to not comment on security vulnerabilities until they are patched, and even when they do, they are often quite vague about it.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
So, the comment in the linked article, should be viewed with (little) skepticism:
While Apple has yet to comment on the flaw, Alex Ionescu, Windows security expert, noted a fix was present in a new 10.13.3 update to macOS.
However, with a little detective work, we can gain some insight. Looking at the CVEs assigned to this particular vulnerability,* we can get listing of the issues that should be addressed by Apple when they decide to issue a security patch: There are three CVE's assigned to these issues:
-
CVE-2017-5753 and CVE-2017-5715 are assigned to Spectre. There's currently no patch available. However, according to Apple, the vulnerability is "very difficult to exploit" but can be done via Javascript. As such, they will issue an update for Safari on macOS and iOS in the future
Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.
CVE-2017-5754 is assigned to Meltdown. This has been patched with macOS High Sierra 10.13.2 ONLY. Sierra and El Capitan are not yet patched.
TL;DR
Meltdown has been patched in the most recent updates to macOS High Sierra. Sierra and El Capitan are currently unpatched
Spectre is unpatched, but very difficult to execute though it can be exploited in Javascript. Ensure you update your browsers (like Firefox, Chrome, etc.) when and where applicable in addition to the updates provided from Apple.
*Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cyber security vulnerabilities. Use of "CVE Identifiers (CVE IDs)," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software vulnerability, provides a baseline for tool evaluation, and enables data exchange for cyber security automation.