Back in January 2018, news of the Spectre and Meltdown vulnerabilities took the world by surprise. Several independent research groups began publishing details about the speculative execution vulnerabilities. The flaws affected various processor architectures, most notably Intel, but also AMD, and even ARM-based processors like those found in iPhones and iPads. (Today’s Apple silicon-based Macs with M1 and M2 processors are also ARM-based.)
As we noted at the time, the world was just beginning to understand speculative execution flaws; it was only a matter of time before similar flaws were discovered. Sure enough, more have been discovered since then, including SPOILER, though few have directly impacted Macs.
On August 9, 2023, researcher Daniel Moghimi spoke at the Black Hat USA 2023 conference and shared details about a new speculative execution vulnerability: Downfall (CVE-2022-40982). Moghimi reported the vulnerability to Intel nearly one year ago, in August 2022, and kept the details under embargo until now.
Here’s what Mac users should know about this vulnerability.
In this article:
- What can an attacker do by exploiting Downfall?
- Is there a fix available? Are Macs affected?
- Which Macs are potentially affected?
- If Apple releases updates, which Macs will likely get fixed?
- How can I learn more?
What can an attacker do by exploiting Downfall?
By exploiting Downfall, attackers can read data in the computer’s memory that “should not normally be accessible.” According to Moghimi:
“A hacker can target high-value credentials such as passwords and encryption keys. Recovering such credentials can lead to other attacks that violate the availability and integrity of computers in addition to confidentiality.”
Moghimi says that such attacks are “highly practical.” In just two weeks, he was able to create “an end-to-end attack stealing encryption keys from OpenSSL.”
What’s worse, Moghimi says that it’s theoretically possible for an attacker-controlled Web page to remotely exploit the vulnerability on a victim’s computer.
Is there a fix available? Are Macs affected?
Intel has released microcode updates for affected processors. Dell, Lenovo, and other manufacturers have begun to release BIOS updates for affected PCs.
But Apple—which sold potentially affected Intel-based Macs from 2015 through 2023—has not yet confirmed whether Macs are directly impacted. Moghimi doesn’t speculate about this; rather, he links to a Macworld article that does the speculation for him. Macworld, for its part, reached out to Apple, but the company has not yet responded. Intego has also contacted Apple but has not received a response yet; we’ll update this article if Apple replies.
Which Macs are potentially affected?
Based on the information that has been made available so far, the following Macs could potentially be impacted by the Downfall vulnerability:
- iMac (Retina 5K, 27-inch)
  - Models: Late 2015, 2017, 2019, 2020
  - Sold new from Oct 2015–Mar 2022
- iMac (21.5-inch, 2017) — sold new from Jun 2017–Oct 2021
- iMac (Retina 4K, 21.5-inch)
  - Models: 2017, 2019
  - Sold new from Jun 2017–Apr 2021
- iMac Pro (2017) — sold new from Dec 2017–Mar 2021
- Mac mini (2018) — sold new from Oct 2018–Jan 2023
- Mac Pro (2019) — sold new from Dec 2019–Jun 2023
- MacBook (Retina, 12-inch)
  - Models: Early 2016, 2017
  - Sold new from Apr 2016–Jul 2019
- MacBook Air (Retina, 13-inch)
  - Models: 2018, 2019, 2020
  - Sold new from Oct 2018–Nov 2020
- MacBook Pro (13-inch)
  - Models: 2016, 2017, 2018, 2019, 2020, with Two or Four Thunderbolt 3 Ports
  - Sold new from Oct 2016–Oct 2021
- MacBook Pro (15-inch)
  - Models: 2016, 2017, 2018, 2019
  - Sold new from Oct 2016–Nov 2019
- MacBook Pro (16-inch) — sold new from Nov 2019–Oct 2021
Each of these Macs has a potentially affected Intel processor from the 6th–10th generation (Skylake, Kaby Lake, Coffee Lake, Amber Lake, Cascade Lake, Ice Lake, or Comet Lake).
Although Downfall also affects 11th generation Intel processors, Apple had stopped releasing new Intel-based Mac models before this generation’s debut in 2021.
If Apple releases updates, which Macs will likely get fixed?
Firmware updates are the Mac’s equivalent of BIOS updates. For the past several years, Apple has bundled Mac firmware updates with macOS updates; they’re not available as separate downloads. Firmware updates are installed automatically, as needed, as part of the macOS patching process.
It may be safe to assume that Apple has not yet released updates to address Downfall for any Macs. There’s no mention of CVE-2022-40982 or Downfall on Apple’s security updates page or its support site. Now that the general public has known about the vulnerability for more than a week, and most major PC hardware manufacturers have released statements, Apple’s silence hints that it likely hasn’t silently bundled patches with past macOS updates.
But macOS Sonoma is right around the corner. It only supports certain Mac models released in 2018 or later (aside from the iMac Pro, which only has a single model released in 2017; it’s the only 2017 Mac that officially supports Sonoma).
That might mean that, even if Apple releases firmware updates to mitigate Downfall, the other 2015, 2016, and 2017 Mac models might not get any updates.
If that’s the case, then those 2015–2017 models could be stuck with a perpetual hardware vulnerability. (Of course, not being able to run macOS Sonoma also leaves them at risk anyway, because Apple doesn’t fully patch the two previous macOS versions.)
Again, at this point we can only speculate about which models may be vulnerable to Downfall, and what Apple might do about it. We’ll have to wait and see whether Apple acknowledges the problem and how it decides to handle it.
How can I learn more?
By the way, Apple never did release a statement about SPOILER, or patches to mitigate it. To this day, it remains unclear whether Macs were impacted.