What Should You Do?
Users on macOS Mojave should immediately update to macOS 10.14.5, available through the normal software update mechanisms. If you’re on an older Mac that can’t run Mojave, you can instead apply Security Update 2019-003 to either High Sierra or Sierra.
There are no security updates for versions of macOS prior to Sierra, so if you’re running El Capitan, Yosemite, or an even older version, you’ll need to bite the bullet and update to at least Sierra to get access to the fix. All affected Macs should support at least macOS Sierra.
What the Patch Does
Note that installing the security update by itself only patches the vulnerability in Safari, preventing exploitation via JavaScript or other malicious code from websites that you may visit. Since the only other way to be impacted by the vulnerability is by installing a malicious app yourself, this should be enough for most users — as long as you’re using Safari as your only browser. Apple notes that this Safari-level mitigation comes with no performance impact.
If you’re using another browser like Chrome or Firefox, however, you’ll need to install updates from your browser’s developer (i.e. Google or Mozilla). Mozilla has said that it has a long-term fix on the way for Firefox, although in the meantime the company has applied the mitigations recommended by Apple, which will be included in Firefox release 67 and Extended Support Release update 60.7, both expected to arrive early next week.
Full Mitigation
As of this writing, however, Google’s response to Chrome users has been to rely on operating system updates, which means you’ll need to enable Apple’s additional “full mitigation” procedure if you want to ensure you’re protected. Apple doesn’t enable these in the macOS patch by default, since they require you to disable hyper-threading entirely on your CPU, which will result in a serious performance hit — up to a 40% reduction, according to Apple.
The full mitigation steps will prevent any app from being able to exploit the vulnerability, but due to the performance cost it’s only recommended for users in high-risk environments, those who regularly run untrusted apps on their Macs, or those who are simply extremely security conscious and willing to sacrifice that kind of performance in order to eliminate the risk completely. Sadly, however, since Google doesn’t appear to be taking any steps to mitigate the issue in Chrome itself, users who rely on that browser will need to consider themselves to be in a “high-risk environment” and should apply the full mitigation steps. As far as we’re concerned, this may be as good an excuse as any to switch to Safari.
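The “full mitigation” described above boils down to turning hyper-threading off, and a defender wants to verify that it actually took effect rather than trust that the procedure was run. The script below is an added example; it is not part of the article and not Apple’s own tooling. It assumes an Intel Mac that exposes the machdep.cpu.core_count and machdep.cpu.thread_count sysctl keys, and the SMTDisable NVRAM variable that Apple’s documented Recovery-mode procedure sets (that procedure also changes boot-args, which this script does not inspect). The decision functions take plain numbers so they can be exercised on any POSIX shell; only the live probe is macOS-specific.

```shell
#!/bin/sh
# Added example (not from the original article): report whether the "full
# mitigation", i.e. hyper-threading (SMT) disabled, is active on this Mac.
# Assumptions: Intel Mac with the sysctl keys machdep.cpu.core_count and
# machdep.cpu.thread_count, and the NVRAM variable SMTDisable set by Apple's
# documented Recovery procedure. The boot-args half of that procedure is not
# checked here.

# smt_state CORES THREADS
# Prints "disabled" when the OS exposes no more hardware threads than physical
# cores (hyper-threading off), otherwise "enabled".
smt_state() {
  cores="$1"
  threads="$2"
  if [ "$threads" -le "$cores" ]; then
    echo disabled
  else
    echo enabled
  fi
}

# mitigation_verdict SMT_STATE NVRAM_FLAG
# Combines the live thread count with whether SMTDisable is set in NVRAM.
# Prints: full    (flag set and hyper-threading off)
#         pending (flag set but hyper-threading still on: a reboot is needed)
#         partial (flag absent, hyper-threading off anyway, e.g. a CPU without HT)
#         none    (flag absent, hyper-threading on)
mitigation_verdict() {
  state="$1"
  flag="$2"
  if [ "$flag" = "yes" ] && [ "$state" = "disabled" ]; then
    echo full
  elif [ "$flag" = "yes" ]; then
    echo pending
  elif [ "$state" = "disabled" ]; then
    echo partial
  else
    echo none
  fi
}

# Live probe, attempted only on macOS; elsewhere the functions above can still
# be exercised with constructed values (see the sample at the end).
report_live() {
  if [ "$(uname -s 2>/dev/null)" != "Darwin" ]; then
    echo "not macOS; skipping live check"
    return 0
  fi
  cores=$(sysctl -n machdep.cpu.core_count 2>/dev/null || echo 0)
  threads=$(sysctl -n machdep.cpu.thread_count 2>/dev/null || echo 0)
  # `nvram VAR` exits non-zero when the variable is not set.
  if nvram SMTDisable >/dev/null 2>&1; then flag=yes; else flag=no; fi
  state=$(smt_state "$cores" "$threads")
  echo "cores=$cores threads=$threads hyper-threading=$state SMTDisable_set=$flag"
  echo "full mitigation: $(mitigation_verdict "$state" "$flag")"
}

report_live
# Constructed sample: a 4-core, 8-thread Mac with no NVRAM flag set.
echo "sample verdict: $(mitigation_verdict "$(smt_state 4 8)" no)"
```

The “pending” verdict is the one worth watching for in a fleet: the NVRAM flag is present, so someone ran the procedure, but the machine has not been restarted since, so it is still exposed to the same degree as an unmitigated one.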