Apple chips can be hacked to leak secrets from Gmail, iCloud, and more
-
[email protected]replied to [email protected] last edited by
Then you probably don't know about Spectre and Meltdown from a few years ago. Same family of problem on x86-64 (so Intel and AMD chips).
-
[email protected]replied to [email protected] last edited by
The main issue with these vulnerabilities is a loss in performance when the microcode patch gets applied.
-
[email protected]replied to [email protected] last edited by
If you think a website is unsafe, don’t open it.
Ahh yes, back to the dark ages of the internet where just clicking the wrong link can completely compromise your system.
Thanks crapple and its useful idiots.
-
[email protected]replied to [email protected] last edited by
Being a Linux user I really like everything being ran in the browser. What if we just have more control of which JS APIs can be used? On a site by site bases. Which I assume can probably already be done with extensions.
-
[email protected]replied to [email protected] last edited by
Wasn't it that those bugs were public knowledge by the time M1 was starting to sell? I guess recalls or delays to revenue are not acceptable.
Trophy for Apple being the first one to bring these speculative execution side channel attacks to Arm, because I've never heard of other cases. Ifi missed that please share enough details that I can find a white paper about it, because I don't read those kind of news from media.
-
[email protected]replied to [email protected] last edited by
Run an adblocker. Seriously, ads are nothing but other websites in the same browser - exactly the kind of thing that is the basis of this problem.
-
[email protected]replied to [email protected] last edited by
That you’ve never heard of it does not mean it doesn’t exist. You - or anyone else - just never heard of it.
-
[email protected]replied to [email protected] last edited by
Also, it’s more and more clear that it’s a bad idea that websites can just execute arbitrary code. The JS APIs are way too powerful and complex nowadays.
Javascript in general was a mistake, and always has been.
The web should've had Scheme or Python instead. Or better yet, we shouldn't have given up so quickly on Java Web Start because then we could've had proper web applications with their own windows and native UIs and such.
Maybe websites and apps should’ve stayed separate concepts instead of merging into “web apps”.
Damn straight!
-
[email protected]replied to [email protected] last edited by
Some browsers such as cromite disable JIT compilation and WebAssembly by default. Allowing you to opt-in to enable these features on a site by site bases.
JIT and WebAssembly have been the source of many high profile CVE in browser recently including the one mentioned in the post.
relevant research
-
[email protected]replied to [email protected] last edited by
FLOP abuses the LVP in a way that allows the attacker to run functions with the wrong argument—for instance, a memory pointer rather than an integer.
is this a vulnerability in the software? So patching this won't require disabling speculative execution?
-
[email protected]replied to [email protected] last edited by
Yep sure that's the definition of a 0 day vulnerability, it was always there and suddenly someone found out.
What I'm saying is that I have a special interest in this topic and never heard of this problem for Arm before, and if some has more awareness than me I'd like to hear more from trusted sources.
-
[email protected]replied to [email protected] last edited by
Hardware. There's a load value predictor that guesses the value of a load from memory
-
[email protected]replied to [email protected] last edited by
I mean, Intel did it first and I do believe AMD and Qualcomm also followed suit.
-
[email protected]replied to [email protected] last edited by
Oh no, not python!
-
[email protected]replied to [email protected] last edited by
Take a look at ARM Morello and CHERI.
-
[email protected]replied to [email protected] last edited by
Fast for the benchmarks. "We'll make it slower and safer later."
-
[email protected]replied to [email protected] last edited by
You do realize this kind of attack first appeared on x86 hardware, right?
https://thehackernews.com/2024/10/new-research-reveals-spectre.html?m=1
-
[email protected]replied to [email protected] last edited by
We can laugh all we want but this issue was present on x86 hardware first
https://thehackernews.com/2024/10/new-research-reveals-spectre.html?m=1
-
[email protected]replied to [email protected] last edited by
Side channel attacks are as old as computing, and the specific CPU variants exploiting speculative execution have not simply occurred on 2018 hardware and stopped since; pretty much all CPU architecture is susceptible to some form of speculative execution exploit, Apple simply is not an exception to the rule, and I think it's unfair to call them out as somehow incompetent for making the same mistake as literally everyone
-
[email protected]replied to [email protected] last edited by
Yes, I realize that.
You do realize that this kind of attack happened after spectre and meltdown? Apple knew of the risks, but decided to ignore them.