MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
apple
Recherche

Asahi Linux Dev Reveals 'M1RACLES' Flaw In Apple M1

jeudi 27 mai 2021, 00:40 , par Slashdot/Apple
AmiMoJo shares a report from Tom's Hardware: Asahi Linux developer Hector Martin has revealed a covert channel vulnerability in the Apple M1 chip that he dubbed M1RACLES, and in the process, he's gently criticized the way security flaws have started to be shared with the public. Martin's executive summary for M1RACLES sounds dire: 'A flaw in the design of the Apple Silicon 'M1' chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange. The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision.'

He also noted that this was the result of an intentional decision on Apple's part. 'Basically, Apple decided to break the ARM spec by removing a mandatory feature, because they figured they'd never need to use that feature for macOS,' he explained. 'And then it turned out that removing that feature made it much harder for existing OSes to mitigate this vulnerability.' The company would have to make a change on the silicon level with its followup to the M1 to mitigate this flaw. But he also made it clear in the FAQ that Mac owners shouldn't be particularly worried about M1RACLES because that covert channel affects two bits. It can be expanded, and Martin said that transfer rates over 1 MB/s are possible 'without much optimization,' but any malicious apps that might take advantage of such methods would be far more likely to share information via other channels. Calling this a two-bit vulnerability would be both technically and linguistically correct. It's a real security flaw, sure, but it's unlikely to pose a real threat to Apple's customers.

Read more of this story at Slashdot.
rss.slashdot.org/~r/Slashdot/slashdotApple/~3/9DBo_JP3MLw/asahi-linux-dev-reveals-m1racles-flaw-in-a...
News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network
Date Actuelle
ven. 29 mars - 16:46 CET