Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail.
https://arstechnica.com/security/2025/01/newly-discovered-flaws-in-apple-chips-leak-secrets-in-safari-and-chrome/
=> More informations about this toot | More toots from dangoodin@infosec.exchange
@dangoodin
First, the M1 had headaches now this can’t they get fucking cryptography right?
=> More informations about this toot | More toots from GhostOnTheHalfShell@masto.ai
@GhostOnTheHalfShell @dangoodin This isn’t about cryptography. Speculative prediction attacks are based on things that are in memory or cpu registers. I don’t think there’s a CPU in use today that isn’t subject to some variation of speculative prediction attack. it’s disappointing that there are more now but it’s not unprecedented by any means.
=> More informations about this toot | More toots from scottwillsey@social.lol
@dangoodin
This makes me wonder how much of the M chip performance advantage is simply Apple doing speculative things that AMD + Intel have already disabled.
=> More informations about this toot | More toots from jlbec@mastodon.online
@dangoodin So it’s just from Chrome and Safari?
=> More informations about this toot | More toots from GNavsSunglasses@social.linux.pizza
@GNavsSunglasses @dangoodin ...same question.....those are the two entry points to mischief?
=> More informations about this toot | More toots from havvyhh2@mas.to
@havvyhh2 @GNavsSunglasses @dangoodin those are the two tested entry points. The researchers specifically say they don’t know about Firefox because they didn’t bother to attempt the exploit on it.
=> More informations about this toot | More toots from sfrazer434@mastodon.social
@dangoodin mentioned JavaScript, wondering how Lockdown Mode affects Safari attacks when LDM is left in place for the affected attack website, WebAssembly is disabled with LDM
=> More informations about this toot | More toots from yawnbox@disobey.net
@dangoodin “First time, huh?” — Intel, AMD.
=> More informations about this toot | More toots from Salty@mastodon.nz
@dangoodin Does it mean M1 machines are not affected? Or are they just not being tested?
=> More informations about this toot | More toots from yuliyan@nahe.social
@dangoodin Imagine T9 for CPUs leaking your information.
Jokes aside, in plain words, is the prediction of instructions really worth this kind of risk? Would anyone notice a performance dump if it was turned off?
[#]apple #FLOP #SLAP
=> More informations about this toot | More toots from yuliyan@nahe.social
@dangoodin ELI5, why can't speculative prediction be isolated on a separate enclave and loaded dynamically into memory at the point where there is no doubt that Josh is typing his credit card number? Why is the sensitive data available in-memory.
And yes, I have no idea how etched stone can write poems. Thus the #ELi5
=> More informations about this toot | More toots from yuliyan@nahe.social
@dangoodin there’s no mention of other browsers such as Firefox. Do you know if this is because it wasn’t tested or because it isn’t affected? I suppose it is beyond the scope of the article to suggest mitigations.
=> More informations about this toot | More toots from steve@feltmarker.uk This content has been proxied by September (3851b).Proxy Information
text/gemini