Apple side channel exploit - Affects A and M series CPUs

OVERKILL ($100 Site Donor 2021; joined Apr 28, 2008; 58,094 messages; Ontario, Canada)
An interesting "proof of concept" exploit has been developed that leverages a lack of rigour in the speculative execution protection mechanism on Apple native silicon (A-series and M-series CPUs), allowing data leakage.

The demonstration used a website that spawns a pop-up that leaks data from the other tabs you have open, including autofill usernames and passwords. They were also able to capture e-mail contents from a Gmail window.

The exploit only works on Safari on macOS, but works on all browsers on iOS, since they all use Apple's WebKit.

More details on it here:
Hackers can force iOS and macOS browsers to divulge passwords and much more | Ars Technica
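As an added example (not code from the thread, the Ars Technica article, or the iLeakage authors): the attack outline above starts with an attacker-controlled page calling window.open() on the victim site and then reading from the resulting popup. On the web platform, the response header that decides whether a cross-origin opener keeps a handle to the page it opened is Cross-Origin-Opener-Policy (COOP), and together with Cross-Origin-Embedder-Policy (COEP) it decides whether the page is cross-origin isolated. The checker below classifies a response's header set and returns the hardened set a site serving authenticated pages would add; the header sets it runs on are constructed samples. Whether a particular WebKit build also uses COOP to place opener and popup in separate renderer processes, which is what would matter against a same-process side channel, is an assumption to verify against the browser, not something the thread or the article establishes.

```javascript
// Added example: COOP/COEP header checker. Not code from the thread or the
// iLeakage authors. The sample header sets below are constructed, not captured.

const COOP = 'cross-origin-opener-policy';
const COEP = 'cross-origin-embedder-policy';

// COOP values that put a cross-origin opener's popup into a new browsing
// context group, which nulls window.opener on the attacker's side.
const COOP_SEVERS_CROSS_ORIGIN_OPENER = new Set([
  'same-origin',
  'same-origin-allow-popups',
  'noopener-allow-popups', // newer value; confirm your target browsers support it
]);

// Lowercase header names and values; accepts a plain object of headers.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  return out;
}

// Take the policy token, dropping parameters such as report-to="endpoint".
function policyToken(value, fallback) {
  if (value === undefined || value === '') return fallback;
  return value.split(';')[0].trim();
}

// Classify a response header set. Returns the effective COOP/COEP values
// (the spec default is unsafe-none when a header is absent), whether a
// cross-origin window.open() caller is cut off from the page, whether the
// page is cross-origin isolated, and a list of human-readable findings.
function assessOpenerIsolation(rawHeaders) {
  const h = normaliseHeaders(rawHeaders);
  const coop = policyToken(h[COOP], 'unsafe-none');
  const coep = policyToken(h[COEP], 'unsafe-none');

  const openerSevered = COOP_SEVERS_CROSS_ORIGIN_OPENER.has(coop);
  const crossOriginIsolated =
    coop === 'same-origin' && (coep === 'require-corp' || coep === 'credentialless');

  const findings = [];
  if (!openerSevered) {
    findings.push(`COOP is "${coop}": a cross-origin page that window.open()s this document keeps a live window.opener reference to it`);
  }
  if (!crossOriginIsolated) {
    findings.push(`not cross-origin isolated (COOP "${coop}", COEP "${coep}"): the document does not opt into the isolated mode browsers require before exposing SharedArrayBuffer and unthrottled performance.now()`);
  }
  return { coop, coep, openerSevered, crossOriginIsolated, findings };
}

// The header pair a site serving authenticated pages would add. COEP
// require-corp also blocks cross-origin subresources that do not send
// Cross-Origin-Resource-Policy, so test it on a staging host first.
function hardenedHeaders() {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Embedder-Policy': 'require-corp',
  };
}

// Constructed sample header sets (not captured from any real site).
const WEAK_RESPONSE = { 'Content-Type': 'text/html; charset=utf-8' };
const HARDENED_RESPONSE = { ...WEAK_RESPONSE, ...hardenedHeaders() };

for (const [label, headers] of [['weak', WEAK_RESPONSE], ['hardened', HARDENED_RESPONSE]]) {
  const r = assessOpenerIsolation(headers);
  console.log(`${label}: openerSevered=${r.openerSevered} crossOriginIsolated=${r.crossOriginIsolated}`);
  for (const f of r.findings) console.log('  - ' + f);
}
```

The check treats a missing header as unsafe-none, which is the platform default, and ignores report-to parameters so a report-only deployment is still classified by its policy token. It only tells you what the page asked for; confirm the browser's process placement separately if that is the property you need.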
 
> An interesting "proof of concept" exploit has been developed that leverages a lack of rigour in the speculative execution protection mechanism on Apple native silicon (A-series and M-series CPUs), allowing data leakage.
>
> The demonstration used a website that spawns a pop-up that leaks data from the other tabs you have open, including autofill usernames and passwords. They were also able to capture e-mail contents from a Gmail window.
>
> The exploit only works on Safari on macOS, but works on all browsers on iOS, since they all use Apple's WebKit.
>
> More details on it here:
> Hackers can force iOS and macOS browsers to divulge passwords and much more | Ars Technica

And that's what I don't like about Apple... the fact that they force you to use their browser ends up being a flaw, not a benefit. I use Edge on my iPhone because I'm an all-Windows guy (well, excluding a couple of Linux servers) and it syncs my passwords and stuff nicely... but if it was "real" Edge in this case I wouldn't be vulnerable. Technically, yes, Edge is WebKit as well, but probably a different enough version not to have the same issue.

The only reason I have an iPhone is that the battery lasts all day. Except for a Galaxy S8 Active I had, which was a chunky phone with a HUGE battery, or a Sonim XP8 that was even chunkier with a HUGER battery, no "regular" Android has managed that for me. Yet with an iPhone I can use my phone all day without worrying about it.

I might be transitioning to WFH next year. If that's the case, if my iPhone 13 ever dies I'll probably go back to Android, as battery life will no longer matter.
 
WebKit has been garbage in every measurable way since... forever, and the fact that iOS requires WebKit as the engine on all browsers means you can scrap iPhones as an option if you care about security. And this is just ONE issue with iOS. The "lack of control" is an illusion of security consumers gobble up. The only real security is the one you can set up yourself (home servers, home-based VPNs, custom ROMs, Linux), which extends to everything in your life, from software, to cars, to guns, etc.

They can advertise security all they want, but it's about as secure as an unlocked door. Sure, it will stop my cat or dog because they can't reach the knob.

My Nexus and Pixel devices have always been completely rooted and secured manually using things like GrapheneOS.

Shocked that tech-savvy people use things like Chrome (or Chromium in general) when more capable browsers, security-wise, exist, like Firefox.
 
> WebKit has been garbage in every measurable way since... forever, and the fact that iOS requires WebKit as the engine on all browsers means you can scrap iPhones as an option if you care about security. And this is just ONE issue with iOS.
>
> They can advertise security all they want, but it's about as secure as an unlocked door. Sure, it will stop my cat or dog because they can't reach the knob.
>
> My Nexus and Pixel devices have always been completely rooted and secured manually using things like GrapheneOS.
>
> Shocked that tech-savvy people use things like Chrome (or Chromium in general) when more capable browsers, security-wise, exist, like Firefox.

Firefox was not competitive for years, from 2011 when 4.0 came out till about two years ago when they got their stuff under control. Now it's a great browser again and I use its Developer Edition as a secondary browser. But Edge is pretty great TBH, and Microsoft's sync works very smoothly across all my PCs and my iPhone.

If Firefox hadn't had those dark days/years it would not have given up as much market share to Chrome as it did. I used to be a big fan, I even have an old Firefox t-shirt somewhere, but 4.0 and its follow-ups were BAD.
 
> Firefox was not competitive for years, from 2011 when 4.0 came out till about two years ago when they got their stuff under control. Now it's a great browser again and I use its Developer Edition as a secondary browser. But Edge is pretty great TBH, and Microsoft's sync works very smoothly across all my PCs and my iPhone.
>
> If Firefox hadn't had those dark days/years it would not have given up as much market share to Chrome as it did. I used to be a big fan, I even have an old Firefox t-shirt somewhere, but 4.0 and its follow-ups were BAD.

The browser itself may not have been, but the underlying bones have always been there. Simply having a monopoly like Google on browsers and pretty much indirectly forcing the industry to shift to Chromium is what caused Firefox to fall behind, because most websites started optimizing for Chromium, which has nothing to do with Firefox. Trying to write a translation layer for a browser seemed excessive at the time too, especially with the hardware we had at the time. Edge is just reskinned Chrome, just like most browsers today. They are still Chrome; their "features" are just gimmicks that don't have, never had, and will never have the robustness of Firefox's underlying engine. Most of the time, trying to use something more robust also means less convenience. So those "dark days" you talk about went unnoticed by most of us power users.

But that was then. Looking at it today, Firefox is also more feature-rich and less restrictive to users, as well as having an infinitely better security system than Chrome.
 
The "lack of control" is an illusion of security consumers gobble up. The only real security is the one you can set up yourself (home servers, home based VPN's, custom ROM's, Linux,) which extends to everything in your life, from software, to cars, to guns, etc.

The only real security is teaching end users to not click on random stuff. Restricting unneeded access, especially any sort of administrative access, is a close second. Expecting home servers/VPNs/Linux to act as "real security" is as much as a gimmick, anybody who has the ability to bypass those systems aren't going for home users. Most home users aren't going to run Linux or some other sort of enterprise-class firewall to open/close ports and spend dozens of hours setting of rules and logs.
 
> The browser itself may not have been, but the underlying bones have always been there. Simply having a monopoly like Google on browsers and pretty much indirectly forcing the industry to shift to Chromium is what caused Firefox to fall behind, because most websites started optimizing for Chromium, which has nothing to do with Firefox. Trying to write a translation layer for a browser seemed excessive at the time too, especially with the hardware we had at the time. Edge is just reskinned Chrome, just like most browsers today. They are still Chrome; their "features" are just gimmicks that don't have, never had, and will never have the robustness of Firefox's underlying engine. Most of the time, trying to use something more robust also means less convenience. So those "dark days" you talk about went unnoticed by most of us power users.
Edge isn't re-skinned Chrome, it's based on Chromium, which is an open source project, which, yes, Google funds (just like they do with Android), but just provides the underlying framework. If you've ever used Chromium itself as a browser, it's quite limited without all the extra "fluff" added by the developers that use it as the foundation for their own products.

Saying it's Chrome is akin to me saying that GrapheneOS is just Google's Android because it's Android-based.
 
> WebKit has been garbage in every measurable way since... forever, and the fact that iOS requires WebKit as the engine on all browsers means you can scrap iPhones as an option if you care about security. And this is just ONE issue with iOS. The "lack of control" is an illusion of security consumers gobble up. The only real security is the one you can set up yourself (home servers, home-based VPNs, custom ROMs, Linux), which extends to everything in your life, from software, to cars, to guns, etc.
>
> They can advertise security all they want, but it's about as secure as an unlocked door. Sure, it will stop my cat or dog because they can't reach the knob.
>
> My Nexus and Pixel devices have always been completely rooted and secured manually using things like GrapheneOS.
>
> Shocked that tech-savvy people use things like Chrome (or Chromium in general) when more capable browsers, security-wise, exist, like Firefox.
This goes beyond WebKit though. As the article notes, this has been going on for years (Spectre and Meltdown were both provided as examples) with exploits targeting speculative execution to leak data and CPU and software manufacturers trying to prevent it. WebKit may have been the route taken for this specific demonstration, but the failure of the hardware protection schemes, which were specifically implemented to prevent these sorts of exploits from being possible, is the real news.

My question is whether this vulnerability extends beyond Apple's spin on ARM or not, as that's not clear in the article. If it does, then it's quite conceivable that something similar could be crafted to exploit an SDK on Android in a similar manner.
 
> And that's what I don't like about Apple... the fact that they force you to use their browser ends up being a flaw, not a benefit. I use Edge on my iPhone because I'm an all-Windows guy (well, excluding a couple of Linux servers) and it syncs my passwords and stuff nicely... but if it was "real" Edge in this case I wouldn't be vulnerable. Technically, yes, Edge is WebKit as well, but probably a different enough version not to have the same issue.
>
> The only reason I have an iPhone is that the battery lasts all day. Except for a Galaxy S8 Active I had, which was a chunky phone with a HUGE battery, or a Sonim XP8 that was even chunkier with a HUGER battery, no "regular" Android has managed that for me. Yet with an iPhone I can use my phone all day without worrying about it.
>
> I might be transitioning to WFH next year. If that's the case, if my iPhone 13 ever dies I'll probably go back to Android, as battery life will no longer matter.
It's what I like about Apple and why I use all their devices instead of a collection of systems and software of dubious security.
Best of all this stuff gets fixed when it's discovered.
 
> ...
>
> The exploit only works on Safari on macOS, but works on all browsers on iOS, since they all use Apple's WebKit.
>
> More details on it here:
> Hackers can force iOS and macOS browsers to divulge passwords and much more | Ars Technica
This threw me off at first ...

"While iLeakage works against Macs only when running Safari, iPhones and iPads can be attacked when running any browser because they’re all based on Apple’s WebKit browser engine. An Apple representative said iLeakage advances the company’s understanding and that the company is aware of the vulnerability and plans to address it in an upcoming software release. There is no CVE designation to track the vulnerability."

So I think you mistyped and left out the word "not":
The exploit "not" only works on Safari on macOS, but works on all browsers on iOS, since they all use Apple's WebKit.

Or it could be I am missing something, which wouldn't be unusual *LOL*
 
> This goes beyond WebKit though. As the article notes, this has been going on for years (Spectre and Meltdown were both provided as examples) with exploits targeting speculative execution to leak data and CPU and software manufacturers trying to prevent it. WebKit may have been the route taken for this specific demonstration, but the failure of the hardware protection schemes, which were specifically implemented to prevent these sorts of exploits from being possible, is the real news.
>
> My question is whether this vulnerability extends beyond Apple's spin on ARM or not, as that's not clear in the article. If it does, then it's quite conceivable that something similar could be crafted to exploit an SDK on Android in a similar manner.

Hope it doesn't affect ARM-based servers... as those have become more common.
 
> Firefox was not competitive for years, from 2011 when 4.0 came out till about two years ago when they got their stuff under control. Now it's a great browser again and I use its Developer Edition as a secondary browser. But Edge is pretty great TBH, and Microsoft's sync works very smoothly across all my PCs and my iPhone.
>
> If Firefox hadn't had those dark days/years it would not have given up as much market share to Chrome as it did. I used to be a big fan, I even have an old Firefox t-shirt somewhere, but 4.0 and its follow-ups were BAD.

Yes, the evolution of the browser landscape has been an interesting one. I remember using gopher, hahahah.

Briefly dominated by Mosaic, we saw the emergence of AOL, Internet Explorer and Netscape.

Netscape turned into Firefox, AOL went the same way as ICQ, Internet Exploder somehow managed to hang on, becoming a massive security liability, and Chrome of course emerged from the ether, rapidly taking market share while Firefox was a leaky, resource-hungry mess.

There's a really neat GIF of browser market share over time, I'll have to try and find it.

Edit, found a video:
 
> This threw me off at first ...
>
> "While iLeakage works against Macs only when running Safari, iPhones and iPads can be attacked when running any browser because they’re all based on Apple’s WebKit browser engine. An Apple representative said iLeakage advances the company’s understanding and that the company is aware of the vulnerability and plans to address it in an upcoming software release. There is no CVE designation to track the vulnerability."
>
> So I think you mistyped and left out the word "not":
> The exploit "not" only works on Safari on macOS, but works on all browsers on iOS, since they all use Apple's WebKit.
>
> Or it could be I am missing something, which wouldn't be unusual *LOL*

Re-read what I wrote.

On macOS, only Safari is affected, because it's the only browser that uses WebKit. On mobile (A-series CPUs, iOS), since all browsers use WebKit, they are all affected.
 
> Hope it doesn't affect ARM-based servers... as those have become more common.

Yes, that's my concern as well (and of course it extending to Android devices). Some of the vulnerabilities found in x86 (x86-64) affected both AMD and Intel equally, while others only impacted Intel. So, the same could be the case for ARM here, depending on whether these protections are inherent to the architecture, or whether they were specifically added by Apple for their own silicon, which then begs the question what is in place on other ARM CPUs instead.
 
> Edge isn't re-skinned Chrome, it's based on Chromium, which is an open source project, which, yes, Google funds (just like they do with Android), but just provides the underlying framework. If you've ever used Chromium itself as a browser, it's quite limited without all the extra "fluff" added by the developers that use it as the foundation for their own products.
>
> Saying it's Chrome is akin to me saying that GrapheneOS is just Google's Android because it's Android-based.

The problem is, yes, I have used Chromium and it's literally Chrome without the Google sync support built in.
So yes, it's just Chrome. I am not arguing, I am stating reality this time.
With basic plug-ins you can bring it back to being "Google" Chrome with a few clicks.
 
> The problem is, yes, I have used Chromium and it's literally Chrome without the Google sync support built in.
> So yes, it's just Chrome. I am not arguing, I am stating reality this time.
> With basic plug-ins you can bring it back to being "Google" Chrome with a few clicks.
So RHEL and Ubuntu are both just *insert name of distro you don't like* because they all use the same kernel? I mean, I can put together an LFS install and make it look and feel like *distro you don't like* if that's the metric we are using here ;)

As I said, Chromium is an open source project. It's a functional, but bare bones browser designed to be a "skeleton" that other projects can be built on, and of course many do just that, such as Chrome, Brave, Opera and of course now Edge.

Your argument is similar to "every gun that uses the 700 action is a Remington 700" or that every 1894 is a Winchester 1894, regardless of whose name is on the barrel.

I'm not looking to change your position, I'm not that foolish or naive, just explaining the other side.
 
Hopefully Apple has a fix in the works for this.

It doesn't affect me on my Macs since I rarely use Safari. I've been a Firefox user for probably close to 20 years now (going back to when I was in high school), so I'm unlikely to run into an issue. I'm sure Apple will have a fix in the works, and of course iOS is a big deal since, as stated, WebKit is the only option.

As a side note, I don't install Chrome on my Macs. My laptop (M1) has Vivaldi for the few occasions where I might need a Chromium browser, but that's become less and less common and Firefox seems to increasingly work for everything.
 
> So RHEL and Ubuntu are both just *insert name of distro you don't like* because they all use the same kernel? I mean, I can put together an LFS install and make it look and feel like *distro you don't like* if that's the metric we are using here ;)
>
> As I said, Chromium is an open source project. It's a functional, but bare bones browser designed to be a "skeleton" that other projects can be built on, and of course many do just that, such as Chrome, Brave, Opera and of course now Edge.
>
> Your argument is similar to "every gun that uses the 700 action is a Remington 700" or that every 1894 is a Winchester 1894, regardless of whose name is on the barrel.
>
> I'm not looking to change your position, I'm not that foolish or naive, just explaining the other side.

I mean... that is the metric... You are spot on lol.
Is Opera the same as Chrome? No. But underneath it renders every webpage identically to Chrome, because the underlying engine is the same.
Just how every single game made on Unreal Engine 5 has very similar quirks and tendencies, no matter how deeply the developer customizes the engine to their liking through configs and parameters.
Every single Linux distro is extremely, extremely similar underneath it all. The only really big differences are choice of package manager, package installer, and sometimes... seriously deep proprietary kernel changes (such as Red Hat). In the end, just like you said, I can make Mint look like Ubuntu, and make Debian as unstable as some beta build of siduction.

So for Firefox, it's a completely different method for rendering web pages, which I have found to be more robust (yet, due to such a small market, isn't built for).

This is more a change of preference than underlying fundamentals, just how you can slap the same Toyota engine into 20 different cars; in the end, you are choosing the shape of the car (CUV, SUV, sedan, etc.) and not the underlying bones (TNGA-K with a 2.5L NA motor).

As open source as Chromium is, 90% of the contribution has been done by Google. (Also, Brave is garbage; how can anyone use something that bloated and yet claim it's not?)

The gun argument isn't relevant.
 
> I mean... that is the metric... You are spot on lol.
> Is Opera the same as Chrome? No. But underneath it renders every webpage identically to Chrome, because the underlying engine is the same.
OK, there we go, we are on the same page. You said originally that Edge is Chrome. Now you are agreeing that Opera is not the same as Chrome, so neither is Edge. Yes, they are both built on Chromium, so they use the same rendering engine, but it doesn't make either of them Chrome, which is another product that uses the same engine.
> As open source as Chromium is, 90% of the contribution has been done by Google. (Also, Brave is garbage; how can anyone use something that bloated and yet claim it's not?)

Yes, Google is a huge contributor to the project, because it's used as the basis for Chrome, just like Google is a massive contributor to Android and Linux in general. Apple was/is a big contributor to BSD, because it used many FreeBSD-derived components as the foundation for Darwin. However, Apple has been less "open" with many aspects of their development, keeping many parts of macOS and iOS closed-source still.
> The gun argument isn't relevant.

The 1894 is a gun design that originates from Winchester. However, other companies also produce 1894 rifles based on the same core design. The Remington 700 action is probably the better example, because that action is ubiquitous, being the core design component of many wildly different looking rifles including Remington's 700 series, but ultimately, they all work the same because they use the same action. I own two 700-based rifles, and they look nothing alike, but they both benefit from using the same strong and reliable action.

I've never argued that Firefox isn't a totally different code base and uses totally different rendering; we are in agreement on that point. Its lineage back through Netscape long predates Chromium and that family.
 