Researcher uses minor M1 vulnerability to poke fun at 'overhyped' flaws

Posted:
in macOS edited June 2
A minor security vulnerability "baked into" Apple Silicon is giving a security researcher an avenue to poke fun at overly dramatic reveals and poor coverage of chip errata.

Credit: Hector Martin
Credit: Hector Martin


The flaw, dubbed "M1RACLES," is a bug in the design of Apple's M1 chipset that could potentially allow any two applications running under an OS to covertly exchange data between them without normal operating system features. It can't be fixed without a silicon revision.

However, the person who discovered the flaw, reverse engineer and developer Hector Martin, said that Mac users shouldn't be concerned about the flaw because it can't really be used for anything nefarious. Martin even wrote a long FAQ section poking fun at "overhyped" vulnerability disclosures.

The vulnerability can't be used to take over a computer or steal private information, and it can't be exploited from Javascript on a website. Martin notes that it could be used to "rickroll" someone, but that there are plenty of other ways to do that.

If there's a real danger to the flaw, Martin writes "if you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way." However, it's likely that malware could communicate in "plenty of expected ways anyway."

"Really, nobody's going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system," wrote the author. "Covert channels can't leak data from uncooperative apps or systems. Actually, that one's worth repeating: Covert channels are completely useless unless your system is already compromised."

In other words, the worst-case scenario is that malware on a user's system could use the vulnerability to communicate with each other. By the time a Mac is that compromised, it's likely that an attacker doesn't need to use it anyway.

Despite not being a severe flaw, the bug is still a vulnerability because "it violates the OS security model."

The goal of the webpage, however, was mostly to poke fun at "how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn't mean you need to care." Also, Martin said he wanted to play the song "Bad Apple!!" over a vulnerability video.

As far as why the flaw exists, Martin says an Apple engineer made a mistake. More specifically, Apple "decided to break the ARM spec by removing a mandatory feature, because they figured they'd never need to use that feature for macOS." By removing that feature, Apple reportedly made it harder for existing operating systems to mitigate it.

The bug affects any operating system that can run on Apple Silicon, including iOS. It even has privacy implications on Apple's mobile platform. For example, a malicious keyboard app could use the flaw to connect to the internet when it otherwise wouldn't be able to. However, it would be trivial for the App Review process to catch the flaw.

Interestingly, the bug doesn't work in virtual machines because correctly implemented hypervisors disable guest access to the underlying register. If the bug could work in virtual machines, "the impact would have been more severe."

Martin said he discovered the bug while working on his primary project of porting Linux to the M1 CPU.

"I found something, and it turned out to be an Apple proprietary bug, instead of an Apple proprietary feature, that they themselves also weren't aware of," Martin wrote.

The vulnerability was reported to Apple's product security team, who assigned it CVE-2021-30747.

Follow all the details of WWDC 2021 with the comprehensive AppleInsider coverage of the whole week-long event from June 7 through June 11, including details of all the new launches and updates.

Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.

Comments

  • Reply 1 of 10
    lkrupplkrupp Posts: 9,457member
    The world runs on negativity and sensationalism. That’s the price of instant news. Whenever something like this is mentioned on Apple tech blogs the usual suspects go insane with hand wringing and fear. Then come the recriminations against Apple for its ‘lack’ of quality control. Why didn’t Apple pick this up during testing go the laments. 

    I think many of these types are the same ones who, during the lockdowns, thought if they opened their front door and peaked outside they would die instantly. I actually know a couple of those people.
    Beatsflyingdpwatto_cobra
  • Reply 2 of 10
    sflocalsflocal Posts: 5,730member
    While no CPU  is perfect, I'm glad that Apple's first-gen CPU is getting this kind of attention.  Unlike Intel which hasn't made necessary fixes to their CPU's for literally decades, I'm confident that Apple will get these resolved now that they own the entire package.  

    I wonder if their M1X/M2 will get these fixes?

    Beatswatto_cobra
  • Reply 3 of 10
    lkrupplkrupp Posts: 9,457member
    sflocal said:
    While no CPU  is perfect, I'm glad that Apple's first-gen CPU is getting this kind of attention.  Unlike Intel which hasn't made necessary fixes to their CPU's for literally decades, I'm confident that Apple will get these resolved now that they own the entire package.  

    I wonder if their M1X/M2 will get these fixes?

    And if Apple, like this security researcher, deems them a low priority with little to no risk? Then what?
    watto_cobra
  • Reply 4 of 10
    dysamoriadysamoria Posts: 3,429member
    Once again: PROOFREAD your headlines (and the whole article). If you can’t get the subject and the action to be in agreement, it makes me also wonder if there’re factual errors in the articles.
  • Reply 5 of 10
    sflocalsflocal Posts: 5,730member
    lkrupp said:
    sflocal said:
    While no CPU  is perfect, I'm glad that Apple's first-gen CPU is getting this kind of attention.  Unlike Intel which hasn't made necessary fixes to their CPU's for literally decades, I'm confident that Apple will get these resolved now that they own the entire package.  

    I wonder if their M1X/M2 will get these fixes?

    And if Apple, like this security researcher, deems them a low priority with little to no risk? Then what?

    Apple being a high-profile target for many, even the most smallest, quietest fart Apple makes will make the front page news of every click-bait media site.  So if Apple deems them a low priority, I'm sure enough news coverage about any CPU flaw will get resolved much faster compared to snail-pace Intel.  Spectre anyone?
    Beatswatto_cobra
  • Reply 6 of 10
    auxioauxio Posts: 2,331member
    lkrupp said:
    The world runs on negativity and sensationalism.
    No, the world runs on money.  If being negative and sensationalist earns people more money, then that's what they'll do.  Back when people earned degrees, and had careers in journalism, your reputation in the industry and the quality of your reporting was what earned you the most money.  Nowadays, its whoever can get the most eyeballs on their videos.  Why would you spend time doing research when simply being reactionary earns you more?

    muthuk_vanalingamlkruppFileMakerFellerflyingdpwatto_cobra
  • Reply 7 of 10
    BeatsBeats Posts: 2,527member
    Of course all Apple News is overhyped. I always feel ashamed for news sites when they target Apple when 99% of the industry has the same problem they’re criticizing Apple for but worse.

    I still believe M1 should be more secure no matter how small the flaw since it’s made by Apple and now Apple has more control. Apple needs to bring back the popular phrase “Macs don’t get viruses”. 
  • Reply 8 of 10
    XedXed Posts: 1,028member
    Appleinsider: "However, it would be trivial for the App Review process to catch the flaw."

    That used to be enough, but as we've seen time and time again Apple's review process could use a lot of work.
  • Reply 9 of 10
    cpsrocpsro Posts: 2,893member
    Without more information (and time I don't have to spend on this), I'm not convinced the flaw is so benign. Developers commonly use toolkits--publicly available toolkits. Two apps built independently by two different developers might unwittingly communicate via a shared, malicious toolkit and report information to the toolkit developer that each app isn't intended or allowed to access.
    FileMakerFeller
  • Reply 10 of 10
    netroxnetrox Posts: 1,050member
    We have microcode to fix any hardware bugs. No CPUs are without bugs. There are bugs in CPUs that can be fixed with microcode. 

    Remember the Intel division bug? Intel correctly downplayed the bug but the media hype forced Intel to pay for new chips replacing affected chips than to simply apply microcode which fixes the bug. 


Sign In or Register to comment.