Researcher uses minor M1 vulnerability to poke fun at 'overhyped' flaws

Posted in macOS, edited June 2021
A minor security vulnerability "baked into" Apple Silicon is giving a security researcher an avenue to poke fun at overly dramatic reveals and poor coverage of chip errata.

Credit: Hector Martin

The flaw, dubbed "M1RACLES," is a bug in the design of Apple's M1 chipset that could potentially allow any two applications running under an OS to covertly exchange data with each other without going through any normal operating system communication mechanism. It can't be fixed without a silicon revision.

However, the person who discovered the flaw, reverse engineer and developer Hector Martin, said that Mac users shouldn't be concerned about the flaw because it can't really be used for anything nefarious. Martin even wrote a long FAQ section poking fun at "overhyped" vulnerability disclosures.

The vulnerability can't be used to take over a computer or steal private information, and it can't be exploited from JavaScript on a website. Martin notes that it could be used to "rickroll" someone, but that there are plenty of other ways to do that.

The only real danger of the flaw, Martin writes, is that "if you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way." However, such malware could likely communicate in "plenty of expected ways anyway."

"Really, nobody's going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system," wrote the author. "Covert channels can't leak data from uncooperative apps or systems. Actually, that one's worth repeating: Covert channels are completely useless unless your system is already compromised."

In other words, the worst-case scenario is that two pieces of malware already on a user's system could use the vulnerability to communicate with each other. By the time a Mac is that compromised, it's likely that an attacker doesn't need the flaw anyway.

Despite not being a severe flaw, the bug is still a vulnerability because "it violates the OS security model."

The goal of the webpage, however, was mostly to poke fun at "how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn't mean you need to care." Also, Martin said he wanted to play the song "Bad Apple!!" over a vulnerability video.

As for why the flaw exists, Martin says an Apple engineer made a mistake. More specifically, Apple "decided to break the ARM spec by removing a mandatory feature, because they figured they'd never need to use that feature for macOS." By removing that feature, Apple reportedly made it harder for existing operating systems to mitigate the flaw.

The bug affects any operating system that can run on Apple Silicon, including iOS. It even has privacy implications on Apple's mobile platform. For example, a malicious keyboard app could use the flaw to connect to the internet when it otherwise wouldn't be able to. However, it would be trivial for the App Review process to catch the flaw.

Interestingly, the bug doesn't work in virtual machines because correctly implemented hypervisors disable guest access to the underlying register. If the bug could work in virtual machines, "the impact would have been more severe."

Martin said he discovered the bug while working on his primary project of porting Linux to the M1 CPU.

"I found something, and it turned out to be an Apple proprietary bug, instead of an Apple proprietary feature, that they themselves also weren't aware of," Martin wrote.

The vulnerability was reported to Apple's product security team, who assigned it CVE-2021-30747.


Comments

  • Reply 1 of 10
    lkrupp Posts: 10,557, member
    The world runs on negativity and sensationalism. That’s the price of instant news. Whenever something like this is mentioned on Apple tech blogs the usual suspects go insane with hand wringing and fear. Then come the recriminations against Apple for its ‘lack’ of quality control. Why didn’t Apple pick this up during testing go the laments. 

    I think many of these types are the same ones who, during the lockdowns, thought if they opened their front door and peeked outside they would die instantly. I actually know a couple of those people.
  • Reply 2 of 10
    sflocal Posts: 6,093, member
    While no CPU is perfect, I'm glad that Apple's first-gen CPU is getting this kind of attention. Unlike Intel, which hasn't made necessary fixes to their CPUs for literally decades, I'm confident that Apple will get these resolved now that they own the entire package.

    I wonder if their M1X/M2 will get these fixes?

  • Reply 3 of 10
    lkrupp Posts: 10,557, member
    sflocal said:
    While no CPU is perfect, I'm glad that Apple's first-gen CPU is getting this kind of attention. Unlike Intel, which hasn't made necessary fixes to their CPUs for literally decades, I'm confident that Apple will get these resolved now that they own the entire package.

    I wonder if their M1X/M2 will get these fixes?

    And if Apple, like this security researcher, deems them a low priority with little to no risk? Then what?
  • Reply 4 of 10
    dysamoria Posts: 3,430, member
    Once again: PROOFREAD your headlines (and the whole article). If you can’t get the subject and the action to be in agreement, it makes me also wonder if there’re factual errors in the articles.
  • Reply 5 of 10
    sflocal Posts: 6,093, member
    lkrupp said:
    sflocal said:
    While no CPU is perfect, I'm glad that Apple's first-gen CPU is getting this kind of attention. Unlike Intel, which hasn't made necessary fixes to their CPUs for literally decades, I'm confident that Apple will get these resolved now that they own the entire package.

    I wonder if their M1X/M2 will get these fixes?

    And if Apple, like this security researcher, deems them a low priority with little to no risk? Then what?

    Apple being a high-profile target for many, even the smallest, quietest fart Apple makes will make the front-page news of every click-bait media site. So if Apple deems them a low priority, I'm sure enough news coverage will get any CPU flaw resolved much faster compared to snail-pace Intel. Spectre, anyone?
  • Reply 6 of 10
    auxio Posts: 2,727, member
    lkrupp said:
    The world runs on negativity and sensationalism.
    No, the world runs on money. If being negative and sensationalist earns people more money, then that's what they'll do. Back when people earned degrees, and had careers in journalism, your reputation in the industry and the quality of your reporting was what earned you the most money. Nowadays, it's whoever can get the most eyeballs on their videos. Why would you spend time doing research when simply being reactionary earns you more?

  • Reply 7 of 10
    Beats Posts: 3,073, member
    Of course all Apple News is overhyped. I always feel ashamed for news sites when they target Apple when 99% of the industry has the same problem they’re criticizing Apple for but worse.

    I still believe M1 should be more secure no matter how small the flaw since it’s made by Apple and now Apple has more control. Apple needs to bring back the popular phrase “Macs don’t get viruses”. 
  • Reply 8 of 10
    Xed Posts: 2,546, member
    Appleinsider: "However, it would be trivial for the App Review process to catch the flaw."

    That used to be enough, but as we've seen time and time again Apple's review process could use a lot of work.
  • Reply 9 of 10
    cpsro Posts: 3,198, member
    Without more information (and time I don't have to spend on this), I'm not convinced the flaw is so benign. Developers commonly use toolkits--publicly available toolkits. Two apps built independently by two different developers might unwittingly communicate via a shared, malicious toolkit and report information to the toolkit developer that each app isn't intended or allowed to access.
  • Reply 10 of 10
    netrox Posts: 1,421, member
    We have microcode to fix any hardware bugs. No CPUs are without bugs. There are bugs in CPUs that can be fixed with microcode. 

    Remember the Intel division bug? Intel correctly downplayed the bug, but the media hype forced Intel to pay for new chips replacing affected chips rather than simply apply microcode which fixes the bug.
