1. Forum
  2. Usenet
  3. COMP.SYS.MAC.SYSTEM

  • Re: Newly Discovered Apple M1 Security Flaw is Unpatchable

    From Alan Browne@21:1/5 to NewsKrawler on Fri Jun 10 18:02:40 2022
    On 2022-06-10 17:58, NewsKrawler wrote:
    https://gizmodo.com/apple-m1-chip-security-vulnerability-pacman-unpatchable-1849046101
    Newly Discovered Apple M1 Security Flaw is Unpatchable

    MIT Computer Science & Artificial Intelligence Laboratory (CSAIL)
    scientists revealed in a recent paper a vulnerability in what they call the "last line of security" for the M1 chip.

    Same article: QUOTE
    M1 Mac owners don’t need to worry about having their sensitive data
    stolen. While this is a severe vulnerability that will need to be
    addressed, certain unlikely conditions need to be in place for it to
    work. Foremost, the system under attack needs to have an existing memory corruption bug. As such, the scientists say there is “no cause for
    immediate alarm.”

    For its part, Apple thanked the researchers in a statement to TechCrunch
    but emphasized that the “issue” doesn’t pose an immediate risk to
    MacBook owners.

    “We want to thank the researchers for their collaboration as this proof
    of concept advances our understanding of these techniques,” Apple said. “Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate
    risk to our users and is insufficient to bypass operating system
    security protections on its own.”

    /QUOTE

    ... and much more ... it's a last line after many other lines have been breached ...

    IOW not much ado ...


    --
    "Mr Speaker, I withdraw my statement that half the cabinet are asses -
    half the cabinet are not asses."
    -Benjamin Disraeli

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From NewsKrawler@21:1/5 to All on Fri Jun 10 21:58:29 2022
    https://gizmodo.com/apple-m1-chip-security-vulnerability-pacman-unpatchable-1849046101
    Newly Discovered Apple M1 Security Flaw is Unpatchable

    MIT Computer Science & Artificial Intelligence Laboratory (CSAIL)
    scientists revealed in a recent paper a vulnerability in what they call the "last line of security" for the M1 chip.

    Apple thanked the researchers in a statement to TechCrunch but emphasized
    that the "issue" doesn't pose an immediate risk to MacBook owners.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From NewsKrawler@21:1/5 to Alan Browne on Fri Jun 10 22:16:12 2022
    On 2022-06-10, Alan Browne <[email protected]> wrote:

    it's a last line after many other lines have been breached ...

    It's a lifetime hardware design flaw.

    The key concern is that it's unpatchable which makes it likely malware
    actors will find it profitable to spend resources to closely focus on exploiting any current or inevitable future zero-day cracks in the armor
    that accidentally arise during the expected lifetime of the M1 hardware.

    https://www.techradar.com/news/apple-m1-chip-has-an-unpatchable-security-flaw-but-dont-panic-just-yet
    Apple M1 chip has an 'unpatchable' security flaw, but don't panic just yet

    PACMAN, the exploit that the MIT researchers designed, relies on a
    combination of software and hardware exploits that test whether a signature
    is accepted, and since there are only a finite number of possible
    signatures, it is possible for PACMAN to try them all, find out which one
    is valid, and then have a separate software exploit use that signature to bypass this final defense mechanism in the M1 chip.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Alan Browne@21:1/5 to NewsKrawler on Fri Jun 10 20:02:45 2022
    On 2022-06-10 18:16, NewsKrawler wrote:
    On 2022-06-10, Alan Browne <[email protected]> wrote:

    it's a last line after many other lines have been breached ...

    It's a lifetime hardware design flaw.

    The key concern is that it's unpatchable which makes it likely malware
    actors will find it profitable to spend resources to closely focus on exploiting any current or inevitable future zero-day cracks in the armor
    that accidentally arise during the expected lifetime of the M1 hardware.

    Reality: more likely they'll look at the obstacles to even getting
    within sight of the flaw and go looking for more likely to succeed attacks.

    --
    "Mr Speaker, I withdraw my statement that half the cabinet are asses -
    half the cabinet are not asses."
    -Benjamin Disraeli

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From NewsKrawler@21:1/5 to Alan Browne on Sat Jun 11 14:56:44 2022
    On 2022-06-10, Alan Browne <[email protected]> wrote:

    Reality: more likely they'll look at the obstacles to even getting
    within sight of the flaw and go looking for more likely to succeed attacks.

    Your view of reality works only as long as there are no software flaws
    during the life of the M1 hardware which bad actors can then use to take advantage of this permanent and now well known unpatchable hardware flaw.

    However if related software flaws do exist during the lifetime of the M1,
    and if actors care to exploit them, then they gain absolute full control.

    My view of reality is actors certainly will try but your version of reality that bad actors won't care to look to gain this full control is as valid.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Alan Browne@21:1/5 to NewsKrawler on Sat Jun 11 11:23:25 2022
    On 2022-06-11 10:56, NewsKrawler wrote:
    On 2022-06-10, Alan Browne <[email protected]> wrote:

    Reality: more likely they'll look at the obstacles to even getting
    within sight of the flaw and go looking for more likely to succeed attacks.

    Your view

    My view is based on the reality of the situation, not a sieve of wonderment.

    You have a talent for posting clicky titles, but little for
    understanding what lies beneath the surface.


    --
    "Mr Speaker, I withdraw my statement that half the cabinet are asses -
    half the cabinet are not asses."
    -Benjamin Disraeli

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From NewsKrawler@21:1/5 to Alan Browne on Sat Jun 11 17:40:33 2022
    On 2022-06-11, Alan Browne <[email protected]> wrote:

    My view is based on the reality of the situation, not a sieve of wonderment.

    I'm not prepared to agree with you as glibly as you make that claim.

    Your view depends on actors not caring to attempt to exploit this permanent design flaw in the M1 hardware that is now widely known around the world.

    My view depends on actors caring to try in software to exploit this
    permanent unpatchable M1 hardware flaw during the life of the M1 hardware.

    Your view is as valid as is mine at this stage of the situation.

    You have a talent for posting clicky titles

    I reported the title exactly as it was reported in that news report.
    I then provided two sentences from the article which were also exact.

    The first quote reported the flaw exactly as it was stated.
    The second quote reported Apple's exact response to the flaw.

    From the two quoted sentences you glibly assumed I don't understand?
    I could argue you don't have enough data to make that glib assumption.

    but little for understanding what lies beneath the surface.

    Your view is as valid as is mine as this is a newly published M1 flaw.

    I could argue your position relies on zero actors wanting to exploit the
    flaw while my position relies on one or more actors wanting to exploit it.

    Over the life of the M1 hardware.

    My position realistically relies on a statistical probability greater than zero. Your position glibly requires a statistical probability of zero.

    Over the life of the M1 hardware.

    I argue you & I don't have enough data to resolve that statistical discord. Over time we will be able to resolve the statistical discord with new data.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bob Campbell@21:1/5 to NewsKrawler on Sun Jun 12 16:17:39 2022
    NewsKrawler <[email protected]> wrote:
    Your view of reality works only as long as there are no software flaws
    during the life of the M1 hardware which bad actors can then use….

    Bad actors? You mean like Keanu Reeves?

    Of you do actually mean CRIMINALS?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Alan Browne@21:1/5 to Bob Campbell on Sun Jun 12 19:01:47 2022
    On 2022-06-12 17:17, Bob Campbell wrote:
    NewsKrawler <[email protected]> wrote:
    Your view of reality works only as long as there are no software flaws
    during the life of the M1 hardware which bad actors can then use….

    Bad actors? You mean like Keanu Reeves?

    Of you do actually mean CRIMINALS?

    Does the term "criminal act" ring a bell with you?

    --
    "Mr Speaker, I withdraw my statement that half the cabinet are asses -
    half the cabinet are not asses."
    -Benjamin Disraeli

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bob Campbell@21:1/5 to Alan Browne on Sun Jun 12 19:15:10 2022
    Alan Browne <[email protected]> wrote:
    On 2022-06-12 17:17, Bob Campbell wrote:
    NewsKrawler <[email protected]> wrote:
    Your view of reality works only as long as there are no software flaws
    during the life of the M1 hardware which bad actors can then use….

    Bad actors? You mean like Keanu Reeves?

    Of you do actually mean CRIMINALS?

    Does the term "criminal act" ring a bell with you?

    Yes, of course. That’s why they are called CRIMINALS. Not “bad actors”. 🙄

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Alan Browne@21:1/5 to Bob Campbell on Mon Jun 13 13:10:58 2022
    On 2022-06-12 20:15, Bob Campbell wrote:
    Alan Browne <[email protected]> wrote:
    On 2022-06-12 17:17, Bob Campbell wrote:
    NewsKrawler <[email protected]> wrote:
    Your view of reality works only as long as there are no software flaws >>>> during the life of the M1 hardware which bad actors can then use….

    Bad actors? You mean like Keanu Reeves?

    Of you do actually mean CRIMINALS?

    Does the term "criminal act" ring a bell with you?

    Yes, of course. That’s why they are called CRIMINALS. Not “bad actors”.
    🙄

    Given your pedantic first shot I'm not surprised you're trying "squirm
    out of it" mode.


    --
    "Mr Speaker, I withdraw my statement that half the cabinet are asses -
    half the cabinet are not asses."
    -Benjamin Disraeli

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)