Fresh on the heels of a fix for a zero-day vulnerability in iPhones, iPads, Macs and other devices, security researchers at the Georgia Institute of Technology have revealed a few vulnerabilities affecting all of Apple’s modern devices.
First reported by Bleeping Computer, these are side-channel attacks in which special code on a malicious site steals data from other web sessions. For example, a malicious site could view your location data from a Google Maps tab or unencrypted email from an open browser tab that is logged in to your secure email account. Bank info, login info, purchase history – there are plenty of potential targets.
Most modern browsers “sandbox” web sessions so that a browser tab or window cannot access the data from other tabs or windows. The SLAP and FLOP vulnerabilities exploit features of the latest Apple processors to get around this sandbox.
What is SLAP?
The M2 and A15 generation of processors (and later) has a feature called Load Address Prediction (LAP), which tries to predict the memory address of the next memory request in order to speed things up. SLAP (Speculation Attacks via Load Address Prediction) first “mistrains” the prediction algorithm and then uses that to pull targeted data from other browser processes.
SLAP appears to work only in Safari.
What is FLOP?
Starting with the M3/A17 generation of processors, Apple goes one step further than loading data from predicted memory addresses. These chips have a feature called Load Value Predictor (LVP) that guesses what value a memory request will return. The whole point is to help the processor run faster by not having to wait for data to come from memory.
FLOP (False Load Output Predictions) issues instructions that return the same values all the time to “fool” the predictor into expecting a certain value even when the data has changed, which lets the attacker execute code on “wrong” data values.
FLOP works in Safari and Chrome.
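A toy software model of the load value prediction described above, as an added example that is not from the researchers or Apple. The confidence threshold, the table layout and every name in it are assumptions for illustration; it shows how a load that keeps returning the same value trains the predictor, so that dependent work briefly runs on a stale value once memory changes.

```python
# Toy model of a load value predictor (LVP). Illustrative only: the threshold
# and table layout are assumptions, not Apple's actual hardware design.
from dataclasses import dataclass

CONFIDENCE_THRESHOLD = 4  # assumed: repeat observations needed before predicting


@dataclass
class Entry:
    last_value: int
    confidence: int = 0


class LoadValuePredictor:
    def __init__(self):
        self.table = {}  # keyed by the address (pc) of the load instruction

    def load(self, pc, memory, addr):
        """Return (speculative_value, architectural_value, squashed)."""
        actual = memory[addr]
        entry = self.table.get(pc)
        predicted = None
        if entry and entry.confidence >= CONFIDENCE_THRESHOLD:
            predicted = entry.last_value  # dependent work starts on this guess
        # Train on the real value once it arrives from memory.
        if entry and entry.last_value == actual:
            entry.confidence += 1
        else:
            self.table[pc] = Entry(actual)  # new or changed value: start over
        speculative = actual if predicted is None else predicted
        # A wrong guess is rolled back, but only after the speculative window.
        squashed = predicted is not None and predicted != actual
        return speculative, actual, squashed


def demo(training_loads=CONFIDENCE_THRESHOLD + 1):
    memory = {0x1000: 7}   # constructed sample memory
    lvp, pc = LoadValuePredictor(), 0x400
    for _ in range(training_loads):
        lvp.load(pc, memory, 0x1000)     # same value every time: trains the LVP
    memory[0x1000] = 99                  # the data changes
    first = lvp.load(pc, memory, 0x1000)   # predictor still supplies the old 7
    second = lvp.load(pc, memory, 0x1000)  # confidence was reset, no guess
    return first, second


if __name__ == "__main__":
    print(demo())
```

The rollback restores the correct architectural value, which is why the researchers measure the effect through a side channel rather than reading the wrong value directly.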
Which Apple devices are affected?
The researchers say the following Apple devices have the hardware needed for these exploits to work.
- All Mac laptops from 2022-present (MacBook Air, MacBook Pro)
- All Mac desktops from 2023-present (Mac mini, iMac, Mac Studio, Mac Pro)
- All iPad Pro, Air and Mini models from September 2021-present (6th and 7th-gen iPad Pro, 6th-gen iPad Air, 6th-gen iPad Mini)
- All iPhones from September 2021-present (iPhone 13, 14, 15 and 16 models, 3rd-gen iPhone SE)
Should I be worried?
The Georgia Institute of Technology researchers say there is no evidence that either SLAP or FLOP has been used in the wild. Similarly, Apple told Bleeping Computer, “Based on our analysis, we don’t think this problem poses an immediate risk to our users.”
Is Apple fixing these flaws?
Yes, but it seems to be taking some time. The researchers disclosed SLAP to Apple on May 24, 2024 and FLOP on September 3, 2024. Apple has released several updates since then without fixing the problem.
You can read more about these exploits and see test demonstrations of them in action at the SLAP and FLOP site created by the Georgia Institute of Technology researchers.