Apple to Patch Web Browser Vulnerabilities Affecting Recent Macs, iPads and iPhones

[MacRumors]

There are two new speculative execution attacks that impact recent Apple chips, according to data shared today by Georgia Tech students that discovered the vulnerabilities.

Named SLAP and FLOP, the two security flaws could allow an attacker to use a malicious webpage to spy on the contents of other webpages, giving attackers remote access to browsing history, credit card data, emails, location information, and more. Physical access to a device is not required, and the attack can be executed through a malicious site that bypasses Apple's browser protections.

Several Apple A-series and M-series chips are affected, including the M2 and later and the A15 and later, which are in the following devices:

• 2022 and later Mac notebooks
• 2023 and later Mac desktops
• 2021 and later iPad models
• 2021 and later iPhones

SLAP and FLOP were disclosed to Apple in May 2024 and September 2024, respectively, and while the attacks have not yet been patched, the researchers who reported the issue were told that Apple plans to address the vulnerabilities in an upcoming security update.

Apple told Bleeping Computer that it has not yet patched the flaws. "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats," Apple said. "Based on our analysis, we do not believe this issue poses an immediate risk to our users."

SLAP affects Safari, while FLOP affects Safari and Chrome. Other browsers like Firefox could be affected too, but have not been tested. There is no evidence that SLAP and FLOP have been executed in the wild.

Details on how SLAP and FLOP work can be found on the website dedicated to explaining the vulnerabilities.

Article Link: Apple to Patch Web Browser Vulnerabilities Affecting Recent Macs, iPads and iPhones

 

[centauratlas]

"we do not believe this issue poses an immediate risk to our users." That may have been true but now that it was published in the two papers that Bleeping links to I would suspect that would change. Apple should have patched these. Reminds me of Meltdown and Spectre.

 

[canadianreader]

Apple told Bleeping Computer that it has not yet patched the flaws. "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats," Apple said. "Based on our analysis, we do not believe this issue poses an immediate risk to our users."

They're too busy fixing Apple Intelligence.

 

[Razorpit]

They're too busy fixing Apple Intelligence.

Maybe we can have Apple Intelligence write a patch! What could go wrong? 😁

 

[awer25]

Help us Genmoji, you're our only hope!

 

[DeftwillP]

It's ok guy, siri's got this.

"hey siri, load the patch from apple for the newest exploit"
"I couldn't find that person in your contacts"

 

[I7guy]

When will these get patched is the question.

 

[Delgibbons]

It's ok guy, siri's got this.

"hey siri, load the patch from apple for the newest exploit"
"I couldn't find that person in your contacts"

"Here's what I found on the web"

 

[grantishere]

"we do not believe this issue poses an immediate risk to our users." That may have been true but now that it was published in the two papers that Bleeping links to I would suspect that would change. Apple should have patched these. Reminds me of Meltdown and Spectre.

Right. Apple has been known to do this. Researchers have published POCs months after the vulnerabilities still not being patched. Apple doesn’t realize this is how people make a living.

Once they publish the POCs, Apple patches the vulnerabilities within a day.

 

[Apple Knowledge Navigator]

Have they patched the other FLOP?
Think it’s called Apple Intelligence.

 

[canadianreader]

Maybe we can have Apple Intelligence write a patch! What could go wrong? 😁

No thanks 😆

 

[centauratlas]

"Here's what I found on the web"

"I'm sorry, I'm having trouble connecting to the internet right now."

 

[hajime]

They're too busy fixing Apple Intelligence.

They are too busy scheming and diversifying product lineups to earn more profits.

 

[I7guy]

Of course it’s JavaScript that’s at the root of this.

 

[Qubelek]

"Based on our analysis, we do not believe this issue poses an immediate risk to our users." - OH FOR SURE!!! You have a gatekeeper who counts how many times each vulnerable have been used... B please.

secure software? Apple: "Naah, who cares" xD People want AI! ... do they really need it? I personally don't care about Apple Intelligence or any other AI. ChatGPT works fine and is more than enough for me.

 

[HobeSoundDarryl]

Maybe we can have Apple Intelligence write a patch! What could go wrong? 😁

"Siri write a patch for Slap and Flop exploits"
"I don't know what you mean by write a patch for Slap and Flop exploits. Here's what I found on the web..."

And wouldn't it be painfully ironic if one of the websites Siri found for user was one of the malicious ones designed to Slap or Flop us? We would basically be the people on the wrong end of the A.I. commercials, with Siri in the leading role of putting one over on us by using A.I. I can hear the climactic commercial music playing now... "I am genius!.. oh-oh-oh-oh-o"... and visual Siri breaking the 4th wall to grin/look at us as we are slapped or flopped.

 

[FoxyKaye]

Of course it’s JavaScript that’s at the root of this.

But they have such cute names! LOL

 

[coolfactor]

Of course it’s JavaScript that’s at the root of this.

Are you suggesting that JavaScript, as a technology, is the culprit?

This is a very low-level sandboxing issue. It doesn't matter what language or technology is employed at the higher level.

Scary stuff. Feels a bit irresponsible if they've known about this several months ago and haven't done anything until it makes headlines.

 

[JosephAW]

What?! Not the Intel chipset?

 

[I7guy]

Are you suggesting that JavaScript, as a technology, is the culprit?

Yes. Forget meltdown and specter JavaScript has been at the root of some vulnerabilities.

This is a very low-level sandboxing issue. It doesn't matter what language or technology is employed at the higher level.

But JavaScript is an enabler. Without JavaScript in the browser many vulnerabilities could not be delivered effectively.

Scary stuff. Feels a bit irresponsible if they've known about this several months ago and haven't done anything until it makes headlines.

Yeah. That’s another story.

 

[minik]

SLAP and FLOP? These are some interesting names.

'spy on the contents of other webpages, giving attackers remote access to browsing history, credit card data, emails, location information, and more.'

Well, we gave part of those data away to strangers or companies all the time already.

 

[thefrost]

Named SLAP

Maybe that's what Tim Cook needs /s

 

[seggy]

Of course it’s JavaScript that’s at the root of this.

I do not like what you have to say because it is inherently incorrect 🤡

 

[artifex]

Yet another reason Firefox should be allowed to bring its own engine to iOS/iPadOS for people outside the EU, too.

 

[seggy]

Yet another reason Firefox should be allowed to bring its own engine to iOS/iPadOS for people outside the EU, too.

I'm behind that, but this is more than likely not limited to Webkit. Or in fact, any browser. It's simply that Webkit was the attack vector they POC'd.