"we do not believe this issue poses an immediate risk to our users." That may have been true, but now that it was published in the two papers that Bleeping links to, I would suspect that would change. Apple should have patched these. Reminds me of Meltdown and Spectre.
It reminds you of those because they’re all “exploits”, but what’s needed to implement this introduces several other levels of additional steps, which means it’s highly unlikely for this to be put into action.

And, most importantly for malicious actors, they’re not looking for the way to exploit users that most impresses security researchers. If there’s an easier, or more importantly quicker way (less than the 5-10 minutes required) to exploit someone, they’re going to use that, which would also decrease the likelihood of this being used in the wild.
 
I'm behind that, but this is more than likely not limited to WebKit, or in fact any browser. It's simply that WebKit was the attack vector they POC'd.
It was always first to fall in pwn2own because it's fragile.

I wonder if we had browsers on iOS/iPadOS that didn't use Safari innards, if this would be a problem.
 
This is kinda funny because Intel had a similar issue a few years back. I believe a kernel fix was put in place on Windows machines that ultimately slowed processing time. Clearly no one learns from past mistakes.
 
"we do not believe this issue poses an immediate risk to our users." That may have been true, but now that it was published in the two papers that Bleeping links to, I would suspect that would change. Apple should have patched these. Reminds me of Meltdown and Spectre.

Unfortunately, such side channel attacks against speculative execution can never be completely prevented, short of not having speculative execution. They can be mitigated in various ways, typically by sacrificing some performance.
 
and the attack can be executed through a malicious site that bypasses Apple's browser protections.
So, first someone has to go to a site that bypasses Apple’s browser protections and THEN they have to stay there without touching anything for 5-10 minutes. So, everyone, just keep working at your normal speed. :D

It’s a security risk that can only be replicated in the safe confines of a security researcher’s lab. So, stay away from security researcher labs.
 
Oh joy. Another attack vector.
If they're targeting WebKit vulnerabilities in a web browser but I'm using Gecko in mine, I might not be affected. Conversely, if they're targeting Gecko and you're running WebKit instead, it might not affect you. They have to target vulnerabilities in each to affect us both. And you won't even have Gecko unless you download it.
 
"We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats," Apple said. "Based on our analysis, we do not believe this issue poses an immediate risk to our sheep."

Apple wants to spend their time building more gimmicky AI features to sell more devices than spending time fixing security holes.
 
"we do not believe this issue poses an immediate risk to our users." That may have been true, but now that it was published in the two papers that Bleeping links to, I would suspect that would change. Apple should have patched these. Reminds me of Meltdown and Spectre.

Depends how practical they are to exploit. A theoretical vulnerability isn't always practical to use in reality.
 
"we do not believe this issue poses an immediate risk to our users." That may have been true, but now that it was published in the two papers that Bleeping links to, I would suspect that would change. Apple should have patched these. Reminds me of Meltdown and Spectre.

“Hi AI, please write me a script to leverage SLAP and FLOP.” 😂
 
No this is completely different.
Maybe the technique/exact vulnerability is different, but when Spectre was discovered, people were talking about the vulnerabilities of speculation. So, the weakness of this approach was already known. Thinking that "Apple's approach" was without vulnerability was simply foolhardy hubris. Apple will be hit with a class action lawsuit. Whoever thought this was a "good approach" should be held responsible and fired.
 
So, first someone has to go to a site that bypasses Apple’s browser protections and THEN they have to stay there without touching anything for 5-10 minutes. So, everyone, just keep working at your normal speed. :D
What, we can't even get up to take a snack or a bathroom break?
 
And wouldn't it be painfully ironic if one of the websites Siri found for the user was one of the malicious ones designed to SLAP or FLOP us?
"Siri, you just infected my computer with the SLAP exploit!"

"I thought you might be better informed about the problem if you witnessed it first hand. If you prefer, would you like me to direct you to a web page that has the FLOP exploit instead?"

"NO NO NO!!"

"I'll take that as a yes. I am now automagically directing you to a web page that is guaranteed to do the job."
 
Not nice to hear about these vulnerabilities. Very serious issue. Wonder why a fix has not been rolled out until now. Hopefully Apple fixes it immediately.
 