Just because a computer breach looks dramatic doesn’t mean it’s dangerous – Cyberwar

Hector Martin found a flaw in Apple’s famous M1. And rather than making a big deal out of it, he decided to make it an educational exercise on vulnerabilities.

Hector Martin discovered a vulnerability in thea puce M1, the processor put forward by Apple as one of the main selling points of the latest iMac and MacBook. Its find has everything to create a media storm as it concentrates popular keywords: fault, Apple, M1 and potentially, danger.

In addition, this flaw is actually irreparable. It lies in the physical constitution of the processor, that is to say that it would be necessary to remodel the silicon of the chip to correct it, and that a software patch would not be enough. M1s already on the market are therefore doomed to keep the vulnerability, and Apple will have to make changes in its production if it does not want it to affect its future computers.

In other words, the software engineer could have decided to present his discovery in a dramatic way: an irreparable flaw in Apple’s M1, which affects millions of people. But he preferred to show honesty and a lot of humor (well, computer engineer humor) in his publication: ” Just because the vulnerability has a dedicated site and is being talked about in the media doesn’t mean you should worry about it. »

The M1 is Apple’s new star. // Source: Numerama screenshot

Should we give a name to the vulnerabilities?

The media coverage of vulnerabilities always leads to a broad debate within the cybersecurity community. Some find that researchers are overdoing it by naming their vulnerabilities and exaggerating its potential consequences to gain attention. Others argue that it is a good way to warn the general public and force a massive update campaign, even if it means frightening a little too much.

To copy this operation with irony, Martin named his discovery M1RACLES, and created a logo and a dedicated site. His goal ? ” Poke fun at how ridiculous vulnerability reports have become touting lately. “So as not to leave any doubt about his parody, he defuses concerns from the first line of the site:” Should you be worried? Probably not. »

In 5 lines, the researcher sums up M1RACLES: the chip defect allows two applications to exchange data with each other at a deep level in the computer. This exchange can be done between two applications, launched by two different users with different levels of privileges, that is to say with different rights of access and modification on the computer. According to him, the flaw allows ” create a secret channel for the clandestine exchange of data “. But most likely it will not be exploited by cybercriminals.

“No one is going to exploit the loophole”

The limit is that this kind of secret channel is “Completely useless unless the system is already compromised “. In other words, the malware must already be on the computer to take advantage of it, and if so, it will likely have much more efficient means of manipulating or corrupting applications.

The researcher insists: vulnerability is not dangerous. // Source: Hector Martin

In an FAQ addressed to himself, Martin brushes aside all doubts – even the most delusional – about the capacities of vulnerability:

  • no, it does not allow you to take control of a computer;
  • no, it does not allow private information to be stolen;
  • no, a JavaScript cannot trigger it;
  • yes, it could be used for Rickroll someone (but there are easier ways to do it) …

In a pinch, he concedes that unscrupulous ad companies could use it, but again, they have far more efficient (and legal) ways to access data. In short, it would be a “crazy” scenario, in his own words.

But then, why publish his find? Well, because vulnerability, even if not very dangerous, is nonetheless rare and interesting from a technical point of view. Alerted earlier this year, Apple labeled the vulnerability, but has yet to express whether or not it will fix it. ” Someone on Apple’s silicon design team made a dumpling. It happens. Engineers are human », Concludes the researcher. Without consequence this time.

Photo credit of the one:
Hector Martin

About CyberGhost

CyberGhost, Cyberwarre’s exclusive advertiser, is a premium VPN provider at affordable prices. It has thousands of secure servers spread across the world, allowing it to relocate its IP address and bypass geoblocks. CyberGhost does not keep any record of user activity. Its VPN application is available on all operating systems and connected devices and is the easiest to access on the market.

Learn more about CyberGhost’s VPN solution

Share on social media

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button