New Apple Processor Flaws Exposed: A Threat to User Privacy in Web Browsers

Listen to this Post

2025-01-28

A recent discovery by a team of security researchers has revealed critical vulnerabilities in modern Apple processors, which could lead to serious privacy breaches. These flaws, found in Apple’s processors starting from the M2 and A15 generations, allow attackers to exploit side-channel vulnerabilities to extract sensitive information from web browsers like Safari and Chrome. The flaws stem from faulty speculative execution, a mechanism aimed at speeding up processing by guessing future instructions. These mispredictions leave traces in memory that can be used for malicious purposes.

The researchers from the Georgia Institute of Technology and Ruhr University Bochum presented their findings in two separate papers: FLOP and SLAP. These attacks are remotely executable through a malicious webpage, meaning users can be exploited simply by visiting a compromised site. Despite the research being disclosed to Apple in 2024, these vulnerabilities remain unmitigated at the time of writing.

Overview of FLOP and SLAP Attacks

The FLOP attack targets the newer M3, M4, and A17 processors by exploiting a faulty mechanism that guesses both memory addresses and the data stored within them. If the guesses are wrong, the CPU uses incorrect data for calculations, and attackers can access sensitive information through cache timing attacks. Examples of what can be accessed include email headers from Proton Mail, Google Maps location history, and private iCloud events.

On the other hand, SLAP affects the M2 and A15 models. Instead of predicting memory values, it focuses on predicting the next memory address. By manipulating the CPU’s training process, attackers can force it to access secret data that it then processes before realizing the mistake, allowing attackers to infer sensitive information. This can expose data such as Gmail inbox information, Amazon browsing history, and Reddit activity.

Real-World Implications

The most concerning aspect of these vulnerabilities is that they can be executed remotely. No malware or physical access is required; attackers can simply lure victims into visiting a malicious website. This means that security mechanisms like browser sandboxes and traditional memory protections, such as Address Space Layout Randomization (ASLR), can be bypassed. Until Apple provides a fix, users can mitigate the risk by disabling JavaScript, though this would severely impact browsing functionality.

What Undercode Says:

The emergence of the FLOP and SLAP vulnerabilities highlights critical gaps in the security of Apple’s latest processors, something that should be a major concern for both consumers and developers. While speculative execution has allowed processors to improve performance significantly over the years, it has also introduced a major attack vector that bad actors are quick to exploit.

From a security standpoint, these side-channel vulnerabilities exploit a fundamental flaw in how modern processors predict memory usage. The issue becomes clear when we realize that the processors are not merely predicting the memory address but also trying to guess the actual data that will be accessed. This introduces the possibility for data leakage if the predictions go awry. In a perfect scenario, the CPU would never make such mistakes, but the reality is far more complicated. Mispredictions create a window of opportunity for attackers to extract data while the processor attempts to correct its errors. This means that sensitive data, such as login credentials, personal information, or browsing activity, can leak without any direct interaction with the user’s device.

One of the key concerns here is the remote exploitability of these attacks. Previous attacks like Spectre and Meltdown required physical proximity or complex setups, but the FLOP and SLAP flaws can be triggered by simply visiting a compromised website. This greatly increases the scale of potential attacks, as it bypasses the need for sophisticated malware or phishing schemes. For everyday users, the consequences could range from exposing sensitive emails to leaking private calendar events or even providing access to location data.

The fact that these attacks can bypass standard security measures, such as browser sandboxing and ASLR, is especially alarming. It suggests that, despite years of advancing browser and operating system security, these fundamental processor flaws have remained undetected or unaddressed. Since Apple’s response indicates that no immediate threat is perceived, it is uncertain how soon users can expect a fix. While Apple’s claim that no “immediate risk” exists may be reassuring, it is unlikely to calm the concerns of privacy-conscious users who rely on their devices for personal and professional matters.

Furthermore, the potential for exploitation through simple web browsing means that millions of users could be affected globally, with no specific action needed beyond visiting a malicious page. This starkly contrasts with traditional malware that requires some form of user interaction, like downloading a file or clicking on a link. The simplicity and remote nature of these attacks make them particularly dangerous, especially when coupled with the fact that Apple has not yet released a security update.

Until Apple releases a patch, disabling JavaScript or using other restrictive measures might be the only way to mitigate this issue. However, this would significantly impair web browsing functionality, as JavaScript is essential for most modern websites to function. This creates a tough choice for users who want to stay secure without losing the full web experience.

In conclusion, while the FLOP and SLAP vulnerabilities offer attackers a new method of stealing sensitive data, they also highlight a broader issue in modern computing: the delicate balance between performance and security. It will be interesting to see how Apple addresses these flaws, but until a solution is provided, users must remain cautious and informed about the risks associated with these vulnerabilities.

References:

Reported By: Bleepingcomputer.com
https://stackoverflow.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.helpFeatured Image