Flawed M-series chips

Bluecatdj wrote:

I bought a new MacBook Air M3 three weeks sho. What recourse do I have? Can I return it for a full refund?

No, you cannot return it for a refund after 14 days. The machine is not defective and the issue has very little real world implications for anyone. Researchers often find things like this that can only be exploited under very specific conditions, namely the evildoer has to have physical possession of your Mac and have the skill and knowhow to do it. You have no worries to be concerned with. Oh, and by the way, every platform on the planet has security issues.

100% wrong. Download the ARM version.

Honestly, where do you find such nonsense?

As usual, the press is overhyping the issue. Here's a much more level-headed article.

https://www.zetter-zeroday.com/apple-chips/

In short, nothing can happen unless the user installs software that can take advantage of the flaw. In other words, a Trojan. Nothing outside of the user allowing rogue software on their Mac can take advantage of the flaw.

Sometime back, there was a similar issue with Windows computers and certain Intel chips. Microsoft provided a software fix that blocked access to the flaw from within the OS. I would imagine Apple will come up with the same soft of fix.

Dsidi wrote:

Which means you can’t download ......node.js, visual studio code, ....

Pure bunk!!!

For one, node.js is nothing more than a library of javascript functions that a server will selectively deliver to ANY web browser for running a web page. A large percentage of web pages utilize node.js an work just fine in any Apple web browser whether it be Apple's own Safari, Google Chrome, Microsoft Edge, etc. and on any Mac be it Intel or Apple Silicon. As a matter of fact, I have just completed a project for a web page that used node.js!!!!

And for Visual Studio code, I am using it just fine on my M1 MacBook Air and it is native Apple Silicon code!!!!!!!!!

Hello~ You have 14 days to return it. Set up an appointment should you feel there is an issue…

Genius Bar Reservation and Apple Support Options - Apple

~Katana-San~

Yes, theoretically.

It’s also theoretically possible for an attacker to pull this off by embedding malicious code into Javascript on a web site so that when a computer with an M-series chip visits the site, the attacker’s malicious code can conduct the attack to grab data from the cache. The researchers didn’t test a web site attack, but Green says the scenario is plausible. It would also be a more concerning attack, he notes, because attackers could scale it to attack thousands of computers quickly.

They didn't do a test to see if such an attack could actually work, so nothing is really known about that yet.

What can you do? For the moment, if you're really concerned, you can turn JavaScript off in your browser's preferences. But, then a lot of the web won't work as expected. Beyond that, Apple will need to patch Safari against such a threat. The makers of Firefox, Brave, Chrome, etc. will need to do the same.

It's also one of those things where the chances you have to worry about it is very low. Especially if you typically only visit known, legitimately run web sites. P2P, file sharing, "free" movies and pirate sites? Then you're taking a chance.

msr8 wrote:

Article says there is possibility an attacker can use Java script in web pages as well to exploit this vulnerability.

If its possible then its concerning to me. Any suggestions on preventing this kind of attack?

Back in 2020 researchers found basically the same thing in Intel and AMD processors, an un-patchable flaw in the chips themselves that would require a redesigned chip to deal with it. The work around was the same then as it is now but would severely impact performance.

Bottom line? As happened then and now nothing ever came of it. Reading the headline “UN-PATCHABLE FLAW" is undeniably scary but must be taken in context.

Researchers constantly use the term “theoretically” to mean almost impossible.

From article you posted:

But real-world risks are low

To exploit the vulnerability, an attacker would have to fool a user into installing a malicious app, and unsigned Mac apps are blocked by default.

Additionally, the time taken to carry out an attack is quite significant, ranging from 54 minutes to 10 hours in tests carried out by researchers, so the app would need to be running for a considerable time.

Bluecatdj wrote:

“Researchers have discovered a new unpatchable security flaw that can break encryption on the best MacBooks if exploited by an attacker.

As reported by 9To5Mac, this recently discovered vulnerability affects every Mac running Apple silicon including the company’s M1, M2 and M3 chips. To make matters worse, the flaw is present in the architecture of these chips which means there’s no way for Apple to fix it outright”

So what’s your point?

Along the same lines …

Engadget – Researchers discover that Intel chips have an unfixable security flaw (March 6, 2020)

AMD And Intel CPUs Rocked By New Speculative Execution Attack With A Huge Performance Hit (July 13, 2022)

Article says there is possibility an attacker can use Java script in web pages as well to exploit this vulnerability.

If its possible then its concerning to me. Any suggestions on preventing this kind of attack?

The M3 chip can enable/disable data-independent timing feature, in which the processor completes certain instructions in a constant amount of time. Software that use Apple cryptographic routines will do this automatically. If apps implement there own cryptographic routines they need to do this themself via the Apple API. Apple updated some dev pages a few days ago timed with the public release of this vulnerability. Enable DIT for constant-time cryptographic operations

Maybe macOS updates are already out that address this for M3.

Kudos to those who discovered the flaw, but it probably is mostly a proof of concept flaw than any sort of potential risk in the real world. The same hype happened with the Intel and AMD Spectre Meltdown flaw that was similar. That never really amounted to all the hype either. As they say, if you look hard enough you can find flaws in any part of a computer system.

Apple doesn't confirm, or even talk about any security projects that may be in the works. Often, they don't even announce a fix when it's released. They just quietly become part of the next OS update.