Flawed M-series chips

As usual, the press is overhyping the issue. Here's a much more level-headed article.

https://www.zetter-zeroday.com/apple-chips/

In short, nothing can happen unless the user installs software that can take advantage of the flaw. In other words, a Trojan. Nothing outside of the user allowing rogue software on their Mac can take advantage of the flaw.

Sometime back, there was a similar issue with Windows computers and certain Intel chips. Microsoft provided a software fix that blocked access to the flaw from within the OS. I would imagine Apple will come up with the same soft of fix.

You clearly didn't look into any of this.

Yes, Ableton runs on an Apple Silicon Mac. And natively.

Yes, Steam runs on an Apple Silicon Mac. In this case, Steam is still Intel code only and must run through Apple's Rosetta 2. As the link notes, there may be some inconsistencies while playing a game that uses Steam. Send your complaints to Steam and ask them why they still don't have an Apple Silicon native version of their software. These chips have been around since November, 2020.

Yes, League of Legends runs on an Apple Silicon Mac. How can it not? It's on online game. All you need is a browser.

Look before making such baseless comments.

Hello~ You have 14 days to return it. Set up an appointment should you feel there is an issue…

Genius Bar Reservation and Apple Support Options - Apple

~Katana-San~

Along the same lines …

Engadget – Researchers discover that Intel chips have an unfixable security flaw (March 6, 2020)

AMD And Intel CPUs Rocked By New Speculative Execution Attack With A Huge Performance Hit (July 13, 2022)

Yes, theoretically.

It’s also theoretically possible for an attacker to pull this off by embedding malicious code into Javascript on a web site so that when a computer with an M-series chip visits the site, the attacker’s malicious code can conduct the attack to grab data from the cache. The researchers didn’t test a web site attack, but Green says the scenario is plausible. It would also be a more concerning attack, he notes, because attackers could scale it to attack thousands of computers quickly.

They didn't do a test to see if such an attack could actually work, so nothing is really known about that yet.

What can you do? For the moment, if you're really concerned, you can turn JavaScript off in your browser's preferences. But, then a lot of the web won't work as expected. Beyond that, Apple will need to patch Safari against such a threat. The makers of Firefox, Brave, Chrome, etc. will need to do the same.

It's also one of those things where the chances you have to worry about it is very low. Especially if you typically only visit known, legitimately run web sites. P2P, file sharing, "free" movies and pirate sites? Then you're taking a chance.

100% wrong. Download the ARM version.

Honestly, where do you find such nonsense?

From article you posted:

But real-world risks are low

To exploit the vulnerability, an attacker would have to fool a user into installing a malicious app, and unsigned Mac apps are blocked by default.

Additionally, the time taken to carry out an attack is quite significant, ranging from 54 minutes to 10 hours in tests carried out by researchers, so the app would need to be running for a considerable time.

Bluecatdj wrote:

I bought a new MacBook Air M3 three weeks sho. What recourse do I have? Can I return it for a full refund?

No, you cannot return it for a refund after 14 days. The machine is not defective and the issue has very little real world implications for anyone. Researchers often find things like this that can only be exploited under very specific conditions, namely the evildoer has to have physical possession of your Mac and have the skill and knowhow to do it. You have no worries to be concerned with. Oh, and by the way, every platform on the planet has security issues.

msr8 wrote:

Article says there is possibility an attacker can use Java script in web pages as well to exploit this vulnerability.

If its possible then its concerning to me. Any suggestions on preventing this kind of attack?

Back in 2020 researchers found basically the same thing in Intel and AMD processors, an un-patchable flaw in the chips themselves that would require a redesigned chip to deal with it. The work around was the same then as it is now but would severely impact performance.

Bottom line? As happened then and now nothing ever came of it. Reading the headline “UN-PATCHABLE FLAW" is undeniably scary but must be taken in context.

Researchers constantly use the term “theoretically” to mean almost impossible.

Dsidi wrote:

Which means you can’t download ......node.js, visual studio code, ....

Pure bunk!!!

For one, node.js is nothing more than a library of javascript functions that a server will selectively deliver to ANY web browser for running a web page. A large percentage of web pages utilize node.js an work just fine in any Apple web browser whether it be Apple's own Safari, Google Chrome, Microsoft Edge, etc. and on any Mac be it Intel or Apple Silicon. As a matter of fact, I have just completed a project for a web page that used node.js!!!!

And for Visual Studio code, I am using it just fine on my M1 MacBook Air and it is native Apple Silicon code!!!!!!!!!

satcomer wrote:

Java is NOT compatible on Modern Mac (all silicon)!

You don't know what you're talking about.

Java is a programming language. One that's designed specifically to have very few implementation dependencies, meant to let programmers "write once, run anywhere." There's nothing saying that you cannot implement it on an Apple-Silicon-based Mac.

Oracle – Java Downloads

Oracle provides JDK 17, 21, and 22 implementations both for Intel (x64) Macs and for Apple Silicon (ARM64) ones. You just have to select the right implementation for your machine.

Like the security flaw in BSD Unix that was over 25 years old before it was discovered.

https://www.zdnet.com/article/25-year-old-bsd-bug-found-and-fixed/

Apple doesn't confirm, or even talk about any security projects that may be in the works. Often, they don't even announce a fix when it's released. They just quietly become part of the next OS update.

The M3 chip can enable/disable data-independent timing feature, in which the processor completes certain instructions in a constant amount of time. Software that use Apple cryptographic routines will do this automatically. If apps implement there own cryptographic routines they need to do this themself via the Apple API. Apple updated some dev pages a few days ago timed with the public release of this vulnerability. Enable DIT for constant-time cryptographic operations

Maybe macOS updates are already out that address this for M3.