A minor security vulnerability “baked into” Apple Silicon is giving a security researcher an avenue to poke fun at overly dramatic reveals and poor coverage of chip errata.
The flaw, dubbed “M1RACLES,” is a bug in the design of Apple’s M1 chipset that could potentially allow any two applications running under an OS to covertly exchange data with each other without using normal operating system features. It can’t be fixed without a silicon revision.
However, the person who discovered the flaw, reverse engineer and developer Hector Martin, said that Mac users shouldn’t be concerned about the flaw because it can’t really be used for anything nefarious. Martin even wrote a long FAQ section poking fun at “overhyped” vulnerability disclosures.
The vulnerability can’t be used to take over a computer or steal private information, and it can’t be exploited from JavaScript on a website. Martin notes that it could be used to “rickroll” someone, but that there are plenty of other ways to do that.
If there’s a real danger to the flaw, Martin writes “if you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way.” However, it’s likely that malware could communicate in “plenty of expected ways anyway.”
“Really, nobody’s going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system,” wrote the author. “Covert channels can’t leak data from uncooperative apps or systems. Actually, that one’s worth repeating: Covert channels are completely useless unless your system is already compromised.”
In other words, the worst-case scenario is that separate pieces of malware already on a user’s system could use the vulnerability to communicate with each other. By the time a Mac is that compromised, it’s likely that an attacker doesn’t need to use it anyway.
Despite not being a severe flaw, the bug is still a vulnerability because “it violates the OS security model.”
The goal of the webpage, however, was mostly to poke fun at “how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn’t mean you need to care.” Also, Martin said he wanted to play the song “Bad Apple!!” over a vulnerability video.
As for why the flaw exists, Martin says an Apple engineer made a mistake. More specifically, Apple “decided to break the ARM spec by removing a mandatory feature, because they figured they’d never need to use that feature for macOS.” By removing that feature, Apple reportedly made it harder for existing operating systems to mitigate the flaw.
The bug affects any operating system that can run on Apple Silicon, including iOS. It even has privacy implications on Apple’s mobile platform. For example, a malicious keyboard app could use the flaw to connect to the internet when it otherwise wouldn’t be able to. However, it would be trivial for the App Review process to catch an app that uses the flaw.
Interestingly, the bug doesn’t work in virtual machines because correctly implemented hypervisors disable guest access to the underlying register. If the bug could work in virtual machines, “the impact would have been more severe.”
Martin said he discovered the bug while working on his primary project of porting Linux to the M1 CPU.
“I found something, and it turned out to be an Apple proprietary bug, instead of an Apple proprietary feature, that they themselves also weren’t aware of,” Martin wrote.
The vulnerability was reported to Apple’s product security team, who assigned it CVE-2021-30747.