circumstances

[daslicht]

can this exploid run without installing code on teh target machine? Or how else could that be a danger? please Or is there still a way to execute arbitary code from remote, wasn't that patched?

[Darival]

I always find it funny when news outlets take a vulnerability so out of proportion ignoring the fact that the attacker need to get access to your computer. don't get me wrong it is still a vulnerability and need to be addressed by apple but no need to throw away your m1 mac

[emilcondrea]

That's the main question!

Even if it does not require installation of malicious app, can the exploit be triggered from javascript that's executed when visiting malicious website? If that's true, is very bad! One way of exploiting this requires 2 steps 1) serving malicious js on public networks that require signin over http(eg. hotels, airports). 2) the attacker, being on the same network, monitors the encrypted traffic of the victim and through malicious js from 1) that still runs in the other tab, execute Gofetch attack to figure out the TLS keys, so it can completely hijack the victim.

There are a couple of sidechannel attacks that can be achieved from javascript, see Fantastic Timers and where to find them

[daslicht]

I always find it funny when news outlets take a vulnerability so out of proportion ignoring the fact that the attacker need to get access to your computer. don't get me wrong it is still a vulnerability and need to be addressed by apple but no need to throw away your m1 mac

Exactly what I thought, I ve read so much B$ on social media so I though to clear it out I just ask some profis here :) So you confirm, it is not possible via JavaScript over the internet?

[mevanloon]

In theory the exploit could run on WASM (low-level code in JS), since the exploit would supposedly ignore the sandbox that it's in. But I don't know enough about the low-level stuff to answer that.

[daslicht]

In theory the exploit could run on WASM (low-level code in JS), since the exploit would supposedly ignore the sandbox that it's in. But I don't know enough about the low-level stuff to answer that.

Related: https://www.forcepoint.com/blog/x-labs/webassembly-potentials-and-pitfalls https://github.com/stevespringett/disable-webassembly

So the question is: "How to disable WASM in Safari"

[gerrywastaken]

So as far as I know, browser vendors and others made timers less precise in an attempted mitigation against such attacks via javascript: https://v8.dev/blog/spectre#timer-mitigations

It wouldn't make sense for them to reintroduce the attack vector via WASM.

I just wonder if similar threading techniques to those mentioned in the gofetch paper could be used to work around the timer limitations in js/wasm. Interesting times.

[mevanloon]

@bl4zk0 They're the same architecture, basically the same chips.

But as noted on the homepage, Hector Martin found a chicken bit that disables DMP, so it can be patched.