When we see reports about security vulnerabilities in software or hardware, it is often difficult to assess the danger of the vulnerability. A classification by experts such as CVE or BSI is not always available.
At first glance, the vulnerability M1RACLES or CVE-2021-30747, which the developer Hector Martin presented on 27 May 2021 claiming that it affected all M1 CPUs from Apple, seemed very dangerous.
A design flaw in Apple’s M1 chip could enable two apps from iOS or macOS to exchange data directly, which should not be possible according to the security concept of the system.
The error is also a little reminiscent of the well-known security deficiencies of Intel-CPUS, known as Meltdown and Specter.
Martin is working on porting Linux to the M1 platform as part of the Asahi Linux project and discovered the error during this project. A sample program has been published on Github, and a small sample video has also been published on YouTube. Apple has been informed, but the error is based on a hardware error – hardware errors are complicated and often difficult to fix – which makes the correction impossible.
This sounds bad, but in reality the error is quite harmless, as the blog Naked Security judges. Jailbreaking is not possible, nor is an app able to access the data of another app. Two malware programs would have to get onto an Apple device in order for this vulnerability to be usable – and then this security vulnerability would be a comparatively minor problem.
The error has been extensively reported, but the danger has been rated higher than appropriate. Indeed many of the journalists fell into a trap laid by the developer. As Martin states in the FAQ on his website, his intention was to make fun of news sites with a name like M1RACLES: “Poking fun at how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn’t mean you need to care.”
This article originally appeared on Macwelt. Translation by Karen Haslam.