Apple’s Safari browser is still vulnerable to Spectre attacks, according to a recent study conducted by researchers from Ruhr University Bochum, in collaboration with Georgia Tech and the University of Michigan. Despite efforts to address the hardware vulnerability since 2018, the study reveals that both Mac and iOS systems, especially when using Safari, are still at risk.
The Spectre attack exploits a feature of modern microprocessors called speculative execution, which optimizes CPU performance. It allows the CPU to execute instructions out of order, predicting which instructions will be needed next and starting their execution before it is certain they will be used.
The Spectre attack exposed a fundamental vulnerability in the hardware architecture of modern processors, potentially compromising sensitive data. Although countermeasures were implemented by manufacturers, the study suggests that these measures may not provide sufficient protection.
The project, led by Professor Yuval Yarom from Ruhr University Bochum’s Cluster of Excellence “Cyber Security in the Age of Large-Scale Adversaries” (CASA), along with researchers from Georgia Tech and the University of Michigan, will present their findings at the Conference on Computer and Communications Security (CCS).
To execute the identified “iLeakage” attack, attackers must first direct users to a website under their control. Users are advised to be cautious and only interact with trustworthy sites. Once a user visits the attacker’s website, the attacker can access the user’s email app or navigate to other websites, such as the user’s bank login page.
The research team also discovered that if the auto-fill option is enabled, attackers could automatically access login data stored in password managers like LastPass, potentially compromising supposedly secure passwords.
The vulnerability in Apple’s Safari browser stems from the operational principle of modern CPUs, which execute instructions concurrently. This speculative execution method accelerates processing but may initiate instructions even when conditions for their execution are uncertain. These discarded processes leave traces, creating an exploitable vulnerability for attackers to extract sensitive memory data.
Although protective measures have been integrated into web browsers to counteract this form of side-channel attack, the researchers showed that they could bypass these defenses in Safari, opening a second web page in the same process and allowing attackers to intercept information that should have been unattainable.
It is essential for users to be aware of these vulnerabilities and take precautions when using Safari or interacting with websites. Manufacturers and developers should also continue working on improving security measures to protect users’ sensitive data.
© 2023 TECHTIMES.com All rights reserved. Do not reproduce without permission.
I have over 10 years of experience in the cryptocurrency industry and I have been on the list of the top authors on LinkedIn for the past 5 years. I have a wealth of knowledge to share with my readers, and my goal is to help them navigate the ever-changing world of cryptocurrencies.
