One more unpatched vulnerability on Apple M1 chip, users remain unaffected

This is the second unpatched vulnerability discovered on the Apple M1 chip and as usual Apple says it does not affect users.

By exploiting a hardware flaw in the Apple M1 chip, an attacker can defeat Pointer Authentication. Combined with speculative execution, this can lead to hijacking of arbitrary code execution on Mac computers. This is the second unpatched vulnerability found on the Apple M1 chip.

Pointer Authentication is a security feature that adds a cryptographic signature, known as a pointer authentication code (PAC), to pointers so that the operating system can detect and block unexpected changes to them, changes that could otherwise lead to data leakage or system compromise.
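To make that mechanism concrete, here is an added toy model of pointer authentication in Python; it is not Apple's implementation (which uses a hardware key and a block cipher), and the key, addresses and HMAC-based tag are constructed assumptions. It shows a return address being signed, a corrupted pointer being rejected, and how few bits the tag actually has.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Toy model of ARMv8.3 pointer authentication: the tag lives in the unused
# upper bits of a 64-bit pointer. With 48-bit virtual addresses, roughly 16
# bits remain for the PAC, which is why the tag space is small.
PAC_BITS = 16
PAC_SHIFT = 64 - PAC_BITS
ADDR_MASK = (1 << PAC_SHIFT) - 1

# Constructed key; on real hardware the key is never visible to software.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def compute_pac(ptr: int, context: int, key: bytes = KEY) -> int:
    """Derive a PAC_BITS-wide tag from the address plus a context value (for
    example the stack pointer), so the same address signed under a different
    context yields a different PAC. HMAC stands in for the hardware cipher."""
    msg = (ptr & ADDR_MASK).to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(ptr: int, context: int, key: bytes = KEY) -> int:
    """Like the PAC* instructions: store the tag in the top bits of the pointer."""
    return (ptr & ADDR_MASK) | (compute_pac(ptr, context, key) << PAC_SHIFT)


def authenticate_pointer(signed: int, context: int, key: bytes = KEY) -> Optional[int]:
    """Like the AUT* instructions: strip and recompute the tag. Returns the plain
    pointer on success, None on mismatch (hardware instead poisons the pointer
    so that the next dereference faults)."""
    plain = signed & ADDR_MASK
    if compute_pac(plain, context, key) != (signed >> PAC_SHIFT):
        return None
    return plain


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Sign a return address, then show a memory-corruption write being caught."""
    ret_addr = 0x00007FFFDEADBEEF   # constructed address of legitimate code
    stack_ctx = 0x00007FFFFFF00000  # constructed stack pointer used as context
    signed = sign_pointer(ret_addr, stack_ctx)
    ok = authenticate_pointer(signed, stack_ctx)  # untouched: returns ret_addr
    # Attacker overwrote the address bits but cannot compute the matching tag.
    tampered = authenticate_pointer((signed & ~ADDR_MASK) | 0x414141414141, stack_ctx)
    # Valid signed pointer replayed under a different context is also rejected.
    replayed = authenticate_pointer(signed, stack_ctx + 0x10)
    return ok, tampered, replayed
```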

The PAC attack was discovered by researchers at MIT's Computer Science & Artificial Intelligence Laboratory (CSAIL). This new type of attack requires the attacker to first gain access to a Mac computer with an Apple M1 chip, and from there exploit the vulnerability and steal data.


To exploit the vulnerability, an attacker must first find a memory bug affecting software on the target Mac. This must be a bug that the PAC would normally stop; once the PAC's defenses are bypassed, it can escalate into a more serious security issue.

The researchers named this vulnerability PACMAN.

"PACMAN takes an existing software bug (memory read/write) and turns it into a more serious exploit (pointer authentication bypass), which can lead to arbitrary code execution. To do this, we need to find out the PAC value for a specific pointer for each victim," the researchers explained.

"PACMAN does this by creating what we call a PAC Oracle. It can tell whether a given PAC matches a specified pointer. The PAC Oracle must never cause a crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle."

Although Apple cannot patch the hardware flaw that PACMAN relies on, the good news is that users do not need to worry at all as long as they keep their software up to date: if the system has no exploitable software bug, PACMAN cannot be used.

"PACMAN by itself is not a technique that can compromise your system. Although the hardware mechanisms that PACMAN exploits cannot be patched with software features, memory bugs can be fixed," the researchers said.

Attacks of this type usually disturb the kernel and crash the entire system. PACMAN, however, ensures that no system crash occurs and leaves no traces in the logs.

Apple: Currently no threat to users

Since 2021, MIT CSAIL researchers have been in contact with Apple to discuss PACMAN. MIT's findings and the proof-of-concept (PoC) attack method have all been reported to Apple.

Apple says that this new side-channel attack does not pose a threat to Mac users because it must be combined with other existing vulnerabilities.

"We thank the researchers for their cooperation on the reports and PoC, which helped us improve our understanding of these techniques. Based on our analysis, as well as the details shared by the researchers, we concluded that this issue poses no immediate risk to our users and is not robust enough to bypass the protections present on the device," Apple said.


Update 18 June 2022