Thursday, May 27, 2021

Clickbait security hole?

“Unpatchable” vuln in Apple’s new Mac chip – what you need to know
By Paul Ducklin

Apple’s brand new Mac has a security hole, right inside the processor itself!

The official name for the bug is CVE-2021-30747, but the developer who discovered it prefers to call it M1RACLES, all in caps.

Like every BWAIN (our own impressive name for bugs with impressive names, short for Bug With An Impressive Name), it has a personalised domain, a logo and a website where you can learn all about it.

The finder of the bug, Hector Martin, writes on the website that:

The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision.

... the bug name M1RACLES expands, rather tortuously, as:

M1ssing Register Access Controls Leak EL0 State

It turns out that Apple’s M1 chip includes a CPU system register known, ineffably, as s3_5_c15_c10_1.

According to Hector Martin, this register can be read from by userland programs running at EL0, though he doesn’t know what the register is actually used for, if anything.

However, userland programs aren’t supposed to be able to write into it, given that it’s a system register and supposedly off-limits to EL0 programs.

But Martin discovered that userland code can write to just two individual bits inside this register – bits that are apparently otherwise unused and therefore might be considered unimportant or even irrelevant...

... and those bits can then be read out from any other userland program.

And that’s it!

That, in a nutshell, is the entirety of the “baked-in” security vulnerability CVE-2021-30747, also known as M1RACLES.
...
There’s nothing that you can do, but fortunately there’s nothing you need to do, so you can relax.

Clearly, if it is possible to access a register you're not supposed to have access to, it's a bug that must be fixed, and I suppose it technically counts as a security vulnerability, but does this really require creating an entire Internet domain and web site to advertise it?

Sounds like click-bait to me.

Tuesday, May 25, 2021

Sophos: Apple patches dangerous security holes, one in active use – update now!

Apple patches dangerous security holes, one in active use – update now!
By Paul Ducklin

... security patches that arrived in the update to iOS 14.6, because Apple fixed 38 significant bugs, covered by 43 different CVE bug numbers.

For what it’s worth, the update to macOS Big Sur 11.4 shared many of those bugs with iOS, as well as adding a raft of its own, with 58 significant bugs patched, covered by 73 different CVE bug numbers.

Perhaps even more importantly, one of the Big Sur bugs that was patched, now dubbed CVE-2021-30713, is a security flaw that is already known to criminals and has already and quietly been exploited in the wild.

Time to update your phone again...

Thursday, May 20, 2021

Product announcement: Carbon Copy Cloner version 6

CCC 6 is here! Faster backups, better accountability, Dark Mode, and so much more
by Mike | May 19, 2021

We've had so many new features in the oven for a while, and now we're finally ready to share it with the world! CCC 6 offers unprecedented accountability for your backups and insight into what's changing on your Mac, plus a brand new file copier that's faster, smarter, and designed to adapt to Apple's fast pace of OS and filesystem innovation.

Take a look at what's new in CCC 6:

The core CCC backup features you know and love are now better than ever!

I never buy any software that is version x.0, but after there have been a few updates to fix the inevitable new-release bugs, I plan on upgrading. At $20 (to upgrade from version 5), it's really a no-brainer.

The most important feature for me is the faster file copier and the use of Apple's FSEvents API to eliminate the need to read every file on the computer in order to determine what's changed since the last backup.

Disclaimer: I do not work for Mike Bombich. I'm just a happy user of Carbon Copy Cloner and I wanted to share the news of a new release with those who may also be interested.

Wednesday, May 19, 2021

Fierce Telecom: Learn the No. 1 reason some Americans don't use the internet

Learn the No. 1 reason some Americans don't use the internet
By Roger Entner

The U.S. Government, through the NTIA, has been surveying internet usage since 2001. Since 2009, it has also been surveying reasons for not using the internet. Of all the studies that are currently under consideration to be used to justify the broadband stimulus plan, the government’s own NTIA Internet Use Survey, which was done before the conception of the plan, is the most unbiased and insightful. As universal internet access is a foregone conclusion in the current debate, the reasons why people are not using the internet have been reduced to just two factors — lack of availability and cost — when there is a lot more to the story.
...
What is the number one reason why Americans are not connected to the internet?

I know it is hard to believe that 13% of Americans are just not interested or do not need to use the internet, especially to those of us who live and die by the internet and are ultra-connected. No matter how much we spend on a national broadband plan to provide access to broadband internet or how much we subsidize internet access, when people don’t see the need or are just not interested, adoption numbers are not going to go up substantially.

Almost half of the 13% of Americans who are not interested in the internet are age 65 or older. A third is between 45 and 65 years of age, a surprising 1/6th is between 25 and 44 and an unsurprisingly low 2% is age 15 to 24. Another remarkable finding from the NTIA survey is that there is no significant ethnic or gender difference among people who are not interested in using the internet. There is also no statistically significant difference between people in urban and rural areas who don’t see a point in using the internet.

13% of Americans are not using the Internet because they see no need for it or just don't want to.