Home iOS When is a cybersecurity hole not a hole? Never

When is a cybersecurity hole not a hole? Never


In cybersecurity, one of the more challenging issues is deciding when a security hole is a big deal, requiring an immediate fix or workaround, and when it’s trivial enough to ignore or at least deprioritize. The tricky part is that much of this involves the dreaded security by obscurity, where a vulnerability is left in place and those in the know hope no one finds it. (Classic example: leaving a sensitive web page unprotected, but hoping that its very long and non-intuitive URL isn’t accidentally found.)

And then there’s the real problem: in the hands of a creative and well-resourced bad guy, almost any hole can be leveraged in non-traditional ways. But — there is always a but in cybersecurity — IT and security pros can’t pragmatically fix every single hole anywhere in the environment.

As I said, it’s tricky.

What brings this to mind is an intriguing M1 CPU hole found by developer Hector Martin, who dubbed the hole M1racles and posted detailed thoughts on it.

Martin describes it as “a flaw in the design of the Apple Silicon M1 chip [that] allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange. The vulnerability is baked into Apple Silicon chips and cannot be fixed without a new silicon revision.”

Martin added: “The only mitigation available to users is to run your entire OS as a VM. Yes, running your entire OS as a VM has a performance impact” and then suggested that users not do this because of the performance hit.

Here’s where things get interesting. Martin argues that, as a practical matter, this is not a problem.

“Really, nobody’s going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication—e.g. cache stuff—on every system. Covert channels can’t leak data from uncooperative apps or systems. Actually, that one’s worth repeating: Covert channels are completely useless unless your system is already compromised.”

Copyright © 2021 IDG Communications, Inc.


  1. Hey very nice web site!! Man .. Beautiful .. Amazing .. I will bookmark your web site and take the feeds also…I’m happy to find numerous useful information here in the post, we need develop more techniques in this regard, thanks for sharing. . . . . .

  2. I do consider all of the concepts you have introduced for your post. They’re really convincing and will definitely work. Nonetheless, the posts are very brief for newbies. May just you please extend them a little from next time? Thanks for the post.

  3. Hi, i read your blog from time to time and i own a similar one and i was just curious if you get a lot of spam remarks? If so how do you stop it, any plugin or anything you can suggest? I get so much lately it’s driving me mad so any support is very much appreciated.

  4. This is a very good tips especially to those new to blogosphere, brief and accurate information… Thanks for sharing this one. A must read article.

  5. I keep listening to the rumor lecture about receiving boundless online grant applications so I have been looking around for the finest site to get one. Could you tell me please, where could i acquire some?


Please enter your comment!
Please enter your name here