The First Spatial Computing Hack
Ryan Pickren found a Safari bug letting websites flood a user's space with 3D objects. Apple fixed it (CVE-2024-27812) in June after Ryan's report. The bug exploited Apple AR Kit Quick Look, launching objects without consent.
Ryan Pickren discovered a bug in visionOS Safari that allowed a malicious website to fill a user's room with animated 3D objects without permission. Apple fixed the bug (CVE-2024-27812) in June after Ryan reported it in February. The bug exploited an older web-based 3D model viewing standard, Apple AR Kit Quick Look, allowing websites to spawn objects in a user's space without consent. Safari did not enforce any permission model for this feature, enabling the automatic launch of 3D objects without user interaction. These objects persisted even after Safari was closed, requiring manual removal. Apple's security team initially focused on system crashes induced by the bug rather than its Spatial Computing implications. Ryan highlighted the need for a re-evaluation of Apple's threat model for Vision Pro, emphasizing the psychological impact of such vulnerabilities. Apple updated the CVE description following Ryan's blog post.
Related
Simple ways to find exposed sensitive information
Various methods to find exposed sensitive information are discussed, including search engine dorking, Github searches, and PublicWWW for hardcoded API keys. Risks of misconfigured AWS S3 buckets are highlighted, stressing data confidentiality.
Vulnerability in Popular PC and Server Firmware
Eclypsium found a critical vulnerability (CVE-2024-0762) in Intel Core processors' Phoenix SecureCore UEFI firmware, potentially enabling privilege escalation and persistent attacks. Lenovo issued BIOS updates, emphasizing the significance of supply chain security.
Show HN: An App for Your Eyes
The "Eye Exercise: EyeYoga" app on the App Store by Maksym Skrypka offers visual acuity workouts, massages, and exercises to reduce eye strain. It includes a profile feature, timer, and in-app purchases for subscriptions. The app prioritizes vision improvement, emphasizes not replacing medical advice, and ensures user privacy.
I found an 8 years old bug in Xorg
An 8-year-old Xorg bug related to epoll misuse was found by a picom developer. The bug caused windows to disappear during server lock, traced to CloseDownClient events. Despite limited impact, the developer seeks alternative window tree updates, emphasizing testing and debugging tools.
Arbitrary shell command evaluation in Org Mode (GNU Emacs)
A vulnerability in Emacs Org mode allowed arbitrary shell command execution. A fix in Emacs 29.4 and Org 9.7.5 prevents unsafe code evaluation in link abbreviations, advising users to apply the patch.
“I never got the chance to invest, but now you can put my soul to rest…”
Or something similar to the above. How about an ex or prior trusted friend you’ve lost contact with?
The implications of this hack, bringing untrusted entities into a trusted entity space, are almost unfathomable.
> [Update: After reading my blog post, Apple updated the CVE description to something more sensible.]
I call BS :-P The new description is, "A logic issue was addressed with improved file handling." Equally as vague/misleading/sanitized. How many other bugs with ramifications that would make you squirm are downplayed in Apple CVE summaries?