by junek 500 days ago
OK, fun. What can we do to mitigate this until it gets patched?
3 comments

Serious answer, don't use Safari. Use a browser that properly separates webpages into isolated processes so that this kind of cross-site read is not possible.
There’re no other browsers on iPhone. Every iPhone browser is a reskin of Safari. They’re in theory supposed to allow other browsers in the EU, but AFAIK it has not happened yet.
Then don't use an iPhone until it is patched.
What about turning JS off in your favourite iOS browser?
That wouldn't prevent possible malware apps using WKWebView from getting out of the jail they are running in, right?
Yes, I agree.

However I also expect that Swift-compiled apps can do this without a web browser component.

It’s a different threat model though, having installed a malicious app vs browsing a malicious site.

No need to turn JS off. Turn on Lockdown Mode, which disables JavaScript JIT and WASM, which might be enough.
It’s not.
Brave on iOS can limit JavaScript to trusted sites.
So could this hypothetically open a mail client on your iPhone and read your emails?
No, it doesn’t do cross-address space attacks.
God I hate Apple sometimes
Will that work? Isn't memory treated in a unified way between processes, at some point?
Processors are not supposed to speculate across ASIDs.
It will work unless someone forgets to add a public suffix into the public suffix list (as described in the FLOP paper). Both of these attacks target virtual memory pointers.
From the FAQ:

> While FLOP has an actionable mitigation, implementing it requires patches from software vendors and cannot be done by users. Apple has communicated to us that they plan to address these issues in an upcoming security update, hence it is important to enable automatic updates and ensure that your devices are running the latest operating system and applications.

I wonder if Lockdown Mode would help?
IIRC, it disables JIT and WebAssembly, so I think yes.