on Chromium they should state. its a combo of GPU and the app failing to isolate cross-domain data.. leaking it.
Firefox is not vulnerable.. just chrome/edge, etc.
this post was submitted on 30 Sep 2023
166 points (97.7% liked)
Technology
70847 readers
3665 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
Too bad this is not included in the title (or subtitle) !
chromium is used in a lot of things.
While true, that's not the message here. While chromium is in a lot of things, browsers for everyday use (like banking etc.) is a huge part. You can't control what services you rely on use as a basis for their software, but you can absolutely not use the software and/or opt for the website instead.
If you can reduce your exposure to that vulnerability by a large fraction by simply switching browsers with equivalent experience, it should absolutely be mentioned. In fact, it could even be seen as an obligation/core purpose of news outlets.
Including steam
Not my pixels!
MINE
Our
Firefox ftw!!!
For GPU.zip to work, a malicious page must be loaded into the Chrome or Edge browsers. Under-the-hood differences in the way Firefox and Safari work prevent the attack from succeeding when those browsers process an attack page.
Lol, amazing.
This is the best summary I could come up with:
The researchers found that data compression that both internal and discrete GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.
“We found that modern GPUs automatically try to compress this visual data, without any application involvement,” Yingchen Wang, the lead author and a researcher at the University of Texas at Austin, wrote in an email.
Most websites restrict the cross-origin embedding of pages displaying user names, passwords, or other sensitive content through X-Frame-Options or Content-Security-Policy headers.
All of the GPUs analyzed use proprietary forms of compression to optimize the bandwidth available in the memory data bus of the PC, phone, or other device displaying the targeted content.
The insights yielded a method that uses the SVG, or the scalable vector graphics image format, to maximize differences in DRAM traffic between black and white target pixels in the presence of compression.
Our proof-of-concept attack succeeds on a range of devices (including computers, phones) from a variety of hardware vendors with distinct GPU architectures (Intel, AMD, Apple, Nvidia).
The original article contains 832 words, the summary contains 181 words. Saved 78%. I'm a bot and I'm open source!
GPUs from all six of the major suppliers
Wait, what? Six? There's AMD, Nvidia, and Intel. Who are the other three? Are they counting mobile chips made by Apple, Qualcomm, and Samsung as GPUs?
On top of my head there is AMD, Nvidia, Intel, ARM, Qualcomm, Broadcom, Apple. Samsung licenses their GPU's from ARM and AMD as far as I know. Also why wouldn't you count the other manufacturers? There are certainly more ARM IP GPU's in use than AMD and NVIDIA and Apple is probably up there too, especially with the M1 and M2 launch.
Does VIA still make onboard GPUs?
Yeah for Zhaoxin, but that's for the chinese market.
The attack works on GPUs provided by Apple, Intel, AMD, Qualcomm, Arm, and Nvidia.
Even new(ish) GPUs from Apple. Sounds like a flaw in the product category, not just certain implementations.