Security breaches and vulnerabilities are a daily part of our lives now. After all, there’s always going to be someone poking around in software and hardware to see how they can get in. It’s especially bad when those vulnerabilities affect hardware, and more importantly, your hardware. A newly-surfaced vulnerability seems to affect basically every popular GPU model out there.
Researchers from four American universities have uncovered a new security threat dubbed “GPU.zip” that exploits modern graphics cards, including those from major manufacturers like AMD and NVIDIA (as well as others like Apple, ARM, and Qualcomm), to leak sensitive visual data when users visit web pages. This vulnerability, despite being disclosed to manufacturers in March 2023, remains unpatched as of September 2023.
So how does the vulnerability work? At the heart of the GPU.zip vulnerability is data compression, a technique used to save memory and enhance performance. This compression happens automatically in most modern graphics cards, even when they are handling sensitive data, and it is often not well-documented. An attacker can exploit it to steal pixel data from users by isolating pixels on cross-origin web pages, converting them into binary colors, and applying specialized SVG filter stacks to create textures.
In simpler terms, an attack using this vulnerability works by sort-of playing around with the colors in the pictures on a website and seeing how long it takes to change the colors. By measuring the time taken to render these textures, the attacker can infer the original color, or state, of the target pixel, revealing potentially sensitive information such as usernames.
The severity of the GPU.zip attack is significant, affecting a wide range of devices, including laptops, smartphones, tablets, and desktop PCs. However, not all graphics cards are equally vulnerable, and the attack’s complexity and time requirements somewhat mitigate its immediate impact. Additionally, websites that disallow cross-origin iframe embedding are not susceptible to this type of attack. It’s worth noting that Firefox and Safari browsers are not as susceptible to GPU.zip because they do not meet all the criteria necessary for the attack to be successful, lacking features such as the ability to load cross-origin iframes with cookies.
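Since sites that disallow cross-origin iframe embedding are not exposed, a site owner can check what their own response headers actually permit. The following is an added example, not code from the researchers or the source article; the verdict labels and function names are this example's own, and the sample headers in any call are constructed.

```javascript
// Added example: classify a response's framing policy from its headers.
// The header names are standard; the verdict labels are this example's own.
const RANK = ["none", "self", "allowlist", "open"]; // most to least restrictive

// Return the source list of a policy's frame-ancestors directive, or null.
function frameAncestors(policy) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

function classifySources(sources) {
  const s = sources.map((t) => t.toLowerCase());
  if (s.length === 0 || s.every((t) => t === "'none'")) return "none";
  if (s.every((t) => t === "'self'")) return "self";
  if (s.some((t) => t === "*" || /^https?:$/.test(t))) return "open";
  return "allowlist"; // named origins may still embed the page cross-origin
}

function framingPolicy(headers) {
  // Lower-case the names and fold repeated headers into one comma list.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = [].concat(v).join(",");

  // Each comma-separated CSP policy is enforced independently, so the most
  // restrictive frame-ancestors verdict is an upper bound on what is allowed.
  const verdicts = (h["content-security-policy"] || "")
    .split(",")
    .map(frameAncestors)
    .filter((src) => src !== null)
    .map(classifySources);
  if (verdicts.length > 0) {
    // frame-ancestors replaces X-Frame-Options when both are present.
    return verdicts.sort((a, b) => RANK.indexOf(a) - RANK.indexOf(b))[0];
  }

  const xfo = new Set((h["x-frame-options"] || "").split(",").map((t) => t.trim().toLowerCase()));
  if (xfo.has("deny")) return "none";
  if (xfo.size === 1 && xfo.has("sameorigin")) return "self";
  return "open"; // missing, obsolete ALLOW-FROM, or conflicting: flag for review
}

// True when no other origin can embed the page in an iframe.
function blocksCrossOriginFraming(headers) {
  return ["none", "self"].includes(framingPolicy(headers));
}
```

A `Content-Security-Policy-Report-Only` header is deliberately ignored here, because it reports violations without blocking the embed.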
So realistically, chances are that this won’t affect you — it requires a lot of probing around for a hacker to actually do something with this. Still, it’s an issue that exists, and one that has been known for a long time. It might be that this is the reason why GPU makers haven’t really fixed this yet. It’s not known when, or if, this will be fixed.
Source: Bleeping Computer