Yesterday it came to light that that four new exploits named ZombieLoad make almost every chip Intel has made since 2011 vulnerable to attacks. ZombieLoad has some similarities to the Meltdown and Spectre bugs which surfaced last year. In this article we have more details on this fast moving story and information on the latest patches and updates available.
What Is ZombieLoad?
Its technical name is “Microarchitectural Data Sampling,” where the ZombieLoad exploit enables an attacker to access privileged data across trust boundaries. In a cloud hosting environment, it could enable one virtual machine to improperly access information from another; researchers also showed that it could be used for app surveillance and password acquisition. The vulnerability impacts any operating systems that run on Intel chips, including Android, Chrome, Linux, macOS, and Windows.
The good news is that to date this vulnerability has only been found as a proof of concept, there appears to be no evidence that it has been used maliciously yet. Daniel Gruss who is one of the researchers who discovered ZombieLoad told TechCrunch that ZombieLoad is easier to exploit than Spectre, but more difficult than Meltdown, and that it requires a specific set of skills, which means the average person doesn't need to worry. Nevertheless our advice is to install the appropriate patches and updates for your system.
Apple already has released fixes for every Mac and MacBook released during and after 2011. Apple has advised that anyone who is already running macOS Mojave 10.14.5 is already protected. Apparently the patch will prevent an attack from being run through Safari and other apps. Apple say that most users won’t experience any decline in performance, but in a detailed support document Apple do suggest that some Macs could face up to a 40% performance hit for those who opt-in to the full set of mitigations, covered in the support document.
In this fast moving story, in an update to an article on VentureBeat they refer to a later article from Intel in which they downplay the performance impacts, suggesting that the performance impact will be small: up to 3% without disabling hyper-threading, and up to 8-9% with hyper-threading disabled, though included charts show tinier changes using the latest, high-end Intel Core i9-9900K processors.
Intel also suggest that disabling hyper-threading isn’t really necessary for some users: consequently, unless it’s necessary for a given customer’s workloads and security environment, it says that it’s “not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”
MacRumors also report that an Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios.
The Apple security update is also available for Sierra and High Sierra Mac operating systems in the Security Update 2019-003, so check your Apple Updates in the App Store and Mojave users should update to 10.14.5 and Sierra and High Sierra users should use the Security Update 2019-003. Note that iPhones, iPads and Apple Watch devices aren’t affected by the bugs, because Arm processors are not affected by this vulnerability.
AppleInsider have now posted a new article regarding the 40% performance hit claims probably won’t affect most users.
“Unless the Mac is being used for highly secretive tasks, the user is a potential subject for hacking attempts by a sophisticated bad actor, or some other value-based reason, there isn't really a need to turn on the full mitigation. A source of AppleInsider within Apple corporate not authorized to speak on behalf of the company advised "The Mojave patch from Monday has robust protections for MDS vulnerabilities. If users feel that they are at a high-risk for related attacks, we've enabled the ability to turn off hyper-threading in total in Mojave, Sierra, or High Sierra." Unless you are a journalist investigating a rogue government's corruption, a person of interest to agents of espionage, dealing with state secrets, or something on a similar level, there is not really any benefit to using the full mitigations and sacrificing your Mac's performance. To nearly all of our readers, the update with fixes in Safari should be enough as it is to alleviate worries without going further.
Jeff Jones, a senior director at Microsoft, said that they have been “working closely with affected chip manufacturers to develop and test mitigations [for their customers]. We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips.”
Microsoft has already been pushing many of the microcode updates through Windows Update, but they are also available from their website. Microsoft has guidance for how to protect against the new attacks.
Microsoft has also announced that Azure customers are already protected.
In the recent article from AppleInsider, they also state that…
“Disabling Hyper-Threading will have the same impact on Windows systems too —which is why Microsoft doesn't advise it.”
Google has confirmed it has released patches to mitigate against ZombieLoad and a spokesperson for Amazon has confirmed its cloud service Amazon Web Services has been updated to prevent attacks.
It is good to see speedy responses to this latest vulnerability, coming from all the key players, and we can expect better solutions to follow as they develop better fixes.