ZombieLoad Attacks May Affect All Intel CPUs Since 2011: What to Do Now
Update 5:42 pm ET: Apple posted a support page with instructions on how to disable hyper-threading to fully protect your Mac from ZombieLoad, but warned that doing so could decrease performance by up to 40%. For more information, read our guide on how to disable the feature.
There's a good chance your laptop is powered by an Intel CPU. If so, then you'll need to update your computer immediately, after a class of vulnerabilities was discovered that allows attackers to steal data directly from your processor.
The so-called ZombieLoad bug and three related vulnerabilities were unearthed by some of the same researchers who brought the critical Spectre and Meltdown flaws into the spotlight, and it shares many similarities to those bugs.
ZombieLoad and its kin affect every Intel processor made since 2011, which means all MacBooks, a large majority of Windows PCs, most Linux servers and even many Chromebooks are in the crosshairs. The bugs can even be used on virtual machines in the cloud. But AMD and ARM chips do not appear to be affected by these latest flaws.
Intel, which calls this set of flaws Microarchitectural Data Sampling, or MDS, says select 8th Gen and 9th Gen CPUs are already protected against the flaw, and that all future CPUs will include hardware mitigation. (The researchers who discovered the flaws disagree with Intel and insist those chips are still affected.)
"Microarchitectural Data Sampling (MDS) is already addressed at the hardware level in many of our recent 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable Processor Family," Intel said in an official statement.
How the Attacks Work
Like Spectre, Meltdown and several other flaws discovered since, these four new distinct attacks -- called ZombieLoad, Fallout, RIDL and Store-to-Leak Forwarding -- exploit weaknesses in a widely used feature called "speculative execution," which is used to help a processor predict what an app or program will need next in order to improve performance.
The processor speculates, or tries to guess, which requests for operations it will receive in the near future (i.e, the next few milliseconds). The processor carries out, or executes, those operations before they are requested in order to save time when the requests are actually made.
The problem is that by carrying out operations before they are actually needed, the CPUs put the results of those operations -- i.e., data -- in their own short-term memory caches. In various ways, Spectre, Meltdown and these latest four flaws all permit attackers to read that data directly from the processor memory caches. There's a technical breakdown of the four new attacks here.
An alarming proof-of-concept video shows how the ZombieLoad exploit can be executed to see which websites a person is viewing in real time. The vulnerabilities also open the door for attackers to nab passwords, sensitive documents and encryption keys directly from a CPU.
"It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them," Cristiano Giuffrida, a researcher at Vrije Universiteit Amsterdam who was part of the teams that discovered the MDS attacks, told Wired. "We hear anything that these components exchange."
Credit: Michael Schwartz/Twitter
Update Right Now
There is some good news. Intel, Apple, Google and Microsoft have already issued patches to fix the flaws. So have many makers of Linux distributions. But you're not out of danger until you've updated all of your Intel-based devices and their operating systems, which we strongly recommend doing right away. Read our guide on how to check for updates on your Mac or follow these steps to update your Windows 10 PC.
Intel admitted that the most recent security patches will impact CPU performance by up to 3% on consumer devices and up to 9% on data-center machines, and Google is disabling hyper-threading (a method that splits cores to increase performance) in Chrome OS 74 to mitigate the security risks. But don't let that dissuade you from manually forcing the update.
Apple posted a support page explaining that the only way to fully mitigate the flaw is to disable hyper-threading, but that by doing so, you risk decreasing system performance by a staggering 40%, according to internal testing. Most people won't need to take such extreme measures to protect their computers, but certain at-risk users, like government employees and business executives, might want want to take the precaution. If you fall into these groups or want extra reassurance, read our guide on how to disable hyper-threading on macOS (for Mojave, High Sierra and Sierra).
Unfortunately, researchers believe that vulnerabilities related to speculative execution will continue to surface far into the future. We can only cross our fingers that these flaws are quickly patched, but once they are, it's up to you to make sure your devices have all been updated to the latest, most secure versions.
- Meltdown and Spectre: How to Protect Your PC, Mac and Phone
- What Is a TPM? How This Chip Can Protect Your Data
- 9 Tips to Stay Safe on Public Wi-Fi