Yet another vulnerability has been discovered in Intel processors, this time affecting chips dating back to 2011. The vulnerability, named ZombieLoad, belongs to the same family as Spectre and Meltdown and is similarly serious: it affects desktops and laptops using Intel processors, and also cloud servers and the virtual machines running on them. That last point is an obvious threat to customers of cloud computing services, where isolation from other customers’ virtual machines is critical.
The vulnerability is part of a class of CPU attacks, brought to light by Spectre and Meltdown, known as transient execution attacks (PDF). Such attacks exploit speculative execution, a feature of modern processors that lets the CPU run instructions before it knows for certain that they are needed, for example by guessing which way a branch will go and executing the likely path ahead of time. If the guess is correct, the work is already done and performance is noticeably improved. If the guess is wrong, the results are thrown away, but the discarded (“transient”) instructions leave traces in the processor’s internal state, most usefully in the cache, and an attacker can measure those traces to recover data the transient instructions touched. ZombieLoad, which Intel groups under the name Microarchitectural Data Sampling (MDS), works this way: a load that faults or needs special handling transiently receives stale data left in the CPU’s internal buffers by whatever else recently ran on that core, and the attacker encodes that data into the cache before the CPU discards it.
Normally, applications are prevented from reading data belonging to other processes running on the CPU. Transient execution attacks show that it is possible, not just in theory but in practice, for an application to leak data across processes, across privilege boundaries, between the two Hyper-Threads of a core and between virtual machines. What this means for the user is that a malicious application could use this vulnerability to read sensitive data from another application or process: passwords, encryption keys, browser history and website content. The researchers who discovered the vulnerability have released a video demonstrating exploitation of this vulnerability to expose browser history in real time.
Apple has released an update to macOS Mojave (10.14.5) which introduces fixes for ZombieLoad. The update also allows users to optionally enable “full mitigation” protection, which disables the Hyper-Threading feature of Intel CPUs so that untrusted code can no longer share a core with sensitive code. Unfortunately, Apple has stated that this may incur a performance penalty of up to 40% for multithreaded applications. Apple therefore recommends full mitigation only for customers at “heightened risk”, or those who run untrusted applications on their Mac. Concerned users can find details of how to enable this mitigation feature here. Even without full mitigation enabled, Apple’s update prevents malicious JavaScript from exploiting the ZombieLoad vulnerability via Safari.
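The following shell script is an added example, not code from the original post and not Apple’s own tooling, that checks whether full mitigation appears to be active on a Mac. It assumes that disabling Hyper-Threading makes the active logical CPU count (`sysctl hw.logicalcpu`) equal the physical core count (`hw.physicalcpu`), and that Apple’s documented procedure sets two NVRAM variables, `boot-args="cwae=2"` and `SMTDisable=%01`, which `nvram -p` prints as tab-separated name/value lines; confirm both against Apple’s support article before relying on them.

```shell
#!/bin/sh
# Added example, not Apple's tooling or the original post's code.
# Reports whether macOS 10.14.5's optional "full mitigation" for ZombieLoad/MDS
# appears to be active on this Mac.
#
# Assumptions (verify against Apple's support article on full mitigation):
#  - full mitigation disables Hyper-Threading, so the active logical CPU count
#    (sysctl hw.logicalcpu) drops to the physical core count (hw.physicalcpu);
#  - Apple's procedure sets two NVRAM variables, boot-args="cwae=2" and
#    SMTDisable=%01, which `nvram -p` prints as "name<TAB>value" lines.

# Classify Hyper-Threading state from core counts. Pure function so it can be
# exercised on any system; equal counts alone do not prove the mitigation,
# because some Intel parts have no Hyper-Threading to begin with.
smt_state() {
    physical=$1
    logical=$2
    if [ "$physical" -le 0 ] || [ "$logical" -le 0 ]; then
        echo "unknown"
    elif [ "$logical" -gt "$physical" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Extract the mitigation-related variables from the text of `nvram -p`.
# Prints the variables found, or "none".
mitigation_flags() {
    nv=$1
    found=""
    if printf '%s\n' "$nv" | grep -q '^boot-args[[:space:]].*cwae=2'; then
        found="cwae=2"
    fi
    if printf '%s\n' "$nv" | grep -q '^SMTDisable[[:space:]]*%01'; then
        found="${found:+$found }SMTDisable=%01"
    fi
    echo "${found:-none}"
}

# Combine both observations into a verdict. NVRAM changes only take effect at
# the next boot, so "variable set but Hyper-Threading still on" is possible.
mds_verdict() {
    state=$1
    flags=$2
    case "$state/$flags" in
        disabled/*SMTDisable*) echo "full mitigation active" ;;
        enabled/*SMTDisable*)  echo "SMTDisable set but Hyper-Threading still on: reboot required" ;;
        enabled/*)             echo "full mitigation NOT active (Hyper-Threading enabled)" ;;
        *)                     echo "inconclusive: compare with Apple's instructions" ;;
    esac
}

# Live report, only on macOS; on other systems the functions above can still
# be called directly.
if [ "$(uname -s)" = "Darwin" ]; then
    phys=$(sysctl -n hw.physicalcpu)
    logi=$(sysctl -n hw.logicalcpu)
    state=$(smt_state "$phys" "$logi")
    flags=$(mitigation_flags "$(nvram -p 2>/dev/null)")
    echo "macOS $(sw_vers -productVersion): $phys physical cores, $logi active logical CPUs"
    echo "Hyper-Threading: $state; NVRAM mitigation variables: $flags"
    mds_verdict "$state" "$flags"
fi
```

Run it as an ordinary user; reading NVRAM and the CPU counts does not need root. The core-count check on its own is not conclusive, since a Mac whose CPU never had Hyper-Threading will also report equal counts, which is why the script cross-checks the NVRAM variables that Apple’s procedure sets.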
At the time of writing, no code which actively exploits this vulnerability has been seen in the wild, and the researchers involved have not released their exploit code. Average users are therefore unlikely to be affected by ZombieLoad at this moment in time. However, since malicious JavaScript hosted on a website could in principle exploit ZombieLoad, and since keeping your system patched is basic security practice, we recommend that Mojave users install Apple’s 10.14.5 update. Better yet, enabling automatic updates will allow security fixes such as this to be delivered to your Mac with minimal user input. As always, we recommend only installing applications from trusted sources and conducting regular scans with ClamXAV.