When security researchers disclosed a series of major vulnerabilities impacting Intel processors back in January 2018, it was clear that “Meltdown” and “Spectre” were indeed serious — and wouldn’t be the only exploits of multi-threading chips. Now a new Intel chip vulnerability nicknamed “ZombieLoad” has been revealed to the public, and though it’s already being patched by three major operating system makers, there’s some bad news: full protection could reduce your CPU’s performance by up to 40%.
Referred to by the more technical name “Microarchitectural Data Sampling,” the ZombieLoad exploit enables an attacker to access privileged data across trust boundaries. In a cloud hosting environment, it could enable one virtual machine to improperly access information from another; researchers also showed that it could be used for app surveillance and password acquisition. The vulnerability broadly impacts operating systems that run on Intel chips, including Android, Chrome, Linux, macOS, and Windows.
In a just-published support document, Apple suggests that full ZombieLoad mitigation will require Intel chip users to disable Intel’s hyper-threading processing feature — a major selling point of the chipmaker’s CPUs. During testing this month, Apple says that it found “as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks,” though actual performance impacts will vary between machines.
Because of that steep performance drop, Apple has implemented a partial mitigation in macOS Mojave 10.14.5, leaving users to decide whether they want to disable hyper-threading for full protection. If so, the support document provides Terminal commands to turn the feature off and on, notably including a requirement that the machine boot in recovery mode to disable the chip feature.
Google and Microsoft (via TechCrunch) have also started the process of patching their Intel-based operating systems. In Google’s case, Chrome OS devices have already received some protections and will receive more in the next OS release; Intel-only Android devices are rare, but will receive OS patches once device makers deploy them. Microsoft is releasing patches for Windows today, and has already protected Azure users. Some microcode processor updates will come from Microsoft directly, and others from device makers.
The ZombieLoad issue was apparently disclosed to Intel one month ago, and impacts all Intel processors produced since 2011. Chips from AMD and ARM are not believed to be susceptible to this flaw. According to vendors, there are no known real-world exploits of the vulnerability at this point, though the researchers simply say that they don’t know if it’s been abused in the wild.
Update at 12:45 p.m. Pacific: An Intel page discussing the vulnerabilities downplays the performance impacts, suggesting that the performance impact is small: up to 3% without disabling hyper-threading, and up to 8-9% with hyper-threading disabled, though included charts show tinier changes using the latest, high-end Intel Core i9-9900K processors.
Intel underscores that disabling hyper-threading isn’t really necessary for some users: consequently, unless it’s necessary for a given customer’s workloads and security environment, it says that it’s “not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”