New 'ZombieLoad' Vulnerability Affects Intel Chips Dating Back to 2011, Apple Released Patch in macOS 10.14.5 [Updated]

Discussion in 'MacRumors.com News Discussion' started by MacRumors, May 14, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Security researchers have discovered a new set of vulnerabilities that affect Intel chips dating back to 2011, including the chips that have been used in Apple devices.

    As outlined by TechCrunch, "ZombieLoad," as it's being called, consists of four bugs that can allow hackers to exploit the design flaws in the chips to steal sensitive information directly from the processor.

    [​IMG]

    These vulnerabilities are as serious as the Meltdown and Spectre vulnerabilities that were discovered in early 2018 and take advantage of the same speculative execution process, which is designed to speed up data processing and performance.

    A white paper shared by notable security researchers (including some who worked on Spectre and Meltdown) offers details on how ZombieLoad functions. [PDF]
    ZombieLoad impacts almost every Intel computer dating back to 2011, but AMD and ARM chips are not affected. A demonstration of ZombieLoad was shared on YouTube, displaying how it works to see what you're doing on your computer. While spying on web browsing is demoed, it can also be used for other purposes like stealing passwords.


    There have been no reports of hackers taking advantage of the ZombieLoad vulnerabilities at this time, and Intel has released microcode for vulnerable processors. Apple addressed the vulnerability in the macOS Mojave 10.14.5 update that was released yesterday and in security patches for older versions of macOS that were also released yesterday.
    An Apple support document on the ZombieLoad vulnerability provides details for "full mitigation" protection that can be enabled for customers with computers at heightened risk or that run untrusted software on their Macs.

    Full mitigation requires using the Terminal app to enable additional CPU instructions and disable hyper-threading processing technology, which is available for macOS Mojave, High Sierra, and Sierra, but not on certain older machines. Apple says full mitigation could reduce performance by up to 40 percent, so most users will not want to enable it.

    According to Intel, its microcode updates will have an impact on processor performance, but for the patch that Apple released in macOS Mojave 10.14.5, there was no measurable performance impact. Apple's fix prevents the exploitation of ZombieLoad vulnerabilities via JavaScript in Safari.
    As mentioned above, customers who enable Apple's full mitigation option will indeed see processor slowdowns because of the need to disable hyper-threading.

    One of the researchers who discovered ZombieLoad, Daniel Gruss, told TechCrunch that ZombieLoad is easier to exploit than Spectre, but more difficult than Meltdown, and that it requires a specific set of skills, which means the average person doesn't need to worry.

    Update: This article previously said that Apple would release a patch, but it has been updated to clarify that Apple addressed the issue in security updates made available to Mac owners yesterday. Customers running Mojave should update to macOS 10.14.5, while customers running older versions of macOS should install any available security updates.

    Article Link: New 'ZombieLoad' Vulnerability Affects Intel Chips Dating Back to 2011, Apple Released Patch in macOS 10.14.5 [Updated]
     
  2. now i see it macrumors 68040

    Joined:
    Jan 2, 2002
    #2
    A 2010 Mac Mini running El Capitan is looking pretty good right about now
     
  3. elvisimprsntr macrumors 6502

    Joined:
    Jul 17, 2013
    Location:
    Florida
    #3
    Still waiting for new silicon from Intel before a new hardware purchase.
     
  4. Bustycat macrumors regular

    Bustycat

    Joined:
    Jan 21, 2015
    Location:
    Kaohsiung, Taiwan
  5. Santabean2000 macrumors 68000

    Santabean2000

    Joined:
    Nov 20, 2007
    #5
    Between all these issues and the delays, I’m just hanging out for A-Series Macs at this point.

    Intel to the curb; Windows be damned.
     
  6. kcslc macrumors member

    Joined:
    Aug 30, 2018
    #6
    My next hardware build will be AMD. Their Zen 2 is just looking way too sweet and only looks better as more issues with Intel pops up. (Then let’s consider the cost.)
     
  7. jclardy macrumors 68040

    jclardy

    Joined:
    Oct 6, 2008
    #7
    With all these speculative execution patches, the iPad Pro is soon to take the lead from the top end MBPs.
     
  8. Bustycat macrumors regular

    Bustycat

    Joined:
    Jan 21, 2015
    Location:
    Kaohsiung, Taiwan
    #8
    Or Apple should just switch to Ryzen.
     
  9. Larsvonhier macrumors 6502

    Larsvonhier

    Joined:
    Aug 21, 2016
    Location:
    Germany, Black Forest
    #9
    Some people have either totally forgotten about what Snowden taught us all or are just feeding the propaganda machine.
    Otherwise, quote "and that it requires a specific set of skills, which means the average person doesn't need to worry" cannot be explained.
     
  10. BGarza macrumors member

    BGarza

    Joined:
    May 11, 2016
    Location:
    San Francisco
    #10
    I wonder if extreme, unusual, and public punishments could help deter these types of hacks. Imagine how people would feel if every other year a new nefarious portal appeared in people’s homes allowing criminals to do as they please. Would it make sense to hire a portal security guard for every home, replace your home each time with a newer model, or just slice off all prized appendages of those found guilty?
     
  11. BittenApple macrumors 6502a

    BittenApple

    Joined:
    Nov 29, 2008
    #11
    Doesn't mean it cant happen on a large scale.
     
  12. BlargKing macrumors 6502

    BlargKing

    Joined:
    Apr 17, 2014
    Location:
    NewBrunswick, Canada
  13. dannyyankou macrumors 604

    dannyyankou

    Joined:
    Mar 2, 2012
    Location:
    Scarsdale, NY
    #13
    I don’t want apple to be dependent on any company. Their A series chips are really best of the best, I’m sure they can make a great PC chip as well.
     
  14. Larsvonhier macrumors 6502

    Larsvonhier

    Joined:
    Aug 21, 2016
    Location:
    Germany, Black Forest
    #14
    You are aware that most of that would apply to your (or my) government "hackers" (so called security agencies) ?
    --- Post Merged, May 14, 2019 ---
    And the correlation to the intel processor "situation" is exactly what?
     
  15. Bustycat macrumors regular

    Bustycat

    Joined:
    Jan 21, 2015
    Location:
    Kaohsiung, Taiwan
    #15
    But almost everything within an Apple device is dependent on other companies.
     
  16. dannyyankou macrumors 604

    dannyyankou

    Joined:
    Mar 2, 2012
    Location:
    Scarsdale, NY
    #16
    But when it comes to the A series chips, while another company manufactures them, apple designs them.
     
  17. MauiPa macrumors regular

    Joined:
    Apr 18, 2018
    #17
    How much of a settlement are we getting from intel? #zombiegate
     
  18. GeoStructural macrumors member

    Joined:
    Oct 8, 2016
    Location:
    Colombia
    #18
    A-series chips are also prone to vulnerabilities, Mac OS is in a yearly increase of malware attacks too. No one is safe nowadays, it is not even about “being careful where you click” anymore, now companies specialize in exploiting every single vulnerability or hole to track, read data or manipulate.

    I don’t think it is Apple’s, Intel’s or Window’s fault anymore, they actually do a good job of trying to be ahead.

    And the believe that iOS is the most secure system is total BS, restrictive yes, but it is just as bit as vulnerable as any other. I hate that apps go through such lengthy “review” process that is just garbage, but there are many in the AppStore tracking us without consent and stealing our information without the geniuses at Apple stopping them.

    Many years ago my app was rejected “because it made no use of iPhone’s features”... and it was approved just after I added a shaking feature, total stupidity, meanwhile apps go through the process with malicious intentions hidden and these guys don’t even know until news go viral and they “act swiftly to remove them”.
     
  19. iReality85 macrumors 6502a

    Joined:
    Apr 29, 2008
    Location:
    Upstate NY
    #19
    Intel just can't catch a break.

    AMD is looking more and more likely for my next PC build in a couple years from now.
     
  20. cmaier macrumors G5

    Joined:
    Jul 25, 2007
    Location:
    California
    #20
    As a CPU designer who formerly had to compete with Intel and it’s hyperthreading microarchitectures, I am retroactively glad we didn’t go that way. It always seemed like sharing buffers between threads opened up way too many opportunities for mischief unless you put in a lot of extra hardware to zero-out every memory structure between context switches, and that would probably eliminate any speed benefit anyway.
     
  21. jonnysods macrumors 603

    jonnysods

    Joined:
    Sep 20, 2006
    Location:
    There & Back Again
  22. ksec macrumors 6502a

    Joined:
    Dec 23, 2015
    #22
    This is a **** show.

    We got Meltdown, Spectre, ForeShadow and now this. I still remember there were lots of warning and questions over Intel's SMT ( Hyperthreading ) when it arrive and they promised everything were FUD.

    By 2019 Xmas, when 10nm arrive on shelf we would be 5 years since Intel launched their 14nm, which was already a year / 6-8 months late depending on how you view it. That is assuming they haven't lie again with 10nm as they have been all the way along.

    They purchased Infineon in 2010 and completed the deal in early 2011, for 5 - 8 years all they had was the pile of crap to show in iPhone 7, iPhone 8 and now iPhone XR...

    Right now I really wish I have nothing to do with Intel. I don't want an iPhone or any Apple products to have a single dollar worth of material going to Intel.

    For backward compatibility reason I still wish Mac would stick to x86, and would be nice if they use Ryzen or EPYC for Mac.
     
  23. dogslobber macrumors 68040

    dogslobber

    Joined:
    Oct 19, 2014
    Location:
    Apple Campus, Cupertino CA
    #23
    Does this mean my 2011 iMac is still vulnerable?
     
  24. maverick28 macrumors regular

    Joined:
    Mar 14, 2014
    #24
    Sure, don't worry. Really, no hacker attacks are known to target this "vulnerability". It's just big daddies want you to move on to new tech sooner than you do. The average person doesn't have to worry, indeed. Except when his devices are made "incompatible".

    P.S. YouTube today started crashing my Safari, released in the late 2016. Certain videos on Vimeo stopped playing despite their minimal requirements which my browser meets. Old, you say? But every other site opens and loads perfectly, and more so it does in more obsolete versions of Chrome which, quite unsurprisingly, is a Google product. Yeah, let's talk about "vulnerabilities".
     
  25. hermes16 macrumors member

    Joined:
    Jan 17, 2019
    #25
    I think Apple will migrate to the ARM before a Ryzen processor.
     

Share This Page

80 May 14, 2019