Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

New 'ZombieLoad' Vulnerability Affects Intel Chips Dating Back to 2011, Apple Released Patch in macOS 10.14.5 [Updated]

lightning finge

macrumors newbie
Oct 31, 2008
7
6
macOS 10.14.4, and the check says I'm upto date, :mad:

Manage to get it to see the update after 5 mins, now 10.14.5 ;)

Apple go ARM all in, intel x86 and x64 have reached the limit, the CISC is proving to be a thorn in its side preventing it to make it into smartphones and other issues

RISC has been proven the right choice after all, and ARM invented by Acorn a UK company will go down in history inventing the CPU that runs the world, and others like Intel, MOS, Motorola, Zilog tried but in the end they can only be one ARRRRRMMMM

have you never heard of RISCV? its coming, you'll see.
arm don't own the RISC concept.
 
Comment

smirking

macrumors 68030
Aug 31, 2003
2,626
2,291
Silicon Valley
For backward compatibility reason I still wish Mac would stick to x86, and would be nice if they use Ryzen or EPYC for Mac.

Totally unrelated train of thought coming down the tracks here... What you said reminded me of how old Atari ST computers handled software compatibility with Macs. You could get emulators that plugged into the cartridge port that would allow you to run Mac software if you had Mac ROMs to plug into the cartridge.
 
Comment

GordonGekko999

macrumors 6502
Mar 6, 2009
386
63
I'm glad that you can optionally enable full mitigation. I'd rather run at maximum speed with issues, since these attacks don't really affect my home machines at all.

Can someone explain to the amateurs what is the actual threat, the Macrumors article failed to report how these security holes could be exploited. I realize it is all theory since no known exploits are in the wild but how could the hackers utilize this?

Do they need physical access to our home computers? Do we need to click a link? Please further explain, thank you.
 
Comment

gnasher729

macrumors P6
Nov 25, 2005
17,391
4,621
A 2010 Mac Mini running El Capitan is looking pretty good right about now
From theregister.com: "Unfortunately for Apple customers with older Macs, Intel has not made microcode fixes available for Mac models from 2010 or earlier.". It's not that you don't need to patch the problem, it's that you can't.
[doublepost=1557909840][/doublepost]
Can someone explain to the amateurs what is the actual threat, the Macrumors article failed to report how these security holes could be exploited. I realize it is all theory since no known exploits are in the wild but how could the hackers utilize this?

Do they need physical access to our home computers? Do we need to click a link? Please further explain, thank you.
They don't need physical access, but they need to run code on your computer. If you have a Mac used by a single user, and a hacker can run his software under that user, then all data of that user is compromised, with or without that attack. So your risk hasn't really increased - if a hacker can run their code on your single user Mac, anything that is important to you is at risk anyway.

What this attack adds is that _other_ users on the same machine are also compromised. So if your kids download software that they shouldn't in _their_ user account, it's not just their account that is compromised, it's yours as well.

But where it is really bad is for servers. You may have a server with ten virtual machines running. These virtual machines should be safe from each other. If one installs malware on one virtual machine, then obviously that machine is compromised but the other nine would be fine. With this exploit, they are all compromised. And if ten people installed virtual machines on the server, there is the risk that one of them actually installs this on their machine intentionally.

PS. "Run code on your computer" happens when you run JavaScript in your browser. So Apple has some specific code in the browser to stop this from happening. All these exploits rely on extremely precise timing, and Apple interferes with that timing when running JavaScript.
 
  • Like
Reactions: Val-kyrie
Comment

pika2000

Suspended
Jun 22, 2007
5,587
4,899
I’m sure internally, Apple couldn’t wait to dump intel. From late delivery of chipsets, tick tick tock product cycle, the recent modem debacle, and now this, Apple is probably counting down their days with intel. Luckily for intel Tim Cook seems to be a more diplomatic CEO. Jobs probably would’ve shoehorned Apple’s own Ax chip on Macs quite early just to piss at intel (just like how they adopted the early 32-bit only intel core Duo chips to transition from power PC).
 
  • Like
Reactions: Val-kyrie
Comment

gnasher729

macrumors P6
Nov 25, 2005
17,391
4,621
So, anything older than 2011 are safe?

No. Everything older than 2011 cannot be patched.
[doublepost=1557910168][/doublepost]
Not really. This, like Spectre and Meltdown, are Intel specific. You can get a modern CPU without these vulnerabilities. Not in a Mac, but you can get Windows and Linux computers running on ARM, and pretty much anything that isn't a laptop, desktop, or server is going to be using ARM.
The exact exploits don't work on ARM. Doesn't mean ARM doesn't have similar problems, only that nobody has publicly demonstrated them.
 
Comment

cerberusss

macrumors 6502a
Aug 25, 2013
919
357
The Netherlands
As a CPU designer who formerly had to compete with Intel

Did you work on PC hardware meant for consumers? Or was it for more specialized embedded stuff?

Also, I often wonder whether Intel is solely to blame here. Shouldn't kernel developers have started to get suspicious about this kind of stuff as well?
 
Comment

LordVic

macrumors 603
Sep 7, 2011
5,561
12,091
Time to switch to Ryzen I think...

While I've done this at home,

as someone who runs a bank data centre? This is just not something that's terribly reasonable right now. Though, would be a nice.

But holy crap, Intel. WHUT R U DOIN. we cannot afford to have constant security holes, nevermind 15-20% reported data centre performance hits from this fix.
 
Comment

cmaier

macrumors Core
Jul 25, 2007
19,717
20,639
California
Did you work on PC hardware meant for consumers? Or was it for more specialized embedded stuff?

Also, I often wonder whether Intel is solely to blame here. Shouldn't kernel developers have started to get suspicious about this kind of stuff as well?

I worked at AMD.
[doublepost=1557925102][/doublepost]
But what is the likelihood of similar, as-of-yet undiscovered flaws in the ARM (and/or AMD) architecture, I wonder?

Slim. This current threat seems to rely on hyperthreading.
 
Comment

BlargKing

macrumors 6502
Apr 17, 2014
469
821
NewBrunswick, Canada
While I've done this at home,

as someone who runs a bank data centre? This is just not something that's terribly reasonable right now. Though, would be a nice.

But holy crap, Intel. WHUT R U DOIN. we cannot afford to have constant security holes, nevermind 15-20% reported data centre performance hits from this fix.

Yeah the last year theres been all these security issues mostly with Intel CPUs, and a lot of the time it affects almost a decades worth of CPUs. Doesn't give me much faith that if I upgrade with another Intel CPU that there won't be issues in the future. Ryzen is 90% of the performance of a similar Intel CPU at 50% of the price. Theres not much good argument for buying an Intel CPU as a consumer or even prosumer right now.
 
  • Like
Reactions: iAssimilated
Comment

LordVic

macrumors 603
Sep 7, 2011
5,561
12,091
Yeah the last year theres been all these security issues mostly with Intel CPUs, and a lot of the time it affects almost a decades worth of CPUs. Doesn't give me much faith that if I upgrade with another Intel CPU that there won't be issues in the future. Ryzen is 90% of the performance of a similar Intel CPU at 50% of the price. Theres not much good argument for buying an Intel CPU as a consumer or even prosumer right now.

I've moved AMD at home a little while back (only way to get 8 cores for reasonable price)

But work/office/datacentre is really not so easy. Such infrastructure upgrades are few and far between and are extremely costly. In addition, server / infrastructure vendors don't seem to want to provide many options for AMD.

Then there's potential compatibility issues with AMD vs INtel. While rare, can severely hamper a migration off Intel.

last year I upgraded our core database application server. There were no reasonable AMD offerings that suited the requirements from our vendors. In addition, our DB engine platform told me "we don't validate on AMD so use at own risk"... which is unfortunately something I cannot risk given the nature of our business.

But for home users? Right now I build and recommend AMD options. The only time I can really recommend current Intel lineup is if you're looking for the absolutely maximum and 100% best throughput (or at least up till these bugs get patched).

For gaming for example, AMD is what? 90% of the performance for 50% the cost? or somthing similar. But if you NEED that 10% difference for some reason. Intel is still the best option.
 
Comment

Blackwell

macrumors member
May 10, 2012
91
99
Northern California
Not really. This, like Spectre and Meltdown, are Intel specific. You can get a modern CPU without these vulnerabilities. Not in a Mac, but you can get Windows and Linux computers running on ARM, and pretty much anything that isn't a laptop, desktop, or server is going to be using ARM.

So weird that Macs, once the only place you could escape from Intel to, are now the only place where you're forced to use Intel.

I love my Raspberry Pi.
My server is powered by Raspberry Pi - very happy!
 
  • Like
Reactions: ArtOfWarfare
Comment

Woochoo

macrumors 6502
Oct 12, 2014
456
305
(Then let’s consider the cost.)

Ryzen is already way cheaper in every tier (2-4-8-16 cores). With the IPC increase that leaks put it around 10-13% plus clock speed increase, Ryzen will have better single core performance (the only lead Intel had till now).

At this point I can say for sure FU Intel, I'm building my next tower with Zen 2.

Edit: oh, forgot to mention the bribe try Intel pulled to make VU University Amsterdam hide all this stuff instead of making it public. I see intel hasn't change that much since they were bribing OEMs to only use their CPUs instead of AMD's ones.
 
Comment

GordonGekko999

macrumors 6502
Mar 6, 2009
386
63
From theregister.com: "Unfortunately for Apple customers with older Macs, Intel has not made microcode fixes available for Mac models from 2010 or earlier.". It's not that you don't need to patch the problem, it's that you can't.
[doublepost=1557909840][/doublepost]
They don't need physical access, but they need to run code on your computer. If you have a Mac used by a single user, and a hacker can run his software under that user, then all data of that user is compromised, with or without that attack. So your risk hasn't really increased - if a hacker can run their code on your single user Mac, anything that is important to you is at risk anyway.

What this attack adds is that _other_ users on the same machine are also compromised. So if your kids download software that they shouldn't in _their_ user account, it's not just their account that is compromised, it's yours as well.

But where it is really bad is for servers. You may have a server with ten virtual machines running. These virtual machines should be safe from each other. If one installs malware on one virtual machine, then obviously that machine is compromised but the other nine would be fine. With this exploit, they are all compromised. And if ten people installed virtual machines on the server, there is the risk that one of them actually installs this on their machine intentionally.

PS. "Run code on your computer" happens when you run JavaScript in your browser. So Apple has some specific code in the browser to stop this from happening. All these exploits rely on extremely precise timing, and Apple interferes with that timing when running JavaScript.

Thank you for responding, but what are the most likely ways for an attacker to run code on your computer, is it still the traditional ways one can be infected by malware?
 
Comment

JamieLannister

macrumors 6502
Jun 10, 2016
377
972
This is why Apple must ditch Intel CPU as soon as possible.

Lol, and go with what cpu? It's not that simple. You have contract obligations and millions of current intel spec'ed hardware to support. You don't just go ok, I'll go with your competition instead. We're not talking about a few hundred PC's.

If they were to migrate away from Intel CPU hardware, Tim Crook would've had this in his "upcoming pipeline" ages ago. The fact these hardware flaws keep showing up for Intel CPU's tells you how badly designed Intel CPU's are in general.

I would take a processor that is a bit slower than a fast one that has constant new exploits being found any day. This would hurt the server business more than any consumer cpu upgrade. If they are business smart they would contract out with AMD (lower cost contracts vs intel) and I'm sure you would also get lower thermals than these constant throttling Intel CPU garbage.

But we have a bean counter at the helm and so we end up here today with a half performance laptop for 2x the price all thanks to Intel.
 
Comment

mavericks7913

Suspended
May 17, 2014
812
281
Lol, and go with what cpu? It's not that simple. You have contract obligations and millions of current intel spec'ed hardware to support. You don't just go ok, I'll go with your competition instead. We're not talking about a few hundred PC's.

If they were to migrate away from Intel CPU hardware, Tim Crook would've had this in his "upcoming pipeline" ages ago. The fact these hardware flaws keep showing up for Intel CPU's tells you how badly designed Intel CPU's are in general.

I would take a processor that is a bit slower than a fast one that has constant new exploits being found any day. This would hurt the server business more than any consumer cpu upgrade. If they are business smart they would contract out with AMD (lower cost contracts vs intel) and I'm sure you would also get lower thermals than these constant throttling Intel CPU garbage.

But we have a bean counter at the helm and so we end up here today with a half performance laptop for 2x the price all thanks to Intel.

lol Apple is already preparing for the migration from Intel to ARM for laptop series. AMD Ryzen is available so I have no idea what you are talking about. Both of them are x86 and already compatible.
 
Comment

LordVic

macrumors 603
Sep 7, 2011
5,561
12,091
lol Apple is already preparing for the migration from Intel to ARM for laptop series. AMD Ryzen is available so I have no idea what you are talking about. Both of them are x86 and already compatible.
AMD wouldn't be a terrible choice overall to migrate to to keep x86 either. Apple is already using AMD GPU's. A move to AMD APU would bring consistency, and performance
 
Comment

Sabelonada

macrumors 6502
Aug 1, 2018
289
237
I worked at AMD.
[doublepost=1557925102][/doublepost]

Slim. This current threat seems to rely on hyperthreading.
What is the difference between the AMD and Intel implementations that makes Intel vulnerable?
 
Comment

cmaier

macrumors Core
Jul 25, 2007
19,717
20,639
California
What is the difference between the AMD and Intel implementations that makes Intel vulnerable?

We never had hyperthreading. When you have hyperthreading, you have a single core that pretends to be multiple cores. But to do that you have to switch back and forth between different threads. When you do that, you leave behind partial results from the old thread in various internal memory structures (buffers, registers, etc.). I don’t yet know the details of this new exploit, but it seems to me that if you aren’t careful, you can give away information from one thread to another because of this. Even if you are careful about zero’ing out these structures between threads, you can still give away information using side-channels. For example, a particular operation in thread B may complete 1 cycle faster if the last instruction run in thread A produced a positive number. Etc.

If instead of hyperthreading you have separate structures for each thread, you aren’t as efficient but you have very clean interfaces that you can guard between the threads.
 
Comment

mavericks7913

Suspended
May 17, 2014
812
281
lol Apple is already preparing for the migration from Intel to ARM for laptop series. AMD Ryzen is available so I have no idea what you are talking about. Both of them are x86 and already compatible.

Yeah, AMD can provide more cores and similar clock speed after 3rd gen release. Since Apple can optimize any parts, using AMD CPU wouldn't be a problem. Thunderbolt interface is the only issue.
 
Comment

mannyvel

macrumors 6502a
Mar 16, 2019
636
1,041
Hillsboro, OR
If instead of hyperthreading you have separate structures for each thread, you aren’t as efficient but you have very clean interfaces that you can guard between the threads.

From reading about all of these issues (from spectre/meltdown to now), it seems that Intel basically ignored access control while performing speculative execution for performance reasons. To me it looked like a design decision, because the speed loss of the mitigations basically removes the SE performance bump...and at that point what's the point of SE?

If anything, it shows that there's a definite market split between fast and insecure vs slower and more secure. My machines are basically single-user, so fast and insecure is fine (i3/i5/i7/i9). Server side (Xeons etc) need the more secure versions...or some server-side systems need more secure CPUs (VM) and some need less (DB).
 
  • Like
Reactions: Val-kyrie
Comment

cmaier

macrumors Core
Jul 25, 2007
19,717
20,639
California
From reading about all of these issues (from spectre/meltdown to now), it seems that Intel basically ignored access control while performing speculative execution for performance reasons. To me it looked like a design decision, because the speed loss of the mitigations basically removes the SE performance bump...and at that point what's the point of SE?

If anything, it shows that there's a definite market split between fast and insecure vs slower and more secure. My machines are basically single-user, so fast and insecure is fine (i3/i5/i7/i9). Server side (Xeons etc) need the more secure versions...or some server-side systems need more secure CPUs (VM) and some need less (DB).

In the end the problem will always be that if you are maximally efficient you inevitably leak information through side channels. I think back, for example, to a multiplier I designed. I designed it so it always took as few pipeline cycles as possible. That meant that depending on what you were multiplying, it might take 3, 4 or 5 cycles. Taking the minimum time necessary is good for performance. But doing that always leaks information - every time I multiply I can tell a little bit about the arguments to the multiplication without seeing the result. It’s a fairly harmless example (i hope), but that kind of thing is everywhere in CPU design. Access control can work perfectly well, but if I can time how long it takes for a thread to switch, and repeat that a billion times, eventually I can derive the private key. Etc.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.