There’s a new speculative execution vulnerability that impacts Mac devices. And like past vulnerabilities in the same vein, it has a scary-sounding name: ZombieLoad.
But it’s easy to get lost in the media whirlwind covering ZombieLoad, particularly since you may not know how or why it could be dangerous to you.
With that in mind, here is everything you need to know about ZombieLoad and other speculative execution vulnerabilities — including how to protect yourself.
What is ZombieLoad?
ZombieLoad, or the Microarchitectural Data Sampling (MDS) vulnerability, is a serious security flaw discovered in Intel’s processor architecture. More specifically, it’s a speculative execution vulnerability — much like the similarly named Spectre and Meltdown security flaws discovered in 2018.
Speculative execution vulnerabilities like ZombieLoad take advantage of flaws in processor architecture. They’re not software flaws.
Worse still, they exploit specific mechanisms and components within computer hardware that were deliberately designed to make computers faster. Because of that, protecting against them fully can reduce CPU performance.
ZombieLoad, for example, works by loading a large set of junk or “zombie” data into a processor. The processor must then pull additional resources to handle the load, which can lead to data leakage.
Still, it’s a serious security hole and you should take steps to patch it as soon as possible — especially if you deal with sensitive data.
How can ZombieLoad affect you?
Speculative execution vulnerabilities are dangerous because they can compromise or leak your private data.
Because of the processor architecture they exploit, ZombieLoad and similar vulnerabilities can allow an attacker to access any data stored in system memory.
That could include data like passwords and email addresses. It could also include extremely sensitive information like financial data or social security numbers.
The researchers who discovered ZombieLoad put together a proof-of-concept attack demonstrating what the flaw is capable of. The video shows how an attacker could see each and every website a user is visiting.
That means sensitive data like cryptographic keys, security tokens and passwords could also be harvested from a user.
Which devices does ZombieLoad affect?
ZombieLoad and other speculative execution vulnerabilities are dangerous because of their scope. ZombieLoad, specifically, impacts every single device with an Intel CPU made in 2011 or later.
The flaw is operating system agnostic, meaning that it can affect devices running Windows, Linux, macOS, or even specialized operating systems.
As for which Mac devices are impacted, Apple notes that ZombieLoad affects every Mac device made after 2011. That includes MacBooks, iMacs, Mac minis and the Mac Pro.
What about older machines?
Luckily for users of Macs made before 2011, ZombieLoad can’t affect those computers. But the Intel processors within 2010 and earlier Macs could still be prone to speculative execution vulnerabilities in the future.
And, unfortunately, because Intel has been lagging behind on releasing microcode updates to those processors, Apple isn’t going to be able to patch those vulnerabilities if and when they are found.
How to protect yourself from ZombieLoad
Luckily, Apple was already ahead of the game when news of ZombieLoad broke this week. The company has issued a variety of software patches that feature mitigations against the speculative execution vulnerability.
That includes a software patch in macOS 10.14.5, as well as supplementary security updates for users still running macOS High Sierra and macOS Sierra.
You should download macOS 10.14.5 as soon as possible. There are also Security Update 2019-003 software patches for both High Sierra and Sierra.
Patch contents & limitations
But that patch only applies to Safari. If you use another web browser, like Google Chrome or Mozilla Firefox, you’ll need to implement fixes for those platforms.
While Firefox is currently working on a patch, Google Chrome has stated that its fix isn’t going to do anything against ZombieLoad. Because of that, Chrome advises users to rely on operating system-based security measures.
Because Chrome doesn’t currently have a fix, we recommend that users switch to Safari if they deal with sensitive or confidential data.
Other security techniques
Malicious website code isn’t the only way that ZombieLoad can target your Mac. Apps installed on your computer can also take advantage of the vulnerability.
While you must knowingly download apps to macOS, there is always the chance that attackers could leverage social engineering techniques to trick you into downloading malware.
That isn’t going to be a problem for most macOS users. But, again, if you’re particularly security conscious, we recommend only downloading apps from the official Mac App Store or from developers that you absolutely know you can trust.
Apple also has another technique that can fully protect Mac users against the ZombieLoad vulnerability. Apple calls it full mitigation and has published a support document detailing the tactic.
Full mitigation does away with the ZombieLoad threat, but it’s not without its disadvantages. For some users, full mitigation could mean a performance reduction as high as 40 percent.
That’s because full mitigation requires that users disable hyper-threading on their Intel processors. That increases the protection against speculative execution vulnerabilities, but it could also severely impact speed.
But it’s still the safest way to go about handling data if you’re in a high-risk environment. That includes if you use web browsers that don’t currently have a fix available.
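To check where a given Mac stands against the two measures described above (the patched releases and disabled hyper-threading), the following Terminal script is an added example and not Apple's or the article's own code. The function names are hypothetical, releases newer than 10.14.5 are assumed to include the fix, and it relies on the standard macOS `sw_vers` command and the `hw.physicalcpu` / `hw.logicalcpu` sysctl keys.

```shell
#!/bin/sh
# Added example: ZombieLoad patch level and hyper-threading state on a Mac.
# Thresholds come from the article: macOS 10.14.5, or Security Update
# 2019-003 on High Sierra (10.13) and Sierra (10.12).

# version_ge A B: succeeds when dotted version A >= B (first three fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# patch_status VERSION: classify a macOS version string.
# Assumption: anything newer than 10.14.5 carries the same mitigations.
patch_status() {
    if version_ge "$1" 10.14.5; then
        echo patched
    elif version_ge "$1" 10.14; then
        echo update-to-10.14.5
    elif version_ge "$1" 10.12; then
        # The version number alone cannot show whether the security
        # update is installed; check Software Update history.
        echo verify-security-update-2019-003
    else
        echo no-patch-listed
    fi
}

# smt_status PHYSICAL LOGICAL: more logical than physical cores means
# hyper-threading is active, so full mitigation is not in effect.
smt_status() {
    if [ "$2" -gt "$1" ]; then
        echo hyper-threading-on
    else
        echo hyper-threading-off-or-absent
    fi
}

# Only query the live system when actually running on macOS.
if [ "$(uname -s)" = Darwin ]; then
    echo "patch: $(patch_status "$(sw_vers -productVersion)")"
    echo "smt:   $(smt_status "$(sysctl -n hw.physicalcpu)" "$(sysctl -n hw.logicalcpu)")"
fi
```

A result of `hyper-threading-on` alongside `patched` means the software mitigations are present but the full mitigation is not enabled.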
Mike is a freelance journalist from San Diego, California.
While he primarily covers Apple and consumer technology, he has past experience writing about public safety, local government, and education for a variety of publications.
He’s worn quite a few hats in the journalism field, including writer, editor, and news designer.