ZombieLoad: New serious Intel vulnerability
A new serious security vulnerability has been found in Intel processors, which are also installed by Apple.
Daniel Gruss, one of the discoverers of the vulnerability, told TechCrunch that ZombieLoad is easier to exploit than the already known Spectre vulnerability but more difficult than Meltdown. In principle this means for private users: as long as you don’t get any malware on your system you are reasonably safe.
As usual: watch what you download.
ZombieLoad allows other processes to spy out a running program, so for example you can read which passwords you enter in your browser. This is possible because the Hyper Thread method used by Intel, in which running processes share the same processor architectures, is not cleanly separated. All Intel CPUs from 2011 onwards will be affected. All iPhones and iPads will not be affected.
Apple has already released an update for Macs: macOS 10.14.5, which is available since yesterday and should be installed as soon as possible. The microcode of the processor will also be updated. The adjustments are also available for High Sierra and Sierra. The update of the processor microcode costs according to Intel between 3 and 9 percent performance.
Always update to the latest macOS!
Apple also offers in this support document to disable the Hyper Threading of Intel CPUs completely , two short command line commands are required. But with that the performance drops by 40%. So it is only something for extreme security needs. According to Apple it is enough to use software and microcode updates for the average user – full protection from the vulnerability is not possible then though.
Macs from 2009 to 2010 on which Sierra and High Sierra runs also get the mentioned security updates from Apple via macOS. But the effectiveness is questionable, because Intel refuses to release microcode updates for the Core 2 Duo processors, as it is already the case with Spectre and Meltdown.