Picture by Simon Wijers from Pixabay
Over at TechCrunch, Zack Whittaker describes ZombieLoad, a new class of speculative execution security issues in Intel chips that can allow malicious code to see data owned of other apps in the processor. A proof-of-concept video shows how the vulnerabilities can allow an attacker to see which sites the user is visiting in real time. Almost all computers with Intel chips dating back to 201
That said, most Mac users have little to worry about. We have not seen any reports of exploits based on ZombieLoad, and the vulnerabilities are apparently not trivial to use in an attack.
More importantly, Apple included repairs for ZombieLoad in the newly released macOS 10.14.5 and Security Update 2019-003 for the Sierra and High Sierra. These fixes have no measurable performance, but only partially reduce the ZombieLoad errors. For users in extremely sensitive situations, Apple has issued complete reduction instructions, but their implementation can reduce performance by up to 40% due to loss of hyper-threading. Apple also provides a list of Macs from 2009 and 2010 that can install security updates, but does not support repairs due to a lack of microcode updates from Intel.
The practical startup is that everyone should install MacOS 10.14.5 or Security Update 2019-003 sooner rather than later. The likelihood that a ZombieLoad-enabled attack will happen soon is low, but this situation illustrates why it is important to keep up to date with Apple's operating system and security updates.
We also have to imagine that situations like this inform Apple's thinking about possibly replacing Intel CPUs in Macs with Apple's own ARM-based chips. If nothing else, Macs built around non-Intel chips can be even less of a goal than they are now.