Advanced Mac users who have a particularly strong conflicting environment may think it necessary to enable complete reduction of Intel MDS processor's vulnerability on their Mac machines (and PCs for that matter). MDS stands for Microarchitectural Data Sampling (MDS), commonly called "Zombieload", and is basically a security issue on the Intel processor itself, which could theoretically cause an attacker to access sensitive data on any affected Intel computer. , Mac or PC. (If you follow security news closely, Zombieload's vulnerability is like the Specter and Meltdown security errors last year.)
While Apple has been seeking security updates for MacOS Mojave 10.14.5 and Security Update 2019-003 for High Sierra and Sierra that should contribute to To prevent problems for most Mac users, other Mac users operating within unusually increased security risk environments may feel the need to go ahead and enable complete reduction against MDS / Zombooad.
Enabling full limitation of the Intel MDS vulnerability involves disabling hyper-threading on the CPU itself, which can result in a 40% performance reduction on the machine. It is obviously a rather serious blow, and the vast majority of people should therefore not bother with this as the vast majority of people will not be under a security risk environment that would put them at risk of being targeted by this type of vulnerability.
But if you're particularly concerned with the Zombieload / MDS attack vector on a Mac with an Intel CPU, we discuss how to enable complete reduction against the attack below.
How to Enable Complete Compensation for Zombieload / MDS on Intel Macs
Remember that to enable complete suitability for MDS / Zombooad on a Mac, you must disable CPU hypertension, resulting in a serious performance trait. Most Mac users shouldn't worry about this.
Note that the Mac must run MacOS Mojave, MacSO Sierra, MacOS High Sierra or later.
- First, install MacOS Mojave 10.14.5 or Security Update 2019 for High Sierra or Security Update 2019 for Sierra (or later) on Mac
- Go to the Apple menu and select "Restart" to restart your Mac.
- Hold down Command + R when restarting to launch the Mac in recovery mode
- When you get to the Tools screen, drag down the "Tools" menu in the menu bar and select "Terminal"
- Type the following command and press then back
- Next type of following command,
- Go to the Apple menu and select "Restart" to restart the Mac.
nvram boot-args = "cwae = 2"
These instructions for complete limitation comes directly from Apple.
How to return:
nvram SMTDisable =% 01
To return complete reduction of Zombieloa d / MDS and reactivate hyper-threes ading on the CPU, reset the Mac NVRAM / PRAM to remove the defined nvram change made in full reduction. This is the same for all Mac models:
- Turn off the Mac
- Turn on your Mac, then press and hold the COMMAND OPTION PR keys together
- Hold down the COMMAND OPTION PR keys simultaneously 20 seconds, then release
- . Delete the keys after reading the second startup clip (on Macs that play the startup sound) or after watching the Apple logo (Macs with the T2 chip)
The Mac starts now as usual with NVRAM reset, override enabled again, and complete reduction of MDS no longer in place.
You can also see NVRAM variables on a Mac from the command line if you are not sure what is specified.
Note whether you are using a firmware password that you may need to temporarily turn it off before you can reset NVRAM.
What is MDS / Zombieload anyway?
For further backgrounds on MDS / Zombooad as well as the reduction process, you may wish to refer to the Apple support article describing MDS risk and complete reduction as follows:
Intel has disclosed vulnerabilities called Microarchitectural Data Sampling (MDS) applicable to desktop and laptops with Intel processors, including all modern Macs.
Although there are no known challenges affecting customers At the time of this writing, customers who believe in their computer may be at increased risk of attack, use the Terminal app to activate an additional CPU instruction and disable full protection processing technology against these security issues.
This option is available for MacOS Mojave, High Sierra and Sierra, and may have a significant impact on computer performance.
Furthermore, it is possible to deactivate the hypertext on the Intel processor, which dramatically reduces performance. Apple describes this as follows:
The full constraint, which includes disabling hypertext, prevents information leakage across and reaches core and user space transitions that are associated with MDS vulnerabilities for both local and remote (web) attacks.
Testing performed by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public references. Performance tests are performed using specific Macs. Actual results will vary based on model, configuration, usage and other factors.
You may also be interested in reading more about Microarchitectural Data Sampling (MDS) directly from Intel here at Intel.com.
Another source of information about Zombieload / MDS is the official website of Zombieload Attack, here created by the researchers who found the vulnerability. The video below from these security researchers demonstrates a zombieoad attack used to gather information from a targeted machine despite using the TOR contained in a virtual machine (a serious security yikes!).
Again, most users of Mac (and PC) do not need to be too concerned about these vulnerabilities, and probably do not have to bother with complete limitation by disabling hyper-threading. Only installing MacOS Mojave 10.14.5 and the relevant High Sierra and / or Sierra 2019-003 security update will help avert potential hazards for most Mac users. And as always, make sure you never install any sketchy or insecure software as it should contribute significantly, since almost all of these types of security issues rely on some form of malicious software to root out initially.