As described by TechCrunch, "ZombieLoad," as it is called, consists of four bugs that can allow hackers to exploit design flaws in the chips to steal sensitive information directly from the processor.
These vulnerabilities are as serious as the Meltdown and Spectre vulnerabilities discovered in early 2018, and they exploit the same speculative execution process, which is designed to speed up computing and improve performance.
A white paper shared by notable security researchers (including some who worked on Spectre and Meltdown) provides details on how ZombieLoad works. [PDF]
Although programs normally only see their own data, a malicious program can exploit the fill buffers to obtain secrets that are currently being processed by other running programs. These secrets can be user-level secrets, such as browser history, site content, user codes, and passwords, or system-level secrets, such as disk encryption keys.
The attack does not only work on personal computers, but can also be exploited in the cloud.
ZombieLoad affects almost all Intel computers dating back to 201
There have been no reports so far of hackers exploiting the ZombieLoad vulnerabilities, and Intel has released microcode for vulnerable processors. Apple addressed the vulnerability in the macOS Mojave 10.14.5 update released yesterday and in security updates for earlier versions of macOS that were also released yesterday.
Apple has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel processors.
The issues addressed by these security updates do not affect Apple iOS devices or Apple Watch.
Apple released earlier security updates to defend against Spectre, a series of speculative execution vulnerabilities that affect devices with ARM-based and Intel processors. Intel has revealed several Spectre vulnerabilities, called Microarchitectural Data Sampling (MDS), that apply to desktop and laptop computers with Intel processors, including all modern Macs.
An Apple support document on the ZombieLoad vulnerability provides details on "full mitigation" protection that can be activated by customers whose computers are at increased risk or who run untrusted software on their Macs.
Full mitigation requires using the Terminal app to enable multiple CPU instructions and disable hyper-threading processing technology. It is available for macOS Mojave, High Sierra, and Sierra, but not on some older machines. Apple says full mitigation can reduce performance by up to 40 percent, so most users won't activate it.
An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a data center environment. But the spokesperson said it was not likely to be noticeable in most scenarios.
As mentioned above, customers who activate Apple's full mitigation option will actually see processor performance decline because of the need to disable hyper-threading.
One of the researchers who discovered ZombieLoad, Daniel Gruss, told TechCrunch that ZombieLoad is easier to exploit than Spectre but more difficult than Meltdown, and that it requires a certain set of skills, meaning the average person does not have to worry.
Update: This article said earlier that Apple would release an update, but it has been updated to clarify that Apple resolved the issue in security updates made available to Mac owners yesterday. Customers running Mojave should update to macOS 10.14.5, while customers who run older versions of macOS should install any available security updates.