قالب وردپرس درنا توس
Home / Mac / New & # 39; ZombieLoad & # 39; security issue affects Intel Chips Dating Back to 2011, released Apple patch in MacOS 10.14.5 [Updated]

New & # 39; ZombieLoad & # 39; security issue affects Intel Chips Dating Back to 2011, released Apple patch in MacOS 10.14.5 [Updated]



Security researchers have discovered a new set of vulnerabilities that affect Intel chips from 2011, including the chips that have been used in Apple devices.

As described by TechCrunch "ZombieLoad", as it is called, consists of four errors that can allow hackers to exploit the design errors in the chips to steal sensitive information directly from the processor.


These vulnerabilities are as serious as the Meltdown and Specter vulnerabilities discovered in early 2018, exploiting the same speculative execution process designed to speed up computing and performance.

A white paper shared by remarkable security researchers (including some who worked with Specter and Meltdown) provides details on how ZombieLoad works. [PDF]

Although programs normally only see their own data, a malicious program can exploit the fill buffers to obtain secrets that are currently being processed by other running programs. These secrets can be user-level secrets, such as browser history, site content, user codes, and passwords or system level secrets, such as disk encryption keys.

The attack does not only work on personal computers, but can also be exploited in the cloud.

ZombieLoad affects almost all Intel computers dating back to 201

1, but AMD and ARM chips are not affected. A demonstration of ZombieLoad was shared on YouTube and shows how it works to see what you're doing on your computer. While spying on browsing is demoed, it can also be used for other purposes such as stealing passwords.



There have been no reports of hackers using ZombieLoad's vulnerabilities now, and Intel has released the microcode for vulnerable processors. Apple addressed the vulnerability of the MacOS Mojave 10.14.5 update released yesterday and in security updates for earlier versions of macOS that were also released yesterday.

Apple has released security updates in macOS Mojave 10.14. 5 to protect against speculative execution problems in Intel processors.

The issues addressed by these security updates do not affect Apple iOS devices or Apple Watch.

Apple released earlier security updates to defend against Specter a number of speculative execution vulnerabilities that affect devices with ARM-based and Intel processors. Intel has revealed several Specter vulnerabilities, called Microarchitectural Data Sampling (MDS), that apply to desktop and laptop computers with Intel processors, including all modern Macs.

An Apple Support Document on ZombieLoad Vulnerability provides details for "complete reduction" protection that can be activated for customers with increased risk computers or who run unsafe software on their Macs.

Complete limitation requires the use of the Terminal app to enable multiple CPU instructions and disable processing technology available to macOS Mojave High Sierra and Sierra, but not to some older machines. Apple says full reduction can reduce performance by up to 40 percent, so most users won't activate it.

According to Intel, its microcode updates will affect processor performance, but for the patch that Apple released in MacOS Mojave 10.14.5, there was no measurable performance impact. Apple's repair prevents exploitation of ZombieLoad vulnerabilities via JavaScript in Safari.

An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance here at worst, and as much as 9 percent in a data center environment. But the spokesman said it was not likely to be noticeable in most scenarios.

As mentioned above, customers who activate Apple's full reduction option will actually see the processor's decline due to the need to disable hypertension.

One of the scientists who discovered ZombieLoad, Daniel Gruss, told TechCrunch that ZombieLoad is easier to exploit than Specter, but more difficult than Meltdown, and that it requires a certain set of skills, meaning average person does not have to worry.

Update: This article said earlier that Apple would release an update, but it has been updated to clarify that Apple resolved the issue in security updates made available to Mac owners yesterday. Customers running Mojave should update to macOS 10.14.5, while customers who run older versions of macOS should install any available security updates.


Source link