ZombieLoad – Another Intel CPU Vulnerability

15 May 2019

Introduction

Yet another vulnerability has been discovered in Intel processors dating back to 2011. The vulnerability, named ZombieLoad, is as serious as Spectre and Meltdown and affects all desktop and laptop devices using Intel processors, in addition to cloud servers and associated virtual machines. This presents an obvious threat to customers of cloud-based computing services where isolation from other customers’ virtual machines is critical.

Background

The vulnerability is part of a new class of CPU attacks, brought to light by Spectre and Meltdown, known as transient execution attacks. Such attacks exploit a feature of modern processors known as speculative execution, which allows the processor to guess the outcome of a condition and execute the most likely path before that outcome is actually known. If the prediction is correct, performance is noticeably improved. If the prediction is incorrect, the work is discarded, but its side-effects can allow sensitive data still held in the CPU’s internal buffers to be recovered. Attacks which take advantage of such side-effects are known as transient execution attacks.

Normally, applications are prevented from reading data from other processes running on the CPU. Transient execution attacks show that it is theoretically possible for applications to leak data across processes, privilege boundaries, Hyperthreads and between virtual machines. What this means for the user is that a malicious application could take advantage of this vulnerability and use it to read sensitive data from another application or process. Such data includes passwords, encryption keys, browser history and website content. The researchers who discovered the vulnerability have released a video demonstrating exploitation of this vulnerability to expose browser history in real-time.

Remediation

At the time of writing, no code has been seen in the wild which actively exploits this vulnerability. Similarly, the researchers involved have not released exploit code. This means that average users are unlikely to be affected by ZombieLoad at this moment in time. Since it is possible for malicious JavaScript hosted on a website to exploit ZombieLoad, and since keeping systems patched is best practice in computer security, we recommend that Mojave users install Apple’s 10.14.5 update. Better yet, enabling automatic updates will allow security fixes such as this to be delivered to your Mac with minimal user input. As always, we recommend only installing applications from trusted sources and conducting regular scans with ClamXAV.
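For readers who want to confirm that a Mojave machine is on the 10.14.5 update named above, the following shell script is an added example (not part of the original post and not ClamXAV's own tooling). It takes the minimum version 10.14.5 from the post; the function names, the dotted-version comparison and the use of `sw_vers -productVersion` to read the running macOS version are assumptions of this example. It deliberately reports `not-mojave` for any other release, since the post only makes a statement about Mojave.

```shell
#!/bin/sh
# Added example: decide whether a macOS version string is at or above the
# 10.14.5 Mojave update recommended in the post. Function names are assumed.

# version_ge A B -> exit 0 if dotted version A >= B, else 1
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # leading numeric component of each side; a missing component counts as 0
        ac="${a%%.*}"; bc="${b%%.*}"
        ac="${ac:-0}"; bc="${bc:-0}"
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        # drop the component just compared; empty the string when none remain
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# zombieload_patch_status VERSION -> prints one of:
#   patched          Mojave at or above 10.14.5
#   update-required  Mojave below 10.14.5
#   not-mojave       any other release (outside the scope of this check)
zombieload_patch_status() {
    case "$1" in
        10.14|10.14.*)
            if version_ge "$1" "10.14.5"; then echo patched; else echo update-required; fi ;;
        *) echo not-mojave ;;
    esac
}

# On a Mac, read the live product version with sw_vers; elsewhere do nothing.
if command -v sw_vers >/dev/null 2>&1; then
    zombieload_patch_status "$(sw_vers -productVersion)"
fi
```

Run it directly on the Mac in question; a result of `update-required` means the 10.14.5 update has not been installed yet. The comparison is done component by component rather than as a string so that, for example, a version with a missing third component (10.14) is correctly treated as older than 10.14.5.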