New ZombieLoad attack affects Intel chips dating back to 2011, fixed in macOS 10.14.5

A new attack, dubbed “ZombieLoad,” has been discovered and detailed by security researchers, TechCrunch reported today, and it apparently affects all Intel chips dating as far back as 2011. Most Mac computers are affected by this vulnerability, which the iPhone maker has already fixed in the macOS Mojave 10.14.5 software update, released yesterday.

This relatively complicated attack allows a rogue party to steal your sensitive data and encryption keys while the computer accesses them. AMD and ARM chips are unaffected.

Here’s the technical explanation of how the attack works:

While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets—such as browser history, website content, user keys and passwords—or system-level secrets, such as disk encryption keys.

Way more detailed information is available in a white paper.

CPU.fail explains that this attack resurrects your private browsing history and other sensitive data, allowing private information to leak from other apps, the operating system itself, any virtual machines running in the cloud and trusted execution environments.

A demonstration video shows how ZombieLoad allows an attacker to spy on your web browsing activity. The attack works even if you’re using a privacy-preserving browser like Tor running in a virtual machine.

“Apple has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel CPUs,” the Cupertino company noted in a support document published on its website today. The fix also prevents the exploitation of ZombieLoad vulnerabilities through JavaScript in Safari.

Another support document explains that multiple information disclosure issues were addressed partially by updating the microcode and changing the OS scheduler to isolate the system from web content running in the browser.

Full protection requires using the Terminal app to enable microcode-based mitigations for all processes by default and disable hyper-threading processing technology. Full mitigation is available for macOS Mojave, High Sierra and Sierra.

Although enabling the full mitigation is recommended to prevent harmful apps from exploiting these vulnerabilities, it could reduce your Mac’s performance by up to 40 percent.

Applying just the software patch without enabling full mitigations will make your Mac run up to three percent slower, at worst, Intel has said. The patch is part of the macOS Mojave 10.14.5 update and separate security updates for High Sierra and Sierra (Intel also released microcode updates for vulnerable processors).

The older Mac models listed below cannot support these fixes and mitigations due to a lack of microcode updates from Intel.

  • MacBook (13-inch, Late 2009)
  • MacBook (13-inch, Mid 2010)
  • MacBook Air (13-inch, Late 2010)
  • MacBook Air (11-inch, Late 2010)
  • MacBook Pro (17-inch, Mid 2010)
  • MacBook Pro (15-inch, Mid 2010)
  • MacBook Pro (13-inch, Mid 2010)
  • iMac (21.5-inch, Late 2009)
  • iMac (27-inch, Late 2009)
  • iMac (21.5-inch, Mid 2010)
  • iMac (27-inch, Mid 2010)
  • Mac mini (Mid 2010)
  • Mac Pro (Late 2010)

Apple notes that there are no known exploits affecting customers at the time of its writing. The issues addressed by these security updates do not affect iOS devices or Apple Watch.