Over at TechCrunch, Zack Whittaker describes ZombieLoad, a new class of speculative execution security vulnerabilities in Intel chips that could allow malicious code to see data owned by other apps within the processor. A proof-of-concept video shows how the vulnerabilities could allow an attacker to see what Web sites the user is visiting in real-time. Nearly all computers with Intel chips dating back to 2011 and possibly farther are vulnerable, including Macs.
That said, most Mac users have little to worry about. We have seen no reports of exploits based on ZombieLoad, and the vulnerabilities are reportedly non-trivial to use in an attack.
More importantly, Apple included fixes for ZombieLoad in the just-released macOS 10.14.5 and Security Update 2019-003 for Sierra and High Sierra. These fixes have no measurable performance impact but provide only partial mitigation of the ZombieLoad bugs. For users in extremely sensitive situations, Apple has published instructions for full mitigation, but implementing them could reduce performance by up to 40% due to the loss of hyper-threading. Also, Apple provides a list of Macs from 2009 and 2010 that can install the security updates but don’t support the fixes due to a lack of microcode updates from Intel.
The practical upshot is that everyone should install macOS 10.14.5 or Security Update 2019-003 sooner rather than later. The likelihood of a ZombieLoad-enabled attack happening soon is low, but this situation illustrates why it’s crucial to stay up to date with Apple’s operating system and security updates.
We also have to imagine that situations like this are informing Apple’s thinking about possibly replacing Intel CPUs in Macs with Apple’s own ARM-based chips. If nothing else, Macs built around non-Intel chips might be even less of a target than they are now.