Updated with new info: 05/15/19 5:20 PM CST
Security researchers have found a new series of vulnerabilities in Intel chips dating back to 2011.
We now know why Apple released the 10.14.5 Combo update and the 2019-003 security updates early. Going by Apple’s normal release schedule, the Combo and Security updates were not due for another 2-3 weeks. They were released one day before news of the ZombieLoad Intel chip vulnerability hit. This is great news, especially if you remember Apple’s response to the Meltdown & Spectre vulnerabilities, when we had to push Apple to release fixes for 10.12 and 10.11 after the news hit.
NOTE: clarifying the situation.
The Mojave 10.14.5 update does the following:
- Updates Safari to version 12.1.1. “This update prevents exploitation of these vulnerabilities via JavaScript or as a result of navigating to a malicious website in Safari.“
- Adds the support you need to enable full mitigation by disabling Hyper-Threading (instructions listed below)
The 10.12 and 10.13 (2019-003) security updates only do the following:
- Add the support you need to enable full mitigation by disabling Hyper-Threading (instructions listed below)
- Safari 12.1.1 is a separate install for both 10.12 and 10.13. I can’t find any documentation that confirms Apple patched this in the 10.13 & 10.12 builds of Safari. This is the page to watch in case Apple adds more information later: support.apple.com/en-us/HT210123
All Macs from 2011 onward are vulnerable to this new attack.
You can read about it on the news sites below. We have to worry about both the speculative execution vulnerabilities and the Microarchitectural Data Sampling (MDS) vulnerabilities.
- zombieloadattack.com
- techcrunch.com/2019/05/14/zombieload-flaw-intel-processors
- arstechnica.com/gadgets/2019/05/new-speculative-execution-bug-leaks-data-from-intel-chips-internal-buffers/
How can I protect my Mac?
Apple has released 2 documents today on the topic of mitigation.
- How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities
- support.apple.com/en-us/HT210108
- Additional mitigations for speculative execution vulnerabilities in Intel CPUs
- support.apple.com/en-us/HT210107
Do I need to disable Hyper-Threading as mentioned in the above documents?
Almost all PC vendors say YES, but Intel says NO. According to Apple, “There are no known exploits affecting customers at the time”. What the 10.14.5 combo update applies by default is the Safari (12.1.1) mitigation; we will have to wait and see whether that was also addressed in the High Sierra and Sierra builds of Safari 12.1.1. If you need full mitigation on the Mac, you will need to disable Hyper-Threading.
Disabling Hyper-Threading
Let’s take a look at the instructions Apple gave us.
- Step 1
- Turn on or restart your Mac and immediately press and hold Command (⌘)-R or one of the other macOS Recovery key combinations on your keyboard.
oh no… If you are a MacAdmin, you just realized this solution is not deployable by any means: it has to be typed into a Recovery Terminal on each Mac.
- Step 2
- From the Utilities menu in the menu bar, choose Terminal.
If you have a deployed T2 Mac with only one FileVault 2 enabled standard user, you are out of luck: you can’t open Terminal in Recovery without a SecureToken admin.
- Step 3
- Type the following two commands, one at a time, at the Terminal prompt. Press Return after each one.
nvram boot-args="cwae=2"
nvram SMTDisable=%01
Note #1: According to Apple you need to be on 10.14.5, or have 2019-003 installed on a 10.13 or 10.12 Mac, for this to work.
Note #2: Apple warns that disabling Hyper-Threading could “cause a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks”.
Let’s boot to recovery and try this out.
After typing both commands you can check that they are set in NVRAM by typing
nvram -xp
This prints all the variables in NVRAM. You are looking for 2 entries:
<key>boot-args</key> <string>cwae=2</string>
<key>SMTDisable</key> <data> AQ== </data>
If you see these, the settings are staged. All you need to do is restart for them to take effect.
Note: I tried this out on a system that did NOT have the 2019-003 security update installed, and the commands did work. The system booted and acted normally. It is possible that without the security update installed the system does not understand the values. When I checked for the Hyper-Threading Technology field in System Information, it did not exist. I DO NOT RECOMMEND YOU DO THIS! I just tested it so you know what happens.
Confirm the settings worked and Hyper-Threading is disabled.
Click the Apple menu, click “About This Mac”, then System Information. Under Hardware, the Hyper-Threading Technology field should read Disabled.
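Since the mitigation itself can only be staged by hand in Recovery, the part a MacAdmin can actually deploy is the verification. The bash script below is an added example, not Apple’s code and not part of the original post: it checks that the two NVRAM variables from Apple’s instructions are present in the output of nvram -xp, builds the boot-args value to set when custom boot-args already exist (Apple’s caveat about that is quoted further down), and compares physical to logical CPU counts from sysctl to confirm Hyper-Threading is really off after the reboot. The function names are mine, and the embedded nvram -xp plist is constructed, not captured from a real Mac.

```shell
#!/bin/bash
# Added example (not from Apple or the original post): audit the MDS full-mitigation
# state on a Mac. Function names and the sample plist are my own constructions.

# nvram_mitigation_staged XML
# Returns 0 when the plist printed by `nvram -xp` contains both variables from
# Apple's instructions: boot-args containing "cwae=2" and SMTDisable = 0x01,
# which nvram -xp prints as base64 "AQ==".
nvram_mitigation_staged() {
    local flat
    # Join lines so <key>/<data> pairs split over several lines still match.
    flat=$(printf '%s' "$1" | tr '\n' ' ')
    printf '%s' "$flat" | grep -q '<key>boot-args</key>[[:space:]]*<string>[^<]*cwae=2[^<]*</string>' || return 1
    printf '%s' "$flat" | grep -q '<key>SMTDisable</key>[[:space:]]*<data>[[:space:]]*AQ==[[:space:]]*</data>' || return 1
}

# merge_boot_args CURRENT
# `nvram boot-args="cwae=2"` overwrites whatever boot-args were already set.
# Print the value to set instead: existing args kept, cwae=2 appended exactly once.
merge_boot_args() {
    local current="$1"
    if [ -z "$current" ]; then
        printf 'cwae=2'
    elif printf ' %s ' "$current" | grep -q ' cwae=2 '; then
        printf '%s' "$current"
    else
        printf '%s cwae=2' "$current"
    fi
}

# smt_disabled PHYSICAL LOGICAL
# After the reboot, Hyper-Threading is off when the kernel sees no more logical
# CPUs than physical cores (macOS: sysctl -n hw.physicalcpu hw.logicalcpu).
smt_disabled() {
    [ "$1" -eq "$2" ]
}

# Constructed sample of `nvram -xp` output after Apple's two commands (not captured
# from a real Mac; real output also carries other firmware variables).
SAMPLE_NVRAM='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>SMTDisable</key>
    <data>
    AQ==
    </data>
    <key>boot-args</key>
    <string>cwae=2</string>
</dict>
</plist>'

# Live audit, only meaningful on macOS. Exit status 0 = full mitigation in effect,
# 1 = not, so the script can feed an inventory or extension-attribute check.
audit_live() {
    local xml phys logi staged=1
    xml=$(nvram -xp 2>/dev/null) || { echo "nvram unavailable"; return 1; }
    phys=$(sysctl -n hw.physicalcpu)
    logi=$(sysctl -n hw.logicalcpu)
    nvram_mitigation_staged "$xml" && staged=0
    echo "NVRAM staged: $([ "$staged" -eq 0 ] && echo yes || echo no)"
    echo "CPUs: $logi logical / $phys physical"
    if [ "$staged" -eq 0 ] && smt_disabled "$phys" "$logi"; then
        echo "Full MDS mitigation in effect"
    else
        echo "Full MDS mitigation NOT in effect (not staged, or reboot pending)"
        return 1
    fi
}

if [ "$(uname -s)" = "Darwin" ]; then
    audit_live
else
    # Off-Mac demonstration on the constructed sample.
    nvram_mitigation_staged "$SAMPLE_NVRAM" && echo "sample plist: mitigation staged"
    echo "boot-args to set when debug=0x144 was already there: $(merge_boot_args 'debug=0x144')"
fi
```

Run it as a normal user after the reboot; nvram -xp and the sysctl reads need no privileges, so the same script can ship in a management agent to report which Macs actually took the Recovery-only change.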
How to revert and re-enable HT.
If you would like to revert the mitigation and re-enable Hyper-Threading, reset NVRAM and restart your Mac. Remember that if a firmware password is set, you need to disable it before NVRAM can be reset.
GeekBench 4 Benchmark test
Figured it would be fun to run one test to see the performance hit when Hyper-Threading is disabled.
2017 15″ MacBook Pro – HT disabled = Multi-Core 14408
2017 15″ MacBook Pro – HT enabled = Multi-Core 14905
3.3% difference
Again, this is only one test, but it sure seems far from the 40% number.
Apple also notes the following
“If you previously set custom boot-args, you will need to add those boot-args to the nvram command.“
Note: The full mitigation is not enabled while using Boot Camp to run Windows on a Mac.
Disclaimer
As always when it comes to security, please be sure to test test test and follow Apple’s direct linked documentation if you need to enable security settings in a secure production environment.
Contact Me if you have anything to add to this Speculative Execution & ZombieLoad MDS Intel Chip Vulnerability article.