Security Alert Archives - Mr. Macintosh

Catalina 10.15.7 Supplemental Update (19H15) Released!

MrMacintosh.com - 10.15.7 Supplemental Update (19H15) Released! — 10.15.7 Supplemental Update (19H15) Released!

macOS Catalina 10.15.7 Supplemental Update is now Available.

UPDATE 11/11/20: Apple has just released a full installer for macOS Catalina 10.15.7 that includes the Supplemental Update Security Fixes! No word of an updated combo update or a downloadable pkg yet. I will update if they become available!

Today Apple released the 6th Supplemental Update for macOS Catalina. With the release of 10.15.7, we thought Apple would continue with an easy way to identify updates. The 10.15.7 Supplemental update seemed to dash those hopes. The update does not even list any fixes in it. The only wording is

“macOS Catalina 10.15.7 Supplemental Update is recommended for all users and improves the security of macOS”

This tells us that the update only has security related fixes in it!

https://support.apple.com/en-us/HT211947

In the security link, Apple calls out 3 security vulnerabilities. I will go over them below.

Mr. Macintosh Catalina 10.15.7 Supplemental Update Video

The macOS Catalina 10.15.7 Update includes the following Security fixes.

macOS Catalina 10.15.7 Supplemental Update provides important security updates for your Mac.

This update is an important update due to this quote from Apple

A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.
Apple

The Supplemental Update patches the following
FontParser arbitrary code execution = Found in the wild!!!
Two Kernel Exploits = Both found in the wild!!!
All three vulnerabilities have been reported to Apple from the Google Project Zero Team.

Treat this Supplemental Update as a High Priority!

Confusing Update Situation

We have a couple update scenarios that we need to discuss. Normally Apple releases new Delta and Combo Updates. This time we only have a delta update for 10.15.6 users. If you have anyone on 10.15.0-10.15.5 they will be offered the OLD 10.15.7 (19H2) Update. They will have to install the 10.15.7 Supplemental Update after!

10.15.7 users = NEW 10.15.7 Supplemental Update
10.15.6 users = NEW 10.15.7 Delta Update
10.15.0-10.15.5 users = OLD 10.15.7 Combo Update – Will need to install the 10.15.7 Supplemental Update after.
10.15.7 Full Installer = Remains OLD 10.15.7 (19H2) version and will need to install the 10.15.7 Supplemental Update after.

Hat Tip to my fellow Software Update Investigator Eric Holtam! Follow him on Twitter @eholtam

Apple’s Public Patch Notes / Release Notes Documentation

NOTE: Apple Documentation takes a little while to show up online after release. I will update when the new articles are made available.

https://support.apple.com/en-us/HT210642

developer.apple.com/documentation/macos_release_notes

developer.apple.com/documentation/macos-release-notes/macos-catalina-10_15_6-release-notes

For more detailed information about this update and previous updates, please visit: https://support.apple.com/kb/HT210642

Previous 10.15 Releases + Previous Patch Notes

22. 10.15.7 = (19H15) – Supplemental Update – Nov 5th 2020
21. 10.15.7 = (19H2) – Update – Sep 24th 2020
20. 10.15.6 = (19G2021) – Supplemental Update – Aug 12th 2020
19. 10.15.6 = (19G2006) – 2020 iMac Fork Re-Released – Aug 4th, 2020
18. 10.15.6 = (19G2005) – 2020 iMac Fork – Aug 4th, 2020
17. 10.15.6 = (19G73) – July 15th, 2020
16. 10.15.5 = (19F2200) – 16″ MBPro Update Fork – June 15th 2020
15. 10.15.5 = (19F2096) – 16″ MBPro Shipping Fork – June 15th 2020
14. 10.15.5 = (19F101) – Supplemental Update – June 1st, 2020
13. 10.15.5 = (19F96) – May 26, 2020
12. 10.15.4 = (19E2269) – 13″MBPro Shipping Fork – May 6th 2020
11. 10.15.4 = (19E287) – Supplemental Update – April 8th, 2020
10. 10.15.4 = (19E266) – March 24th 2020
9. 10.15.3 = (19D2064) – MBAir Shipping Fork March 23rd 2020
8. 10.15.3 = (19D76) – January 28th 2020
7. 10.15.2 = (19C57) – December 10th 2019
6. 10.15.1 = (19B2106) – 16″ MBPro Update Fork – November 13th 2019
5. 10.15.1 = (19B2093) – 16″ MBPro Shipping Fork – Nov 13th 2019
4. 10.15.1 = (19B88) – October 29th 2019
3. 10.15.0 = (19A603) – Supplemental Update Re-Released – Oct 21st 2019
2. 10.15.0 = (19A602) – Supplemental Update – October 15th 2019
1. 10.15.0 = (19A583) – October 7th 2019

macOS Catalina 10.15.7 Supplemental Update Changes, Info & Download Links

Supplemental Update

The “Supplemental Update” update is smaller in size because it only includes fixes for the previous point release only.

NOTE: The Supplemental update is ONLY for 10.15.7 Users

Download Link – waiting

Size = 1.21 GB

Product ID = 001-73001

Requirements = 10.15.7

Delta Update

The “Delta” update is smaller in size because it only includes fixes for the previous point release only.

NOTE: The Delta update is ONLY for 10.15.6 Users

Download Link – waiting

Size = 2.84 GB

Product ID = 001-57230

Requirements = 10.15.6

Combo Update

The “Combo” update is for all previous versions of Catalina.

Download Link – NONE! combo update is not available as this update is ONLY for 10.15.7 users.

Size =

Product ID =

Requirements =

Full Installer.app

It looks like a full installer was NOT released! Will update …

Below is the OLD VERSION (19H2)

Link – Catalina 10.15.7 Mac App Store

Size = 8.75 GB

Product ID = 001-51042

Requirements – 10.15 Catalina Requirements

T2 BridgeOS Update

UPDATE! T2 BridgeOS was updated!

Size = 417.7 MB

Product ID = 001-51038

BridgeOS Update Version = 17.16.16610.0.0

3. Previous 10.15.7 Update = 17.16.16610 = BuildVersion 6
2. Previous 10.15.6 Supplemental Update = 17.16.16610
1. Previous BridgeOS Update Version = 17.16.16065

Security Content of macOS Catalina 10.15.7 Update.

This document lists security updates for Apple software.

support.apple.com/en-us/HT201222

MacOS Catalina 10.15.7 Supplemental Update

https://support.apple.com/en-us/HT211947

The following security fixes are included in Catalina 10.15.7.

Released November 5, 2020

FontParser

Available for: macOS Catalina 10.15.7

Impact: Processing a maliciously crafted font may lead to arbitrary code execution. Apple is aware of reports that an exploit for this issue exists in the wild.

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-27930: Google Project Zero

Kernel

Available for: macOS Catalina 10.15.7

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.

Description: A type confusion issue was addressed with improved state handling.

CVE-2020-27932: Google Project Zero

Kernel

Available for: macOS Catalina 10.15.7

Impact: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild.

Description: A memory initialization issue was addressed.

CVE-2020-27950: Google Project Zero

Catalina 10.15.7 Supplemental Update

Zoom Vulnerably Remediation – 14 Total variants Index of MRT Links & Info

MrMacintosh.com - Zoom Vulnerably Remediation, 14 Total variants & RCE found. Index of Zoom & MRT Links & Info — Zoom Vulnerably Remediation, 14 Total variants & RCE found. Index of Zoom & MRT Links & Info

14 total Zoom Vulnerably / Exploit variants and a RCE Remote Code Execution found!

Just when you had enough of the first Zoom Vulnerably, Apple released MRTConfigData 1.46 (now 1.47!) to deal with 14 total variants and a Remote Code Execution (RCE) . I created this Index of MRT Links & Info to help you get through the confusion.

Jonathan Leitschuh reported the first vulnerably in Zoom. I wrote an article talking about this and how to remediate the RCE and Conferencing Video Bug here.

UPDATED: 07/18/19 – MRTConfigData 1.47 released and 3 more Zoom variants! Brings the total to 14.

MRT Malware Removal Tool Index

1. List of zoom opener variants and MRT versions
2. MRTConfigData Compatible OS versions.
3. Software Update & MRT Commands
4. Malware Removal Tool Documentation
5. Caveats of installing MRTConfigData and how the MRT scan works differently in 10.14 vs 10.13
6. Other ways to install MRT updates
7. Digging into the MRT Binary
8. More questions, Problems and Errors
9. Links to scripts and other MacAdmin articles
10. Disclaimer

1. List zoom opener variants and MRT Versions

How do we even know which variants are included in MRTConfigData v1.45 and v1.46? (Now 1.47!) The only way to find out is to dig into the MRT Binary Code. I talk about how I found the new variants a little more in section 7 below.

We now have 14 new Zoom Opener variants to worry about. Each one is a hidden folder listed in your user folder!

MRT Versions

1. MRTConfigData v1.45 – 7/10/19
2. MRTConfigData v1.46 – 7/16/19
3. MRTCOnfigData v1.47 -7/18/19

Zoom Variants

1. /.zoomus – 1.45
2. /.ringcentralopener – 1.46
3. /.telusmeetingsopener– 1.46
4. /.btcloudphonemeetingsopener– 1.46
5. /.officesuitehdmeetingopener– 1.46
6. /.attvideomeetingsopener– 1.46
7. /.bizconfopener– 1.46
8. /.huihuiopener – 1.46
9. /.umeetingopener– 1.46
10./.zhumuopener– 1.46
11./.zoomcnopener– 1.46
12./.earthlinkmeetingroomopener – 1.47
13./.videoconferenciatelmexopener – 1.47
14./.accessionmeetingopener – 1.47

2. MRTConfigData Compatible OS versions.

You can run the MRTConfigData update on the following macOS versions.

Mojave 10.14
High Sierra 10.13
Sierra 10.12
El Capitan 10.11 (Note: You can only use softwareupdate -ia --background as the --include-config-data option was new in Sierra 10.12)

3. Software Update & MRT Commands

Let’s get right to it, here are the commands again if you want to remediate right now!

1. Check for config data updates: /usr/sbin/softwareupdate -l --include-config-data
2. Manual Install of MRT v1.47: /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data
3. Verify Version of MRT: /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
4. Force Run MRT.app in Agent mode: /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a

If MRT finds Zoom the manual scan will look like this.

MrMacintosh.com - A manual MRT -a agent scan found ZoomOpener and deleted it. — A manual MRT -a agent scan found ZoomOpener and deleted it.

4. Malware Removal Tool Documentation

Apple has not documented how the MRT Scan works. The MRT Tool is called out with just a few lines in the macOS Security Overview for IT.

MrMacintosh.com - macOS Security Overview for IT 2018 — macOS Security Overview for IT 2018

Apple refers to MRT updates as “Silent or Quiet Update” when referenced in the media. The MRT Binary doesn’t have a MAN page or a -help section. Targeted malware variants are not documented. Sounds like a job for #MacAdmins!!!

5. Caveats of installing MRTConfigData and how the MRT scan works differently in 10.14 vs 10.13

You need to know about a few caveats with this process. I have tested the installation and scan multiple times and found differences in each OS! Let’s start with Mojave 10.14 then move to High Sierra 10.13.

MRT in Mojave 10.14.5

When you manually install the MRTConfigData update the MRT.app will automatically run a MRT Scan!
You only have to worry about other users who may have installed any of the opener variants as the MRT Scan only runs for the logged in user only.
A restart and Logout/Login will kick off a manual MRT Scan.
You can run a script that Rich wrote that will remove zoom from all logged in users.
github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/fix_zoom_vulnerability

MRT in High Sierra 10.13.6

A reboot will kick of a MRT Scan
A logout and login will kick off an MRT Scan
When you manually install the MRTConfigData update the MRT Scan will NOT run automatically!!!
You will need to run the MRT.app agent scan manually to remove any zoom variants.

TLDR: Installing MRTConfigData in 10.14 automatically kicks off the MRT.app scan, while in 10.13 the MRT scan does NOT run automatically.

H/T to @howardnoakley and @alvarnell for pointing out that after installing MRTConfigData the MRT Scan kicks off automatically. I did not know it at the time but they were testing in 10.14. All my testing was on 10.13, so thats why I was getting different results!

6. Other ways to install MRT updates

If you are on Mojave 10.14.5 you will automatically get the MRTConfigData update as long as you have the following SoftwareUpdate Settings set to ON.

MrMacintosh.com - Software Update - Required settings to get "System Data Files and Security Updates" — Software Update – Required settings to get “System Data Files and Security Updates”

As long as you have these settings set to ON your Mac should automatically check in for new updates and install them every 24 hours.

For the com.appleSoftwareUpdate.plist file you need the following settings set to ON.

/Library/Preferences/com.appleSoftwareUpdate.plist

AutomaticCheckEnabled = 1
AutomaticDownload = 1
ConfigDataInstall = 1
CriticalUpdateInstall = 1

If you want to install all background updates now without waiting you can issue the following command.

sudo softwareupdate --background --include-config – Only background updates

sudo softwareupdate -ia --include-config-data – Background updates AND OS level Updates

NOTE! The -ia option will install ALL available software updates including Combo, Safari and Security Updates.

The above commands will only install Xprotect updates if you have all the automatic software update settings set to ON.

7. Digging into the MRT Binary

Apple does not list the targeted malware variants anywhere, so the only way to find them is to dig into the MRT Binary Code. You cant just open the code inside MRT as it has thousands of lines of code. You have to first compare the current version to the old one. This will give you the first clues, as each piece of malware is given a code. In this case it was MACOS.354c063.

Now that we have the Malware Family ID we can then search the MRT Binary using a disassembler application. A disassembler like Hopper is used to view the actual code of the new MRT binary.

MrMacintosh.com - The actual code calling out /.zoomus/ZoomOpener.app — BINGO!!! The actual code calling out /.zoomus/ZoomOpener.app

8. More questions, Problems and Errors

We still have questions about how the MRT works especially the MRT -d or daemon mode. I have even reached out to Apple for an answer on this.

Howard Oakley wrote a great article looking into this.

eclecticlight.co/2019/07/13/what-happened-when-mrt-was-updated-and-what-mrt-does/

This is the best information we have so far.

Problems and Errors

Trying to run a manual update and scan can cause some problems in certain situations.

1. Running /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data shows

Result of command:
MRTConfigData_10_14-1.46: No such update
No updates are available.

If this happens run /usr/sbin/softwareupdate -l --include-config-data first.

2. Running the MRT Scan from a script shows

MRT Scan failedToReceiveProfileList

You will need to run MRT in 10.14 as the logged in user.

MrMacintosh.com - Running MRT in agent mode as the logged in user. — Running MRT in agent mode as the logged in user.

9. Links to scripts and other MacAdmin articles

CVE-Numbers
DOS Vulnerability — Fixed in Client version 4.4.2 — CVE-2019–13449
Information Disclosure (Webcam) — Zoom —CVE-2019–13450
The Zoom Client before 4.4.53932.0709 on macOS allows RCE remote code execution – CVE-2019-13567

Apple.com – About background updates in macOS Mojave Your Mac automatically installs background updates for the security configuration and data files used by macOS. – support.apple.com/en-us/HT207005
Apple.com – macOS Security Overview for IT – 2018 – apple.com/business/resources/docs/macOS_Security_Overview.pdf

Jonathan Leitschuh – twitter.com/jlleitschuh – Medium.com – A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business. – medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Howard Oakley – twitter.com/howardnoakley – eclecticlight.co – Howard really dug into this when it first came out writing multiple articles on the zoom exploit. He also has multiple applications that he wrote that will help you, including one called SilentKnight that will tell you if all your XProtect definitions are up to date.
eclecticlight.co/2019/07/09/zoom-videoconferencing-could-expose-your-mac/
eclecticlight.co/2019/07/10/apple-has-pushed-an-update-to-mrt-to-remove-zooms-hidden-web-server/
eclecticlight.co/2019/07/13/what-happened-when-mrt-was-updated-and-what-mrt-does/
eclecticlight.co/2019/07/14/last-week-on-my-mac-does-anyone-here-know-about-mrt/
eclecticlight.co/2019/07/18/how-to-check-that-your-mac-is-free-of-zoom-and-similar-web-servers/

Rich Trouton – twitter.com/rtrouton – derflounder.wordpress.com – Rich has written the best script yet to remediate the Zoom venerability on all user accounts.
derflounder.wordpress.com/2019/07/10/zoom-vulnerability-and-remediation-script/
derflounder.wordpress.com/2019/07/13/zhumu-vulnerability-and-remediation/
derflounder.wordpress.com/2019/07/16/additional-zoom-remediation-from-apple-via-mrt/
github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/fix_zoom_vulnerability

Karan Lyons – twitter.com/karanlyons – Github
Fix for Zoom, RingCentral, Zhumu (and possibly more) RCE vulnerabilities – gist.github.com/karanlyons/1fde1c63bd7bb809b04323be3f519f7e

Assetnote.io – Deep dive on how the RCE and Zoom exploit works. blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/

Jamf Nation Discussion Forum – Zoom Exploit – jamf.com/jamf-nation/discussions/32561/zoom-exploit

My article on the Zoom Exploit – mrmacintosh.com/how-to-remediate-the-zoom-vulnerability-with-apple-malware-removal-tool

TheVerge.com – theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras

Blue Jeans Response – support.bluejeans.com/s/article/BlueJeans-Detector-Service

Macadmins.slack.com – You can also talk about the Zoom Vulnerability and join the #zoom channel or #security in MacAdmins Slack.

10. Disclaimer

I tried to test and research as much as possible to save you time. I hope this Index of MRT Links & Info helps you, but since this issue revolves around security please double check and test before you deploy. After deployment check again that the files inside the opener are in fact deleted.

Index of MRT Links & Info

https://twitter.com/howardnoakley?lang=en

How to Remediate the Zoom Vulnerability with Apple Malware Removal Tool

MrMacintosh.com - Voom Vulnerability How to remediate with Apple's Malware Removal Tool or MRTConfigData — Remediate the Voom Vulnerability with Apple’s Malware Removal Tool or MRTConfigData v1.45

Zoom Vulnerability / Exploit and RCE

UPDATE: 07/18/19 – I put together a new blog update that includes 14 total Zoom Variants, New MRTConfigData 1.47 along with new information, fixes and links! – mrmacintosh.com/zoom-vulnerably-remediation-14-total-variants-index-of-mrt-links-info/

Yup, the Zoom Vulnerability has been THE talk of the MacAdmins community for the past 2 days. This stuff moves very fast and you have to keep an eye out! We will be The vulnerability was first released by Jonathan Leitschuh. This is not just Zoom but also Ringcentral and possibly BlueJeans. A statement Link from BlueJeans is below.

How do I remediate CVE-2019-13450?

Below are three options you can look through.

Option #1 Install Updated Zoom.app
Option #2 Option #2 Apple MRT – Malware Removal Tool
Option #3 Manual Removal + Scripts and links

Option #1 Install Updated Zoom.app 4.4.53932.0709

Install the new version of Zoom zoom.us/support/download

This version should remove everything including the WebServer installed to ~/.zoomus

From blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/

Tuesday, July 9
Zoom issued an update to our Mac app with the following:
Removed the local web server via a prompted update
Allowed users to manually uninstall Zoom. This new option to the Zoom menu bar allowed users to manually uninstall the Zoom client, including the local web server. A new menu option says, “Uninstall Zoom.” By clicking that button, Zoom’s app and web server are removed from the user’s device along with the user’s saved settings
Wednesday, July 10
Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.
Weekend of July 13
We have a planned release for the weekend of July 13 that will address video on by default. With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. (Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.)

Option #2 Apple MRT – Malware Removal Tool

Apple in a very quick move released MRTConfigDat 1.45 at 5PM CST yesterday. According to TechCrunch

techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.
Apple said the update does not require any user interaction and is deployed automatically.
TechCrunch

MrMacintosh.com - MRTConfigData v1.45 — MRTConfigData v1.45

Apple’s Malware Removal Tool will update on all 10.11, 10.12, 10.13 & 10.14 within 24 Hours

As long as you have sofwareupdate set to Automatically Check for Updates, Download New updates in the background & Install System Data Files and Security Updates. NOTE: 10.11 does not have the include-config-data option so you have to run sudo softwareupdate -ia -background

I need the update now!

Got you covered! You can use softwareupdate to manually install MRTConfigData 1.45. You can run this to list all available Xprotect Updates.

softwareupdate -l --include-config-data

To install the update you can run

softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data

MrMacintosh.com - Manually download MRTConfigData using softwareupdate — Manually download MRTConfigData using softwareupdate

I am not sure yet if just installing the new update actually activates and runs MRT or not. This command works great because it ONLY installs the called out update. If you use softwareupdate -l --include-config-data it will install ALL softwareupdates including combo and Safari ETC.

Verify that you have 1.45

defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString

To force MRT to update run

NOTE: If you are trying to run MRT.app remotely over ssh or by using an MDM, it needs to run as the logged in user at least in 10.14. In 10.12 and 10.13 MRT seems to run fine no matter the user. You can use the 2 lines of code below to get the logged in user then run the command as the user. The error you will get in 10.14 will say failedToReceiveProfileList.

MrMacintosh.com - Script to force MRT to run as the logged in user. — How you could run a quick small script as the logged in user.

Manual Command that you can run if you are logged in as the user.

/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a

MrMacintosh.com - Manually updating MRT — Manually updating MRT on the fly!

Hat Tip to AndyInCali on MacAdmins Slack for the MRT -a !!!

Option #3 Manual Removal + Scripts and Links

Rich Trouton wrote a great script to manually remove zoom’s WebServer.

NOTE: Keep in mind trashing the app will NOT remove the ~/.zoomus Web Server. You will either need to kill the process and then overwrite the file like in Rich’s Script below or wait for MRT or install the new version which removes the Web Server.

derflounder.wordpress.com/2019/07/10/zoom-vulnerability-and-remediation-script/

You can follow a long thread on Jamf Nation

.jamf.com/jamf-nation/discussions/32561/zoom-exploit

You can also talk about the Zoom Vulnerability and join the #zoom channel in MacAdmins Slack.

Microarchitectural Data Sampling (MDS) Vulnerabilities Summary

MDS Summary by Jason Broccardo @zoocoup latest Intel chip vulnerability — MDS Summary by Jason Broccardo @zoocoup

Guest writer – Jason Broccardo – zoocoup.org – Twitter @zoocoup

Editor’s Note: This post is MrMacintosh.com’s first guest article. Jason posted a summary of this new venerability last night. It immediately reminded me of how he owned the coverage of the 10.14.4 Gmail problem and before that Spectre & Meltdown Vulnerabilities. Last night I posted an article on how to mitigate the issue (Disable Hyper-Threading) if you are looking for a detailed step by step .

Last Updated: Tue May 14 20:41:42 CDT 2019

Microarchitectural Data Sampling (MDS) Vulnerabilities Summary

At this point there are four identified vulnerabilities that all share a common root of forcing information to leak from the CPU’s buffer. Much like the Spectre vulnerabilities announced in 2018, these flaws could potentially allow the execution of malicious code or the extraction of information on machines with Intel processors (at this time ARM and AMD processors are not affected). Intel has released microcode firmware updates to address the issue at the hardware level but OS and application vendors will need to release additional software updates to patch potential exploit vectors from the software side.

The CVEs are:

These CVEs can also be referred to as RIDL, Fallout and Zombieload.

https://mdsattacks.com

https://zombieloadattack.com

New speculative execution bug leaks data from Intel chips’ internal buffers

https://arstechnica.com/gadgets/2019/05/new-speculative-execution-bug-leaks-data-from-intel-chips-internal-buffers/

New RIDL and Fallout Attacks Impact All Modern Intel CPUs

https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/

Understanding the MDS vulnerability: What it is, why it works and how to mitigate it

https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it?sc_cid=701f2000000tyBjAAI

MDS – Microarchitectural Store Buffer Data – CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091

https://access.redhat.com/security/vulnerabilities/mds

Side Channel Vulnerability Microarchitectural Data Sampling

https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

OS Vendor Response

For all vendors, disabling Hyper-Threading is the recommendation for most complete mitigation but in all cases there will be a performance impact for doing so. Disabling Hyper-Threading involves manipulating EFI/BIOS/NVRAM and a restart of the computer..

“MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled.” —

Microarchitectural Data Sampling (MDS)

Apple

As of May 14th, 10.14.5 looks to be the only fully patched edition of macOS as Apple has noted that the version of Safari 12.1.1 included with 10.14.5 (Safari 12.1.1 also exists for macOS 10.12 and 10.13) contains additional fixes. It’s possible Apple will clarify the position of Safari 12.1.1 in 10.12 and 10.13 at a later date. Watch the two security documents below for additional changes.

From Apple on the Performance impact of disabling hyper-threading:

“The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.

Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.”

For Macs that support it, disabling Hyper-Threading requires booting to the Recovery Partition and editing NVRAM settings. There is no way to mass distribute these changes through MDM or script.

About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra

https://support.apple.com/en-us/HT210119

About the security content of Safari 12.1.1

https://support.apple.com/en-us/HT210123

Additional mitigations for speculative execution vulnerabilities in Intel CPUs

https://support.apple.com/en-us/HT210107

How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities

https://support.apple.com/en-ca/HT210108

These Mac models may receive security updates in macOS Mojave, High Sierra or Sierra, but are unable to support the fixes and mitigations due to a lack of microcode updates from Intel:

1. MacBook (13-inch, Late 2009)
2. MacBook (13-inch, Mid 2010)
3. MacBook Air (13-inch, Late 2010)
4. MacBook Air (11-inch, Late 2010)
5. MacBook Pro (17-inch, Mid 2010)
6. MacBook Pro (15-inch, Mid 2010)
7. MacBook Pro (13-inch, Mid 2010)
8. iMac (21.5-inch, Late 2009)
9. iMac (27-inch, Late 2009)
10. iMac (21.5-inch, Mid 2010)
11. iMac (27-inch, Mid 2010)
12. Mac mini (Mid 2010)
13. Mac Pro (Late 2010)

Microsoft

Windows guidance to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/en-us/help/4457951/windows-guidance-to-protect-against-speculative-execution-side-channel

ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

This article contains a chart (“Security Updates”) that provides links to the OS-appropriate update

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190013

Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Summary of Intel microcode updates

https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

Ubuntu

Kernel updates are available for Ubuntu 14.04 through 10.04

https://usn.ubuntu.com/3977-1/

Microarchitectural Data Sampling (MDS)

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

Amazon Linux

Kernel update (ALAS-2019-1205) is available

https://alas.aws.amazon.com/ALAS-2019-1205.html

Redhat

Kernel and microcode updates are available for RHEL 6, 7 and 8

https://access.redhat.com/security/vulnerabilities/mds

Google

Hyper-threading has been disabled in ChromeOS 74

https://support.google.com/faqs/answer/9330250

Application & Service Vendor Response

Amazon AWS

Amazon has not yet detailed what, if any, mitigation will be needed for AWS services.

Google Chrome

“These have been adopted by Chrome and will be included in Chrome 75 which will be released to the Stable channel on or around the 4th of June.”

https://www.chromium.org/Home/chromium-security/mds

Mozilla Firefox

“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”

https://techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/

VMware

ESX updates

https://kb.vmware.com/s/article/67577?lang=en_US#q=CVE-2018-12130

Fusion

Update to version 11.1.0

https://kb.vmware.com/s/article/68025?lang=en_US#q=CVE-2018-12130

Workstation

Update to version 15.1.0

https://kb.vmware.com/s/article/68025?lang=en_US#q=CVE-2018-12130

(MDS) Vulnerabilities Summary by Jason Broccardo

ZombieLoad New Intel Chip Vulnerability How to enable full Mac mitigation

ZombieLoad MDS Intel Chip Vulnerability — ZombieLoad Logo from https://zombieloadattack.com

Updated with new info: 05/15/19 5:20 PM CST

Security researchers have found a new series of vulnerabilities in Intel chips dating back to 2011.

We now know why Apple released the 10.14.5 Combo update and the 2013-003 security updates early. Keeping with Apple’s normal release schedule, Combo and Security updates should have been released 2-3 weeks from now. The updates were released one day before news of the ZombieLoad New Intel Chip Vulnerability hit. This is great news, especially if you remember Apple’s response to the Meltdown & Spectre vulnerabilities. We had to push Apple to release fixes for 10.12 and 10.11 after the news hit.

NOTE: clarifying the situation.

The Mojave 10.14.5 update does the following

1. Updates Safari to version 12.1.1. “This update prevents exploitation of these vulnerabilities via JavaScript or as a result of navigating to a malicious website in Safari.“
2. Enables the ability for you to enable full mitigation by Disabling Hyper-Threading (instructions listed below)

The 10.12 and 10.13 (2019-003) security update only does the following.

Enables the ability for you to enable full mitigation by Disabling Hyper-Threading (instructions listed below)
Safari 12.1.1 is a separate install for both 10.12 and 10.13. I can’t find any documentation that confirms Apple patched this for 10.13 & 10.12 Safari. This will be the page to watch to see if Apple adds more information later. support.apple.com/en-us/HT210123

All Macs from 2011 & forward are vulnerable to this new attack.

You can read about this from multiple news sites below. We have to worry about both Speculative Execution Vulnerabilities and Microarchitectural Data Sampling (MDS) vulnerabilities.

How can I protect my Mac?

Apple has released 2 documents today on the topic of mitigation.

How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities
support.apple.com/en-us/HT210108

Additional mitigations for speculative execution vulnerabilities in Intel CPUs
support.apple.com/en-us/HT210107

Do I need disable Hyper-Threading as mentioned in the above documents?

Almost all PC Vendors say YES, but Intel says NO. According to Apple “There are no known exploits affecting customers at the time”. The 10.14.5 combo update only covers updates to Safari (12.1.1) only. We will have to wait to see if this was addressed in the High Sierra and Sierra versions of 12.1.1. If you need full mitigation for the Mac you will need to disable Hyper-Threading.

Disabling Hyper-Threading

Let’s take a look at the instructions Apple gave us.

Step 1
Turn on or restart your Mac and immediately press and hold Command (⌘)-R or one of the other macOS Recovery key combinations on your keyboard.

oh no… If you are a MacAdmin you just realized this solution is not deployable by any means.

Step 2
From the Utilities menu in the menu bar, choose Terminal.

If you have a deployed T2 Mac with only one FV2 enabled standard user you will be out of luck. You can’t open terminal without a SecureToken Admin.

Step 3
Type the following two commands, one at a time, at the Terminal prompt. Press Return after each one.

nvram boot-args="cwae=2"

nvram SMTDisable=%01

Note #1 According to Apple you need to be on 10.14.5 or have 2019-003 installed on a 10.13 or 10.12 Mac for this to work.

Note #2 Apple mentions that disabling Hyper-Threading could “cause a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks”.

Let’s boot to recovery and try this out.

After typing in both commands you can check to see if they are set in nvram by typing in

nvram -xp

This will print out all the variables in nvram. You will be looking for 2 entries.

<key>boot-args</key>
<string>cwae=2</string>

<key>SMTDisable</key>
<data>
AQ==
</data>

If you see these the settings should be in play. All you need to do is restart to enable the new settings.

Note: I tried this out on a system that did NOT have the 2019-003 security update on it and the commands did work. The system booted and was acting normal. It is possible that without the security update installed the system does not understand the values. When I checked for the Hyper-Threading Technology field in System Information it did not exist. I DO NOT RECOMMEND YOU DO THIS! I just tested this out so you know what happens.

Confirm the settings worked and Hyper-Threading is disabled.

Click the Apple menu  click “About this Mac” then System Information. Under hardware you should see this.

How to revert back and enable HT again.

If you would like to revert the mitigation and reenable Hyper-Threading, reset NVRAM and restart your Mac. To reset the NVRAM remember you need to disable Firmware Password Protection.

GeekBench 4 Benchmark test

Figured it would be fun to run one test to see the performance hit when Hyper-Threading is disabled.

2017 15″ MbPro – Disabled = Multi-Core 14408
2017 15″ MbPro – Enabled = Multi-Core 14905

3.3% difference

Again this is only one test but sure seems far away from the 40% number.

Apple also notes the following

“If you previously set custom boot-args, you will need to add those boot-args to the nvram command.“

Note: The full mitigation is not enabled while using Boot Camp to run Windows on a Mac.

Disclaimer

As always when it comes to security, please be sure to test test test and follow Apple’s direct linked documentation if you need to enable security settings in a secure production environment.

Contact Me if you have anything to add to this Speculative Execution & ZombieLoad MDS Intel Chip Vulnerability article.