A set of vulnerabilities known as ZombieLoad, or by the technical name microarchitectural data sampling (MDS), has been reported. They can leak sensitive data stored in the processor, such as passwords, secret keys, account tokens and private messages.
These CPU side channel issues (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) are a set of speculative execution side-channel vulnerabilities which potentially allow results from previous execution on a core to be observed across security boundaries via microarchitectural state, on certain Intel CPUs.
An attacker successfully exploiting these vulnerabilities could read sensitive data from other processes running on the system, breaking the isolation between processes provided by modern operating systems. If Chrome processes are attacked, these sensitive data could include website contents as well as passwords, credit card numbers, or cookies.
The affected vendors are patching these vulnerabilities in their products as follows:
“The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”
All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.
Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.
Apple has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel CPUs.
(The flaws do not affect Apple iOS devices or Apple Watch.)
Android devices aren’t affected, but Intel-only devices will need to be patched once updates are available.
Chrome OS has disabled Hyper-Threading on Chrome OS 74 and subsequent versions. This provides protection against attacks using MDS.
macOS Mojave 10.14.5 includes MDS mitigations. These have been adopted by Chrome and will be included in Chrome 75.
Windows users should apply updates with MDS mitigations as soon as they are available.
Linux users should apply kernel and CPU microcode updates as soon as they are available from their distribution vendor, and follow any guidance to adjust system settings.
Apple iOS devices use CPUs not known to be vulnerable to MDS.
Only Intel-based systems need to be patched once updates are available.
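For the Linux guidance above, one way to confirm that the kernel and microcode updates actually took effect is to read the MDS status line the patched kernel exposes in sysfs. This is an added example, not part of the original advisory; it assumes a Linux kernel that provides `/sys/devices/system/cpu/vulnerabilities/mds`, and the function names and sample lines are illustrative.

```python
from pathlib import Path

# Patched Linux kernels report the MDS mitigation state in this file.
MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"

# Constructed sample lines in the kernel's documented format (not captured output).
SAMPLES = [
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled",
]

ADVICE = {
    "not_affected": "CPU not affected by MDS",
    "needs_microcode": "install the CPU microcode update, then reboot",
    "vulnerable": "mitigation is off: update kernel and microcode, check boot settings",
    "mitigated": "mitigated",
    "unknown": "unrecognised status, check the kernel documentation",
}

def parse_mds_status(line):
    """Split a status line into the mitigation state and the SMT (Hyper-Threading) state."""
    main, _, smt = line.strip().partition(";")
    main, smt = main.strip(), smt.strip()
    if main == "Not affected":
        state = "not_affected"
    elif main.startswith("Mitigation:"):
        state = "mitigated"
    elif "no microcode" in main:
        state = "needs_microcode"   # kernel patched, microcode still old
    elif main.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    return {"state": state, "smt": smt or None}

def advice(result):
    """Map the parsed state to the update step the advisory calls for."""
    if result["state"] == "mitigated" and result["smt"] == "SMT vulnerable":
        return "buffer clearing is on, but Hyper-Threading is still enabled"
    return ADVICE[result["state"]]

def check_host(path=MDS_SYSFS):
    """Read the live status; a missing file means no MDS-aware kernel is running."""
    try:
        return advice(parse_mds_status(Path(path).read_text()))
    except FileNotFoundError:
        return "no MDS status file: kernel update needed (or not Linux)"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", advice(parse_mds_status(sample)))
    print("this host ->", check_host())
```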