Rewterz Threat Advisory – ZombieLoad Chip Flaws in Apple, Amazon, Google, Microsoft and Mozilla Products That Use Intel CPUs

Severity

Medium

Analysis Summary

Vulnerabilities have been reported known as ZombieLoad — or microarchitectural data sampling (MDS) as its technical name — which can leak sensitive data stored in the processor, such as passwords, secret keys and account tokens and private messages.

These CPU side channel issues (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) are a set of speculative execution side-channel vulnerabilities which potentially allow results from previous execution on a core to be observed across security boundaries via microarchitectural state, on certain Intel CPUs.

An attacker successfully exploiting these vulnerabilities could read sensitive data from other processes running on the system, breaking the isolation between processes provided by modern operating systems. If Chrome processes are attacked, these sensitive data could include website contents as well as passwords, credit card numbers, or cookies.

Impact

• Information Disclosure
• Security Bypass

Affected Vendors

• Amazon
• Google
• Apple
• Microsoft
• Mozilla

Remediation

The affected vendors are patching these vulnerabilities in their products as follows: 

Mozilla: 

“The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”

Amazon:

All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.

Microsoft:

Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.

Apple

Apple has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel CPUs.

(The flaws do not affect Apple iOS devices or Apple Watch)

Google:

Android devices aren’t affected but Intel-only devices will need to be patched once updates are available.

• Chrome OS:

Chrome OS has disabled Hyper-Threading on Chrome OS 74 and subsequent versions. This provides protection against attacks using MDS.

• macOS

macOS Mojave 10.14.5 includes MDS mitigations. These have been adopted by Chrome and will be included in Chrome 75.

• Windows

Windows users should apply updates with MDS mitigations as soon as they are available

• Linux

Linux users should apply kernel and CPU microcode updates as soon as they are available from their distribution vendor, and follow any guidance to adjust system settings.

• iOS

Apple iOS devices use CPUs not known to be vulnerable to MDS.

• Android

Only Intel-based systems need to be patched once updates are available.