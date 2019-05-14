Now that most of the world has had time to forget about Spectre and Meltdown, let’s discuss Intel’s latest security flaw that could put users at risk of exposing sensitive information including but not limited to, website data, passwords, credit card information and cookies. (Don’t touch my cookies. Seriously, we’ll fight.)
ZombieLoad Attack
The newest vulnerability in Intel processors, ZombieLoad Attack, has been reported to affect Intel chips manufactured as far back as 2011. That means there is a very good chance you are at risk if you’re using an Intel-powered device. Additionally, your operating system won’t save you from the flaw. Chrome OS, Mac, Windows and Linux alike have all issued instructions on how to mitigate an attack.
What’s the risk?
ZombieLoad Attack takes advantage of MDS (Microarchitectural Data Sampling) which can allow an attacker to access sensitive information as it is accessed by the user. From the Chromium Project:
The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or for an Android App to read privileged process memory (e.g. keymaster).
All major platforms are taking steps at varying degrees to mitigate the vulnerability but all agree that the only way to fully protect your system is to disable hyper-threading.
What is hyper-threading?
In layman’s terms, hyper-threading technology allows a processor’s physical core to be split into two virtual cores that can run two independent processes side-by-side. In some instances, this can result in efficiency increases in device performance.
Disabling this feature varies depending on your operating system but Google has taken an offensive approach and disabled hyper-threading by default in Chrome OS 74.
To protect users, Chrome OS 74 disables Hyper-Threading by default. For the majority of our users, whose workflows are primarily interactive, this mitigates the security risk of MDS without a noticeable loss of responsiveness. Chrome OS 75 will contain additional mitigations.via The Chromium Project
Vulnerable Chrome Devices
|AOpen Chromebase Commercial
AOpen Chromebox Commercial
ASI Chromebook
ASUS Chromebook C200MA
ASUS Chromebook C300MA
ASUS Chromebook Flip C302
ASUS Chromebox 3
ASUS Chromebox CN60
ASUS Chromebox CN62
Acer C720 Chromebook
Acer Chromebase 24
Acer Chromebook 11 (C740)
Acer Chromebook 11 (C771 / C771T)
Acer Chromebook 13 (CB713-1W )
Acer Chromebook 15 (C910 / CB5-571)
Acer Chromebook 15 (CB3-531)
Acer Chromebook Spin 13 (CP713-1WN)
Acer Chromebox
Acer Chromebox CXI2
Acer Chromebox CXI3
Bobicus Chromebook 11
CTL Chromebox CBx1
CTL N6 Education Chromebook
Chromebook 11 (C730 / CB3-111)
Chromebook 11 (C735)
Chromebook 14 for work (CP5-471)
Chromebox Reference
Consumer Chromebook
Crambo Chromebook
Dell Chromebook 11
Dell Chromebook 11 (3120)
Dell Chromebook 13 3380
Dell Chromebook 13 7310
Dell Chromebox
Dell Inspiron Chromebook 14 2-in-1 7486
Education Chromebook
eduGear Chromebook R
Edxis Education Chromebook
Google Chromebook Pixel (2015)
|Google Pixelbook
HEXA Chromebook Pi
HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
HP Chromebook 13 G1
HP Chromebook 14
HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
HP Chromebook x2
HP Chromebook x360 14
HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings
HP Chromebox G2
Haier Chromebook 11 G2
JP Sa Couto Chromebook
LG Chromebase 22CB25S
LG Chromebase 22CV241
Lenovo 100S Chromebook
Lenovo N20 Chromebook
Lenovo N21 Chromebook
Lenovo ThinkCentre Chromebox
Lenovo ThinkPad 11e Chromebook
Lenovo Thinkpad X131e Chromebook
M&A Chromebook
Pixel Slate
RGS Education Chromebook
Samsung Chromebook 2 11 – XE500C12
Samsung Chromebook Plus (LTE)
Samsung Chromebook Plus (V2)
Samsung Chromebook Pro
Senkatel C1101 Chromebook
Thinkpad 13 Chromebook
Toshiba Chromebook
Toshiba Chromebook 2
Toshiba Chromebook 2 (2015 Edition)
True IDC Chromebook
Videonet Chromebook
ViewSonic NMP660 Chromebox
Yoga C630 Chromebook
If users are concerned about performance loss on devices under heavy workloads, hyper-threading can be enabled following the steps outlined here. Additionally, admins can enable the feature for Enterprise via the admin console.
While we are obviously Chrome-centric, security is important no matter what brought you to our site. If you are operating on a system that’s not Chrome OS, you can find steps to disable hyper-threading for your specific OS at the links below.
We will bring more updates on ZombieLoad Attack as we get them but for now, head to your settings page and make sure your Chromebook is up-to-date with the latest version. For more information on MDS, Hyper-threading and Chrome OS, check out the Chromium Project. You can also find information about other Google platforms that could be affected by ZombieLoad Attack here.
Source: Chromium Project, The Register