Now that most of the world has had time to forget about Spectre and Meltdown, let’s discuss Intel’s latest security flaw that could put users at risk of exposing sensitive information including but not limited to, website data, passwords, credit card information and cookies. (Don’t touch my cookies. Seriously, we’ll fight.)

ZombieLoad Attack

The newest vulnerability in Intel processors, ZombieLoad Attack, has been reported to affect Intel chips manufactured as far back as 2011. That means there is a very good chance you are at risk if you’re using an Intel-powered device. Additionally, your operating system won’t save you from the flaw. Chrome OS, Mac, Windows and Linux alike have all issued instructions on how to mitigate an attack.

What’s the risk?

ZombieLoad Attack takes advantage of MDS (Microarchitectural Data Sampling) which can allow an attacker to access sensitive information as it is accessed by the user. From the Chromium Project:

The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or for an Android App to read privileged process memory (e.g. keymaster).

All major platforms are taking steps at varying degrees to mitigate the vulnerability but all agree that the only way to fully protect your system is to disable hyper-threading.

What is hyper-threading?

In layman’s terms, hyper-threading technology allows a processor’s physical core to be split into two virtual cores that can run two independent processes side-by-side. In some instances, this can result in efficiency increases in device performance.

Disabling this feature varies depending on your operating system but Google has taken an offensive approach and disabled hyper-threading by default in Chrome OS 74.

To protect users, Chrome OS 74 disables Hyper-Threading by default. For the majority of our users, whose workflows are primarily interactive, this mitigates the security risk of MDS without a noticeable loss of responsiveness. Chrome OS 75 will contain additional mitigations. via The Chromium Project

Vulnerable Chrome Devices

AOpen Chromebase Commercial

AOpen Chromebox Commercial

ASI Chromebook

ASUS Chromebook C200MA

ASUS Chromebook C300MA

ASUS Chromebook Flip C302

ASUS Chromebox 3

ASUS Chromebox CN60

ASUS Chromebox CN62

Acer C720 Chromebook

Acer Chromebase 24

Acer Chromebook 11 (C740)

Acer Chromebook 11 (C771 / C771T)

Acer Chromebook 13 (CB713-1W )

Acer Chromebook 15 (C910 / CB5-571)

Acer Chromebook 15 (CB3-531)

Acer Chromebook Spin 13 (CP713-1WN)

Acer Chromebox

Acer Chromebox CXI2

Acer Chromebox CXI3

Bobicus Chromebook 11

CTL Chromebox CBx1

CTL N6 Education Chromebook

Chromebook 11 (C730 / CB3-111)

Chromebook 11 (C735)

Chromebook 14 for work (CP5-471)

Chromebox Reference

Consumer Chromebook

Crambo Chromebook

Dell Chromebook 11

Dell Chromebook 11 (3120)

Dell Chromebook 13 3380

Dell Chromebook 13 7310

Dell Chromebox

Dell Inspiron Chromebook 14 2-in-1 7486

Education Chromebook

eduGear Chromebook R

Edxis Education Chromebook

Google Chromebook Pixel (2015)

Google Pixelbook

HEXA Chromebook Pi

HP Chromebook 11 2100-2199 / HP Chromebook 11 G3

HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE

HP Chromebook 13 G1

HP Chromebook 14

HP Chromebook 14 ak000-099 / HP Chromebook 14 G4

HP Chromebook x2

HP Chromebook x360 14

HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings

HP Chromebox G2

Haier Chromebook 11 G2

JP Sa Couto Chromebook

LG Chromebase 22CB25S

LG Chromebase 22CV241

Lenovo 100S Chromebook

Lenovo N20 Chromebook

Lenovo N21 Chromebook

Lenovo ThinkCentre Chromebox

Lenovo ThinkPad 11e Chromebook

Lenovo Thinkpad X131e Chromebook

M&A Chromebook

Pixel Slate

RGS Education Chromebook

Samsung Chromebook 2 11 – XE500C12

Samsung Chromebook Plus (LTE)

Samsung Chromebook Plus (V2)

Samsung Chromebook Pro

Senkatel C1101 Chromebook

Thinkpad 13 Chromebook

Toshiba Chromebook

Toshiba Chromebook 2

Toshiba Chromebook 2 (2015 Edition)

True IDC Chromebook

Videonet Chromebook

ViewSonic NMP660 Chromebox

Yoga C630 Chromebook

If users are concerned about performance loss on devices under heavy workloads, hyper-threading can be enabled following the steps outlined here. Additionally, admins can enable the feature for Enterprise via the admin console.

While we are obviously Chrome-centric, security is important no matter what brought you to our site. If you are operating on a system that’s not Chrome OS, you can find steps to disable hyper-threading for your specific OS at the links below.

Microsoft Windows

Apple MacOS

Red Hat (Linux)

Ubuntu

We will bring more updates on ZombieLoad Attack as we get them but for now, head to your settings page and make sure your Chromebook is up-to-date with the latest version. For more information on MDS, Hyper-threading and Chrome OS, check out the Chromium Project. You can also find information about other Google platforms that could be affected by ZombieLoad Attack here.

Source: Chromium Project, The Register