Now that most of the world has had time to forget about Spectre and Meltdown, let’s discuss Intel’s latest security flaw that could put users at risk of exposing sensitive information including but not limited to, website data, passwords, credit card information and cookies. (Don’t touch my cookies. Seriously, we’ll fight.)
ZombieLoad Attack
The newest vulnerability in Intel processors, ZombieLoad Attack, has been reported to affect Intel chips manufactured as far back as 2011. That means there is a very good chance you are at risk if you’re using an Intel-powered device. Additionally, your operating system won’t save you from the flaw. Chrome OS, Mac, Windows and Linux alike have all issued instructions on how to mitigate an attack.
What’s the risk?
ZombieLoad Attack takes advantage of MDS (Microarchitectural Data Sampling) which can allow an attacker to access sensitive information as it is accessed by the user. From the Chromium Project:
The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or for an Android App to read privileged process memory (e.g. keymaster).
All major platforms are taking steps at varying degrees to mitigate the vulnerability but all agree that the only way to fully protect your system is to disable hyper-threading.
What is hyper-threading?
In layman’s terms, hyper-threading technology allows a processor’s physical core to be split into two virtual cores that can run two independent processes side-by-side. In some instances, this can result in efficiency increases in device performance.
Disabling this feature varies depending on your operating system but Google has taken an offensive approach and disabled hyper-threading by default in Chrome OS 74.
To protect users, Chrome OS 74 disables Hyper-Threading by default. For the majority of our users, whose workflows are primarily interactive, this mitigates the security risk of MDS without a noticeable loss of responsiveness. Chrome OS 75 will contain additional mitigations.
via The Chromium Project
Vulnerable Chrome Devices
- AOpen Chromebase Commercial
- AOpen Chromebox Commercial
- ASI Chromebook
- ASUS Chromebook C200MA
- ASUS Chromebook C300MA
- ASUS Chromebook Flip C302
- ASUS Chromebox 3
- ASUS Chromebox CN60
- ASUS Chromebox CN62
- Acer C720 Chromebook
- Acer Chromebase 24
- Acer Chromebook 11 (C740)
- Acer Chromebook 11 (C771 / C771T)
- Acer Chromebook 13 (CB713-1W )
- Acer Chromebook 15 (C910 / CB5-571)
- Acer Chromebook 15 (CB3-531)
- Acer Chromebook Spin 13 (CP713-1WN)
- Acer Chromebox
- Acer Chromebox CXI2
- Acer Chromebox CXI3
- Bobicus Chromebook 11
- CTL Chromebox CBx1
- CTL N6 Education Chromebook
- Chromebook 11 (C730 / CB3-111)
- Chromebook 11 (C735)
- Chromebook 14 for work (CP5-471)
- Chromebox Reference
- Consumer Chromebook
- Crambo Chromebook
- Dell Chromebook 11
- Dell Chromebook 11 (3120)
- Dell Chromebook 13 3380
- Dell Chromebook 13 7310
- Dell Chromebox
- Dell Inspiron Chromebook 14 2-in-1 7486
- Education Chromebook
- eduGear Chromebook R
- Edxis Education Chromebook
- Google Chromebook Pixel (2015)
- Google Pixelbook
- HEXA Chromebook Pi
- HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
- HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
- HP Chromebook 13 G1
- HP Chromebook 14
- HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
- HP Chromebook x2
- HP Chromebook x360 14
- HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings
- HP Chromebox G2
- Haier Chromebook 11 G2
- JP Sa Couto Chromebook
- LG Chromebase 22CB25S
- LG Chromebase 22CV241
- Lenovo 100S Chromebook
- Lenovo N20 Chromebook
- Lenovo N21 Chromebook
- Lenovo ThinkCentre Chromebox
- Lenovo ThinkPad 11e Chromebook
- Lenovo Thinkpad X131e Chromebook
- M&A Chromebook
- Pixel Slate
- RGS Education Chromebook
- Samsung Chromebook 2 11 – XE500C12
- Samsung Chromebook Plus (LTE)
- Samsung Chromebook Plus (V2)
- Samsung Chromebook Pro
- Senkatel C1101 Chromebook
- Thinkpad 13 Chromebook
- Toshiba Chromebook
- Toshiba Chromebook 2
- Toshiba Chromebook 2 (2015 Edition)
- True IDC Chromebook
- Videonet Chromebook
- ViewSonic NMP660 Chromebox
- Yoga C630 Chromebook
If users are concerned about performance loss on devices under heavy workloads, hyper-threading can be enabled following the steps outlined here. Additionally, admins can enable the feature for Enterprise via the admin console.
While we are obviously Chrome-centric, security is important no matter what brought you to our site. If you are operating on a system that’s not Chrome OS, you can find steps to disable hyper-threading for your specific OS at the links below.
We will bring more updates on ZombieLoad Attack as we get them but for now, head to your settings page and make sure your Chromebook is up-to-date with the latest version. For more information on MDS, Hyper-threading and Chrome OS, check out the Chromium Project. You can also find information about other Google platforms that could be affected by ZombieLoad Attack here.
Source: Chromium Project, The Register
Leave a Reply
You must be logged in to post a comment.