
MDS 'Zombieload' attacks against Intel CPUs: What's your patch status?

Where to get updates for Zombieload, RIDL, Fallout, and all the new Intel MDS vulnerabilities.
Written by Catalin Cimpanu, Contributor

Earlier this week, a group of academics and security researchers disclosed a new vulnerability class impacting Intel CPUs.

Known as Microarchitectural Data Sampling (MDS) attacks, these vulnerabilities allow threat actors to retrieve data that is being processed inside Intel CPUs, even from processes that an attacker's code should not have access to.

Four MDS attacks have been disclosed today, with Zombieload being considered the most dangerous of them all:

  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) [codenamed Fallout] 
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) [codenamed Zombieload, or RIDL] 
  • CVE-2018-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren't available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.

Below is a summary of all the fixes currently available for today's MDS attacks, along with support pages describing additional mitigation techniques.

Intel

In a security advisory, Intel said today that it has released microcode updates to device and motherboard vendors.

When these microcode updates will end up on users' computers is anybody's guess. If we're to learn anything from the Meltdown and Spectre patching process, the answer is probably never, and Microsoft will eventually have to step in and deliver Intel's microcode updates as part of the Windows Update process, just like it did for Meltdown and Spectre last year.

In the meantime, Intel has published a list of impacted Intel processors, complete with in-depth details about the status of available microcode updates for each CPU model.

Microsoft

Until the Intel microcode updates reach users' computers, Microsoft has published OS-level updates to address the four MDS vulnerabilities.

Per Microsoft's MDS security advisory, OS updates are available for Windows and Windows Server, as well as for SQL Server databases.

Azure clients are already protected because Microsoft has already taken steps to patch its cloud infrastructure and mitigate the threat.

Apple

Mitigations for MDS attacks have been deployed with macOS Mojave 10.14.5, released today.

"This update prevents exploitation of these vulnerabilities via JavaScript or as a result of navigating to a malicious website in Safari," Apple said.

The fix has no "measurable performance impact," the company added.

iOS devices use CPUs not known to be vulnerable to MDS, so they don't need special mitigations, for now.

Linux

The fragmented Linux ecosystem will be slow to receive patches. At the time of writing, only Red Hat and Ubuntu have announced fixes for their distros.
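
On Linux, the requirement above that both the microcode and the OS update be in place can be checked directly: kernels that carry the MDS fixes report their state in `/sys/devices/system/cpu/vulnerabilities/mds`. The script below is an added example, not part of the original article; `classify_mds` and the sample lines are constructed for illustration, and the status strings follow the format the kernel documents for that file.

```python
from pathlib import Path

# Status file exposed by Linux kernels that carry the MDS patches.
MDS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample reports, in the format the kernel writes to that file.
SAMPLES = [
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
]

def classify_mds(status):
    """Map the kernel's one-line MDS report (None if the file is absent)
    to microcode state, SMT exposure and an overall verdict."""
    if status is None:  # no such file: running kernel predates the MDS fixes
        return {"kernel_patched": False, "microcode": None,
                "smt_exposed": None, "verdict": "install OS update"}
    head, _, smt = (part.strip() for part in status.partition(";"))
    if head == "Not affected":
        return {"kernel_patched": True, "microcode": None,
                "smt_exposed": False, "verdict": "CPU not affected"}
    if head.startswith("Mitigation:"):
        microcode = True    # buffer clearing is backed by updated microcode
    elif "no microcode" in head:
        microcode = False   # kernel attempts clearing, CPU update is missing
    else:
        microcode = None    # mitigation switched off, state not reported
    # Anything else (e.g. "SMT Host state unknown" in a guest) maps to None.
    smt_exposed = {"SMT vulnerable": True, "SMT disabled": False,
                   "SMT mitigated": False}.get(smt)
    if microcode is False:
        verdict = "install microcode update"
    elif microcode is None:
        verdict = "vulnerable: mitigation not enabled"
    elif smt_exposed:
        verdict = "mitigated, but SMT is on and still exposed"
    elif smt_exposed is None:
        verdict = "mitigated, SMT state unknown"
    else:
        verdict = "mitigated"
    return {"kernel_patched": True, "microcode": microcode,
            "smt_exposed": smt_exposed, "verdict": verdict}

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r} -> {classify_mds(line)['verdict']}")
    live = MDS_PATH.read_text() if MDS_PATH.exists() else None
    print("this host ->", classify_mds(live)["verdict"])
```

A host that reports "install microcode update" has the OS patch but not the CPU update, which is the half-patched state the article describes as not fully mitigated.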

Google

Google published a help page today that lists the status of each product and how it's impacted by today's MDS attacks.

Per this page, Google's cloud infrastructure has already received all the proper protections, similar to Azure. Some Google Cloud Platform customers may need to review some settings, but G Suite and Google Apps customers don't have to do anything.

Chrome OS has disabled Hyper-Threading on Chrome OS 74 and subsequent versions. This protects against MDS attacks, Google said.

Android users are not impacted. Google said OS-level mitigations should protect Chrome browser users.

Amazon

Just like Google and Microsoft, Amazon said it already patched and applied mitigations to its cloud servers on behalf of its users.
