Big tech is stepping in to patch newly disclosed security flaws affecting almost every Intel chip since 2011.
Researchers on 14 May 2019 released details of the vulnerability, known as ZombieLoad — or microarchitectural data sampling (MDS) as its technical name — which can leak sensitive data stored in the processor, such as passwords, secret keys and account tokens and private messages.
Apple released macOS fixes
Apple has fixes out for every Mac and MacBook released during and after 2011.
The tech giant said in an advisory that any system running macOS Mojave 10.14.5, released Monday, is patched. This will prevent an attack from being run through Safari and other apps. Most users won’t experience any decline in performance. But some Macs could face up to a 40% performance hit for those who opt-in to the full set of mitigations.
The security update will also be pushed to Sierra and High Sierra versions. iPhones, iPads and Apple Watch devices aren’t affected by the bugs.
Google patches Android, will update Chrome
The search and browser maker also confirmed it has released patches to mitigate against ZombieLoad.
Google said the “vast majority” of Android devices aren’t affected but Intel-only devices will need to be patched once device makers make updates available.
Chrome OS devices, such as Chromebooks, are already protected in the latest version, and permanent mitigations will be pushed to devices in the next version.
And, the company’s Chrome team has a technical advisory out, but said users should rely on patches for their computer. “Operating system vendors may release updates to improve isolation, so users should ensure they install any updates and follow any additional guidance from their operating system vendor,” said Google. In other words, make sure your Windows PC or your Mac is patched.
Google also rolled out patches to its data centers, so cloud customers are already patched, but should be aware of the company’s guidance.
Mozilla plans long-term Firefox fix
Firefox browser maker Mozilla said it’s got a long-term fix on the way.
“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”
“Firefox Beta and Firefox Nightly already include the change,” the spokesperson said, adding that no action was recommended for browsers on Windows and Linux.
Microsoft rolls out Windows updates
Microsoft has released patches for its operating system and cloud.
Jeff Jones, a senior director at Microsoft, said the software and cloud giant has been “working closely with affected chip manufacturers to develop and test mitigations” for its customers. “We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips,” he said.
In a TechNet article, the company said customers may need to obtain directly from their device maker microcode updates for their processor. Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.
Software updates will be released Tuesday also through Windows Update. Microsoft also has a page with guidance for how to protect against the new attacks.
Microsoft Azure customers are already protected, the company said.
Amazon patches AWS
A spokesperson for Amazon has confirmed its cloud service Amazon Web Services has been updated to prevent attacks.
“AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS,” said an advisory posted on Amazon’s website. “All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.”