https://techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/
I introduce Spectre and Meltdown. Part III
This is pretty bad, and just as bad as the last two.
That along with the RDP vulnerability that came out recently.
![]() ![]() |
The frustrating part of these exploits is not so much the security vulnerability but rather Intel's solutions affecting performance. This microcode patch is going to be a 3% hit. Taking into consideration the previous patches as well we are looking at a 10% hit in total to performance.
-
Na AMD will be hit just as hard if they ever become big enough to target. Last I heard it's still sub 10% so unless you have something juicy its just not worth the effort. Both are pretty guilty of taking "shortcuts" in the name of performance that opens risk
Still, Fun fun fun been for IT guys patching this in secure enviroments
Beccara:
Still, Fun fun fun been for IT guys patching this in secure enviroments
I hear you.... But if you don't have a process to patch in airgapped networks then you're opening yourself up to compromise. All it takes is one idiot to inadvertently plug a non-authorized device into the network to bring it down. Anyone say UK NHS and WannaCry. That being said moving the USB thumb drive between networks to hold the patches is an attack vector, hence why you need to manage things properly.
premiumtouring:
The frustrating part of these exploits is not so much the security vulnerability but rather Intel's solutions affecting performance. This microcode patch is going to be a 3% hit. Taking into consideration the previous patches as well we are looking at a 10% hit in total to performance.
Which would pretty much revert us to the performance gains over the last 5+ years.
Yeah its all just man-hours, Almost just need to employ a person who does nothing but running around doing 0-day mitigation. Gotta love the MS blog title, They ain't messing around
Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
We've just published some blogs on the issue
Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.
"An Apple support document on the ZombieLoad vulnerability provides details for "full mitigation" protection that can be enabled for customers with computers at heightened risk or that run untrusted software on their Macs.
Full mitigation requires using the Terminal app to enable additional CPU instructions and disable hyper-threading processing technology, which is available for macOS Mojave, High Sierra, and Sierra, but not on certain older machines. Apple says full mitigation could reduce performance by up to 40 percent, so most users will not want to enable it.
According to Intel, its microcode updates will have an impact on processor performance, but for the patch that Apple released in macOS Mojave 10.14.5, there was no measurable performance impact. Apple's fix prevents the exploitation of ZombieLoad vulnerabilities via JavaScript in Safari."
As much as 40%. Jesus.
I'd be super interested in seeing CPU reviewers go back and re:benchmark these "patched" Intel processors, and see whether or not they still hold water versus the AMD counterparts in testing.
-
40%, seriously?
I am wondering what precedent there would be for a class action law suit?
I will be interested to see what Windows Performance hit ends up as?
Hopefully it's like the specter patches that had a 30% performance hit but only on some odd ball use cases. We saw 1-2% at best which was what others were seeing too
The 40% performance hit would come from disabling HYPErthreading, if and only if the target application set could actually advantageously use HYPErthreading.
It is interesting to note that BSD has HYPErthreading turned off by default, not only because of the security issues it brings, but also because many workloads - particularly server-type workloads - don't gain any advantage, and sometime a disadvantage, from having it on.
In the Windows world, it was regarded as Best Practice to turn off HYPErthreading for MS SQL Server instances, for example.
YMMV
And isn't it interesting to have both AMD and ARM come out and say words to the effect of "We don't have this issue, it's an Intel® special"
Both my iMac and MacBook, as part of 10.14.5 came up with firmware updates which has:
Hyper-Threading Technology: Enabled
In 'System Information' along with an updated BootROM which makes wonder whether it has been patched with the new microcode as well. I haven't noticed any performance degradation but then again I really haven't stress tested it much since the update.
"When the people are being beaten with a stick, they are not much happier if it is called 'the People's Stick'"
Worth keeping an eye on ARM and Intel but even with a 40% hit on everything Intel still win in thermal/power management in a rack
PolicyGuy:
It is interesting to note that BSD has HYPErthreading turned off by default
OpenBSD does, because Theo decided it would be so. Other BSD distros like FreeBSD, macOS haven't done this.
![]() ![]() |