Last year security researchers revealed a set of vulnerabilities affecting the speculative execution feature used by many modern processors to enhance performance. Since the revelation of the Spectre and Meltdown vulnerabilities, a number of related vulnerabilities have been disclosed and today Intel and several groups of security experts have revealed a new set.

The new vulnerabilities have names like ZombieLoad, RIDL, and Fallout, but Intel calls the new group of vulnerabilities “Microarchitectural Data Sampling,” or MDS.

While it’s unclear if malicious hackers have made use of the vulnerabilities, theoretically they allow an attacker to access data on a personal computer or cloud server that shouldn’t be publicly accessible.

Intel says it’s begun including hardware-based mitigations to help protect against this class of vulnerability with its 8th-gen and 9th-gen Core processors. But Intel is also releasing microcode updates for many chips released in the past decade, and working with operating system makers to take further steps to offer software-based mitigations.

But while those steps could help protect your data, they could also take a toll on performance of your computer.

That’s because one of the things you may be able to do to help protect a system from these vulnerabilities is to disable hyperthreading. So if you have a computer with a 2-core/4-thread processor or a 4-core/8-thread chip, you might find yourself limited to running only as many threads as you have CPU cores after a software update.

Depending on the activity, you might not notice much difference… or you could see a pretty significant performance hit.

Microsoft says it’s working with Intel to develop mitigations… and offers guidance for steps Windows users may be able to take now which may also include disabling hyper-threading

Google says it’s already disabled hyperthreading by default in Chrome OS 74, but users who want to manually re-enable it can do so by opening chrome://flags#scheduler-configuration and changing the Hyper-Threading option from “conservative” to “performance.”

Canonical says updated linux kernel, qemu, and intel-microcode packages for are “being published as part of the standard Ubuntu security maintenance” for all currently-supported versions of Ubuntu, and updates should be coming for many other GNU/Linux distributions as well. But Canonical still notes that some users may want to disable hyperthreading for enhanced security.

And Apple says the latest versions of macOS includes security updates for the Safari web browser and suggests users only download trusted apps from the Mac App Store to avoid malware that would exploit the vulnerabilities… which seems like a kind of odd response to such a massive vulnerability. But Apple also offers the option of disabling hyperthreading for “full mitigation for MDS in macOS.”

You can read more about the new MDS attacks in Intel’s “deep dive” analysis.

via CPU.fail, Tom’s Hardware, Ars Technica, and Hacker News

Share this article: Share this: Facebook

Twitter

Reddit

Pocket

Tumblr

Pinterest

LinkedIn

Email

