Why that 40% performance hit for full 'ZombieLoad' mitigations probably won't affect you
Tuesday's revelation of the existence of the "ZombieLoad" vulnerability, and the subsequent patching of the issue in macOS, has led some users to be angry about a potential 40% reduction in system performance for their Mac. While significant, that impact will really only affect a small percentage of Mac owners; the vast majority of complainants are upset about something they simply don't need to endure.
On Tuesday, researchers published details of a Meltdown and Spectre-like vulnerability in Intel's processors that could allow data to be acquired via a technique called "ZombieLoad," or Intel's sexier name for it, "Microarchitectural Data Sampling." By loading data into the processor that it cannot properly process, the processor can potentially leak data belonging to other apps, effectively allowing a malicious app to acquire sensitive data or to monitor the user's browsing habits.
Apple was quick to patch the problem as part of the macOS Mojave 10.14.5 update on Monday, protecting effectively all Macs released from 2011 onwards. The patch itself has no measurable performance hit on Macs when left in its default state; however, that default state does not provide a full mitigation for the vulnerability.
Full-bore losses
A full mitigation can be applied, eliminating any possibility of the issue affecting a Mac, but in the process it disables hyper-threading and, by Apple's estimates, reduces system performance by as much as 40%. This reduction applies only to those who enable the full mitigation in the Mojave update, as well as those who install Security Update 2019-003 for High Sierra and Sierra and similarly enable it.
This potential loss of performance immediately caused uproar from concerned users, though the anger is overblown, and not specific to the Mac.
A proof of concept for ZombieLoad showing it is able to monitor a user's browsing on a virtual machine on the Tor browser.
A loss of performance is only an issue if the person managing the Mac in question goes full bore on the mitigation. Unless the Mac is being used for highly secretive tasks, the user is a likely target of a sophisticated bad actor, or there is some other risk-based reason, there isn't really a need to turn on the full mitigation.
And, disabling Hyper-Threading will have the same impact on Windows systems too -- which is why Microsoft doesn't advise it.
Safari and sourcing
For the vast majority of Mac (or Windows) users, there is no need to enable the full mitigation. As per Apple's notes on the fixes, the bulk of the alterations were made to Safari, preventing exploitation of the vulnerabilities via JavaScript on a malicious website, and with "no measurable performance impact" to most users.
Along with Safari, those worried about the vulnerability, or malware in general, could easily take the time to update their security settings within macOS to download apps only from the Mac App Store. As apps from there are signed by Apple to make sure they haven't been tampered with or altered, they are far safer to download than versions acquired from elsewhere on the internet.
That isn't to say that you shouldn't download software from other sources, but seasoned users who can tell a good source from a malicious one can easily avoid the potential hazard of installing malware that uses the vulnerability.
Outside of Safari, incoming patches for other browsers, and being careful about what is downloaded and installed from the Internet, that leaves physical access to the Mac as the last avenue through which the vulnerability can be used. Quite frankly, at that point it becomes a case of either severe negligence on the user's part, or it enters the realm of a highly sophisticated attack by a nation state or organization, making it highly unlikely to ever happen to almost anyone.
An AppleInsider source within Apple corporate, not authorized to speak on behalf of the company, advised: "The Mojave patch from Monday has robust protections for MDS vulnerabilities. If users feel that they are at high risk for related attacks, we've enabled the ability to turn off hyper-threading in total in Mojave, Sierra, or High Sierra."
There is also the fact that the vulnerability has so far only been demonstrated as a proof-of-concept attack, and that it requires a high level of expertise to pull off. "There are no 'in the wild' exploits at this time for macOS," said the AppleInsider source, "and we aren't expecting any."
Unless you are a journalist investigating a rogue government's corruption, a person of interest to agents of espionage, dealing with state secrets, or something on a similar level, there is not really any benefit to using the full mitigations and sacrificing your Mac's performance. To nearly all of our readers, the update with fixes in Safari should be enough as it is to alleviate worries without going further.
Comments
Apple acted properly and quickly in this case.
It would be a lot better if Apple removed this uncertain factor (Intel) from the equation and used A processors across the product lines.
Right. This really doesn't affect consumer PCs much. This is much more of a problem for servers and publicly accessible workstations. Anything with multiple, simultaneous logins from untrusted users can be a problem. For regular Mac and PC users, this is minor and almost certainly not noticeable. For Cloud Services providers like Amazon and Google, this is a big deal since you could theoretically buy time on a server, install malicious software in your own partition and snoop on other users using the same physical server hardware.
HOW would one even enable the “full bore mitigation” discussed here?
EDIT: I see the link to the kb article now. Not sure if that was added or I couldn’t see it the first time around.
Users buy machines to suit their needs; at some point these issues add up to computers that don't get it done. It might take 1 patch or a dozen, but it's only a matter of time before it hits their pocketbook.
What other recourse do users have besides being pissed? Intel needs to get the message somehow.
The problem is Mac users don't have the option of jumping ship from Intel (to AMD) without leaving their investment in the Mac ecosystem. Windows users have the option of giving Intel the finger... that said, everyone is frustrated.
Yell loud, and yell long! Maybe Intel will get the message: the security of their products is really freaking important.
Anger is a waste of energy in this case. There's no grounds to express anger. It's the wrong emotion. Shock, disappointment, sure... but why anger? It won't accomplish anything except create stress and reduce one's life expectancy.
I don't know enough about AMD Zen2 processor lines (as referred to in the — unpaid? — ad near the top of the comments) to comment on moving laterally for some models of higher-end Macs, but you can rest assured that Apple: a) designed OS X to be fairly portable and b) is likely to have versions of OS X running on just about any chip even marginally capable of supporting the full OS. Motorola taught Apple that lesson a very long time ago. If Apple came to an agreement with AMD, it would probably not be much work to make Boot Camp work with those chips.
It’s kind of sad to see Intel having so many (self-inflicted) problems these days. I hope they can turn things around.
LOL
DELL has upped their AMD server units from 1 to 4 lines. HP as well. Large contracts have been waiting on ROME to arrive, including Google, Amazon Web Services and more.
Apple will save a massive amount of $$$ if they drop Intel and all the problems with it (i9 TDP?).
This kind of problem was the reason to drop nVidia, right? With this "40%" performance hit, customers will blame Apple while it's only Intel's fault.