ZombieLoad is the latest huge security vulnerability to make the news — a flaw in just about every Intel CPU released since 2011 that could allow malware to access anything running in memory on your Mac or PC, including extremely sensitive data like passwords and cryptographic keys.
The good news for most Mac users is that Apple has already released a fix; it’s part of the macOS 10.14.5 update for Mojave users, and a pair of security updates for High Sierra and Sierra, intended for those Macs that are stuck on older macOS versions. Between the three updates, every Mac with an Intel chip affected by the vulnerability will be automatically protected from the most vulnerable access point for the flaw — malware that could come from a malicious web page that you might happen to visit in Safari.
“The Chrome team investigated various mitigation options Chrome could take independently of the OS, but none were sufficiently complete or performant. Users should rely on operating system level mitigations.” (Chrome Team)
This means that if you’re using Google Chrome — and want to keep using it — you’ll have to take some additional steps that Apple has provided in order to make sure that you’re protected against ZombieLoad exploits.
Here’s how to fully harden your Mac against ZombieLoad if you’re using Google Chrome:
1. Run Software Update to ensure that you’ve installed either macOS 10.14.5 (if you’re on Mojave) or Security Update 2019-003 if you’re on High Sierra or Sierra.
2. Restart your Mac while holding down CMD+R on your keyboard.
3. Your Mac should start in Recovery Mode. If this doesn’t happen, repeat step 2.
4. From the Utilities menu, click Terminal.
5. At the Terminal prompt, type: nvram boot-args="cwae=2"
6. Press Enter.
7. Then type: nvram SMTDisable=%01
8. Press Enter.
9. From the Apple menu, choose Restart to restart your Mac.
Following these steps will actually disable hyper-threading on your Mac’s Intel CPU, which will block any possibility of the ZombieLoad flaw being exploited, but could also cost you a performance hit of up to 40 percent, since you’re basically slowing down the CPU.
That said, it’s worth keeping in mind that this “full mitigation” fix isn’t just for Google Chrome — enabling it will completely protect you from any malware that might land on your Mac. However, since you likely have more direct control over any apps you specifically choose to install, there’s probably not a reason to take the 40 percent performance hit except to protect yourself against web-based attacks through the browser. Alternatively, you can of course simply switch to Safari, which is already patched, or Firefox, which soon will be.
You can also check that the fix has been enabled by looking for the hyper-threading status in your macOS System Information app:
- Click on the Apple Menu
- Click About This Mac
- Click the System Report button
- Select Hardware from the sidebar
The word “Disabled” should appear beside Hyper-Threading Technology.
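The same check can be done from Terminal. The script below is an added example, not something from Apple or the original article; it assumes `nvram -p` prints each variable as a name and value separated by a tab, and that `system_profiler SPHardwareDataType` prints a "Hyper-Threading Technology:" line. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: report whether the full mitigation set up in the steps above is active.
# Assumed formats: `nvram -p` prints "name<TAB>value" per line; system_profiler
# prints "Hyper-Threading Technology: Enabled" or "... Disabled".

# nvram_value NAME: read `nvram -p` style text on stdin and print NAME's value.
nvram_value() {
    awk -F '\t' -v name="$1" '$1 == name { print $2; exit }'
}

# ht_status: read system_profiler hardware text on stdin and print the status word.
ht_status() {
    awk -F ': *' '/Hyper-Threading Technology/ { print $2; exit }'
}

# mitigation_state NVRAM_TEXT PROFILER_TEXT prints one of:
#   full    - both NVRAM variables are set and hyper-threading shows Disabled
#   pending - both variables are set but hyper-threading does not show Disabled
#   off     - the variables are not set as in the steps above
mitigation_state() {
    boot_args=$(printf '%s\n' "$1" | nvram_value boot-args)
    smt=$(printf '%s\n' "$1" | nvram_value SMTDisable)
    ht=$(printf '%s\n' "$2" | ht_status)
    # boot-args can hold several space-separated flags; look for cwae=2 as a whole word.
    case " $boot_args " in
        *" cwae=2 "*) cwae_ok=1 ;;
        *) cwae_ok=0 ;;
    esac
    if [ "$cwae_ok" = 1 ] && [ "$smt" = "%01" ]; then
        if [ "$ht" = "Disabled" ]; then echo full; else echo pending; fi
    else
        echo off
    fi
}

if command -v nvram >/dev/null 2>&1 && command -v system_profiler >/dev/null 2>&1; then
    # On a Mac: check the live system.
    mitigation_state "$(nvram -p)" "$(system_profiler SPHardwareDataType)"
else
    # Not on a Mac: run on constructed sample input instead.
    tab=$(printf '\t')
    mitigation_state "boot-args${tab}cwae=2
SMTDisable${tab}%01" "      Hyper-Threading Technology: Disabled"
fi
```

A result of "off" after an NVRAM reset is expected, since the reset clears both variables.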
Should you want to disable the full mitigation feature later and re-enable hyper-threading, you will need to Reset NVRAM on your Mac, which is done by holding down OPT+CMD+P+R for about 20 seconds while restarting your Mac.