Using Chrome For Mac? Follow These Steps to Protect Yourself from ZombieLoad (Or Switch to Safari)

Chrome Icon On Mac Dock Credit: FOXARTBOX / Shutterstock

ZombieLoad is the latest huge security vulnerability to make the news — a flaw in just about every Intel CPU released since 2011 that could allow malware to access anything running in memory on your Mac or PC, including extremely sensitive data like passwords and cryptographic keys.

The good news for most Mac users is that Apple has already released a fix; it’s part of the macOS 10.14.5 update for Mojave users, and a pair of security updates for High Sierra and Sierra, intended for those Macs that are stuck on older macOS versions. Between the three updates, every Mac with an Intel chip affected by the vulnerability will be automatically protected from the most vulnerable access point for the flaw — malware that could come from a malicious web page that you might happen to visit in Safari.

However, the standard fix only applies if you’re using Apple’s own Safari browser. Apple says the fix is designed to prevent exploitation via malicious JavaScript code that could be found on websites, and notes that it has managed to do this without sacrificing performance. If you’re using another browser, you pretty much have to rely on its developer to provide the same sort of fix. Mozilla already has an update in the nightly builds that will be pushed out to the public next week, but Google is passing the buck, saying that it’s up to the operating system vendors to address the vulnerability.

The Chrome team investigated various mitigation options Chrome could take independently of the OS, but none were sufficiently complete or performant. Users should rely on operating system level mitigations.

Chrome Team

This means that if you’re using Google Chrome — and want to keep using it — you’ll have to take some additional steps that Apple has provided in order to make sure that you’re protected against ZombieLoad exploits.

Here’s how to fully harden your Mac against ZombieLoad if you’re using Google Chrome:

  1. Run Software Update to ensure that you’ve installed either macOS 10.14.5 (if you’re on Mojave) or Security Update 2019-003 if you’re on High Sierra or Sierra.
  2. Restart your Mac while holding down CMD+R on your keyboard.
  3. Your Mac should start in Recovery Mode. If this doesn’t happen, repeat step 2.
  4. From the Utilities menu, click Terminal.
  5. At the Terminal prompt, type: nvram boot-args="cwae=2"
  6. Press Enter.
  7. Then type: nvram SMTDisable=%01
  8. Press Enter.
  9. From the Apple menu, choose Restart to restart your Mac.

Following these steps will actually disable hyper-threading on your Mac’s Intel CPU, which will block any possibility of the ZombieLoad flaw being exploited, but could also cost you a performance hit of up to 40 percent, since you’re basically slowing down the CPU.

That said, it’s worth keeping in mind that this “full mitigation” fix isn’t just for Google Chrome — enabling it will completely protect you from any malware that might land on your Mac. However, since you likely have more direct control over any apps you specifically choose to install, there’s probably not a reason to take the 40 percent performance hit except to protect yourself against web-based attacks through the browser. Alternatively, you can of course simply switch to Safari, which is already patched, or Firefox, which soon will be.

You can also check that the fix has been enabled by looking for the hyper-threading status in your macOS System Information app:

  1. Click on the Apple menu
  2. Click About This Mac
  3. Click the System Report button
  4. Select Hardware from the sidebar

The word “Disabled” should appear beside Hyper-Threading Technology.
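
The same check can be scripted from Terminal after the restart. This is an added example, not from Apple or the original article. It assumes that `nvram -p` prints tab-separated name/value pairs and that `system_profiler SPHardwareDataType` includes a "Hyper-Threading Technology" line; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the "full mitigation" settings are in effect.
# Parsing is done on text passed as arguments, so it also runs off a Mac.

# Print the value of variable $2 from `nvram -p` text $1 (name<TAB>value).
nvram_value() {
    printf '%s\n' "$1" | awk -F'\t' -v n="$2" '$1 == n { print $2; exit }'
}

# Succeed if the boot-args string $1 contains the token cwae=2.
has_cwae2() {
    case " $1 " in
        *" cwae=2 "*) return 0 ;;
    esac
    return 1
}

# $1 = `nvram -p` text, $2 = `system_profiler SPHardwareDataType` text.
# Prints: active | set-not-active | not-set
mitigation_state() {
    boot_args=$(nvram_value "$1" boot-args)
    smt=$(nvram_value "$1" SMTDisable)
    ht=$(printf '%s\n' "$2" | sed -n 's/^ *Hyper-Threading Technology: *//p')
    if has_cwae2 "$boot_args" && [ "$smt" = "%01" ]; then
        # Both variables are set; confirm the CPU state matches.
        if [ "$ht" = "Disabled" ]; then echo "active"; else echo "set-not-active"; fi
    else
        echo "not-set"
    fi
}

# Constructed sample input (not captured from a real machine).
SAMPLE_NVRAM=$(printf 'boot-args\tcwae=2\nSMTDisable\t%%01')
SAMPLE_HW='      Processor Name: Intel Core i7
      Hyper-Threading Technology: Disabled'

if command -v nvram >/dev/null 2>&1 && command -v system_profiler >/dev/null 2>&1; then
    mitigation_state "$(nvram -p)" "$(system_profiler SPHardwareDataType)"
else
    mitigation_state "$SAMPLE_NVRAM" "$SAMPLE_HW"
fi
```

A result of `set-not-active` means both NVRAM variables are present but System Information does not report Hyper-Threading as Disabled; `not-set` means at least one of the two variables is missing.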

Should you want to disable the full mitigation feature later and re-enable hyper-threading, you will need to Reset NVRAM on your Mac, which is done by holding down OPT+CMD+P+R for about 20 seconds while restarting your Mac.
