Patch status for the new MDS attacks against Intel CPUs
Earlier today, a group of academics and security researchers disclosed a new vulnerability class impacting Intel CPUs.
Known as Microarchitectural Data Sampling (MDS) attacks, these vulnerabilities allow threat actors to retrieve data that is being processed inside Intel CPUs, even from processes an attacker’s code should not have access.
Four MDS attacks have been disclosed today, with Zombieload being considered the most dangerous of them all:
- CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS) [codenamed Fallout]
- CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS) [codenamed Zombieload, or RIDL]
- CVE-2018-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks.
Below is a summary of all the fixes currently available for today’s MDS attacks, along with support pages describing additional mitigation techniques.
In a security advisory, Intel said today that it released updated Intel microcode updates to device and motherboard vendors.
When would these microcode updates end up on users’ computers, it’s anybody’s guess. If we’re to learn anything from the Meltdown and Spectre patching process, the answer is probably never, and Microsoft will eventually have to step in and deliver Intel’s microcode updates part of the Windows Update process, just like it did for Meltdown and Spectre last year.
In the meantime, Intel has published a list of impacted Intel processors, complete with in-depth details about the status of available microcode updates for each CPU model.
Until the Intel microcode updates reach users’ computers, Microsoft has published OS-level updates to address the four MDS vulnerabilities.
Azure clients are already protected because Microsoft has already taken steps to patch its cloud infrastructure and mitigate the threat.
Mitigations for MDS attacks have been deployed with macOS Mojave 10.14.5, released today.
The fix has no “measurable performance impact,” the company added.
iOS devices use CPUs not known to be vulnerable to MDS, so they don’t need special mitigations, for now.
Google published a help page today that lists the status of each product and how it’s impacted by today’s MDS attacks.
Per this page, Google’s cloud infrastructure has already received all the proper protections, similar to Azure. Some Google Cloud Platform customers may need to review some settings, but G Suite and Google Apps customers don’t have to do anything.
Chrome OS has disabled Hyper-Threading on Chrome OS 74 and subsequent versions. This protects against MDS attacks, Google said.
Android users are not impacted. Google said OS-level mitigations should protect Chrome browser users.
Just like Google and Microsoft, Amazon said it already patched and applied mitigations to its cloud servers on behalf of its users.