Older Macs could be vulnerable to attacks crafted along the same lines as ZombieLoad – the most recent worrying major vulnerability in Intel’s processors – thanks to a lack of updates from Intel for the CPUs of the relevant machines.
This is an interesting one, because Apple initially listed a number of ‘unsupported Mac models’ from 2009 and 2010 – laptops and desktop PCs alike – stating that those machines can receive security updates in macOS Mojave, High Sierra or Sierra, but wouldn’t be able to support ZombieLoad mitigations “due to a lack of microcode updates [for the processors] from Intel”.
Apple Insider reached out to Apple to clarify exactly what was meant by this, and the Mac maker confirmed that these Macs will remain vulnerable to attack vectors similar to ZombieLoad because of the lack of microcode updates from Intel, but potential attackers won’t be able to leverage ZombieLoad itself against these machines.
In other words, owners of these older Macs are safe from ZombieLoad – which doesn’t affect Intel processors made before 2011 – but not from potential future spins on similar speculative execution vulnerabilities. Not until Intel steps up to the plate and provides those relevant updates.
The full list of these older Macs (which are still supported by Apple as ‘vintage’ machines, or are capable of running Mojave, the latest version of macOS) is as follows:
- MacBook (13-inch, Late 2009)
- MacBook (13-inch, Mid 2010)
- MacBook Air (13-inch, Late 2010)
- MacBook Air (11-inch, Late 2010)
- MacBook Pro (17-inch, Mid 2010)
- MacBook Pro (15-inch, Mid 2010)
- MacBook Pro (13-inch, Mid 2010)
- iMac (21.5-inch, Late 2009)
- iMac (27-inch, Late 2009)
- iMac (21.5-inch, Mid 2010)
- iMac (27-inch, Mid 2010)
- Mac mini (Mid 2010)
- Mac Pro (Late 2010)
Full mitigation – at a cost
Apple has also previously confirmed there are no known instances of ZombieLoad actually being exploited against Mac users, and that those who are worried about the prospect – perhaps with computers holding particularly sensitive data, or those running untrusted apps – can enable ‘full mitigation’ on their machine.
This isn’t really recommended, though, because it involves disabling hyper- threading on top of the ZombieLoad security fixes. And that could entail a performance hit of up to 40%, Apple observes, with the greater impacts to be felt on machines with beefy multi-core processors running demanding computing tasks that use all those cores.
Most Macs won’t have their performance levels almost cut in half, of course, as this is a worst-case scenario – but 40% is certainly a suitably alarming figure to see at first glance.
This latest security hole with Intel’s chips – and the potential performance impact of fixes – may well be another reason that bolsters Apple’s rumored determination to switch away from Intel processors. Particularly given that Intel’s recent manufacturing woes and CPU stock shortages are apparently to blame for the recent slump in Mac sales, according to Apple.
While Apple has certainly suffered from its own security problems in the past, they pale in comparison to Intel’s recent history of glaring bugs in its silicon, and by making its own ARM processors, Apple would at least be the master of its own destiny when it comes to avoiding CPU vulnerabilities (and much more besides).
Finally, don’t forget we’ve got a full guide on how to protect your devices against the ZombieLoad attack.