How bad is the Intel chip Zombieload security vulnerability? It depends on who you ask. But the potential is grave, with attackers being able to spy on your data. Yes, the fixes are in, but even with operating system patches and new microcode, to fully protect your systems from potential Zombieload attackers, you must turn off Intel CPU hyper-threading.
If you don’t want your computers to run with one foot in a bucket, you do not want to turn off hyper-threading. But are your systems safe without turning it off? Intel thinks you’d be OK. But then, what else would it say? Other companies disagree.
Canonical, the company behind Ubuntu Linux, recommended disabling hyper-threading if the system is used to execute untrusted or potentially malicious code. Of course, no one means to run such code, but if you’re on a cloud, you have no control over what your neighbor in the next virtual machine (VM) over is running. Red Hat agreed that Zombieload can be especially dangerous on clouds.
As cloud-security company Twistlock CTO John Morello said, “This vulnerability is probably of greatest impact to dense, multi-tenant public cloud providers. In single-user environments, it’s far less interesting.”
Be that as it may, Apple and Google both warned that their macOS and Chrome OS users may want to disable hyper-threading to gain full protection. In fact, Google now disables hyper-threading by default starting with Chrome OS 74.
So, if you want to really protect your systems — virtual or physical — you must turn off hyper-threading. That comes at a terrible performance price.
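On Linux, the state the article describes (fixes applied, yet still exposed while hyper-threading is on) is reported by the kernel under its `mds` vulnerability entry, which covers Zombieload. The following is an added example, not part of the original article: it classifies a host from that status string and the SMT control value. The verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: classify Zombieload (MDS) exposure on Linux from sysfs.
# The sysfs paths are the kernel's; the verdict labels are this example's own.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# mds_verdict MDS_STATUS SMT_CONTROL
# Prints one of: not-affected, unpatched, patched-smt-exposed,
# patched-smt-safe, guest-host-unknown, unknown
mds_verdict() {
    mds_status=$1
    smt_control=$2
    case $mds_status in
        "Not affected"*) echo not-affected; return ;;
        # Bare "Vulnerable", or buffer clearing attempted without microcode.
        Vulnerable*)     echo unpatched; return ;;
        Mitigation:*)    ;;
        *)               echo unknown; return ;;
    esac
    # Kernel and microcode fixes are active; what is left is the
    # sibling-thread exposure the kernel appends after the semicolon.
    case $mds_status in
        *"SMT vulnerable"*)                 echo patched-smt-exposed ;;
        *"SMT disabled"*|*"SMT mitigated"*) echo patched-smt-safe ;;
        # Inside a VM the guest cannot see the host's SMT setting.
        *"SMT Host state unknown"*)         echo guest-host-unknown ;;
        *)  # No SMT suffix: fall back to the SMT control value.
            case $smt_control in
                on)                        echo patched-smt-exposed ;;
                off|forceoff|notsupported) echo patched-smt-safe ;;
                *)                         echo unknown ;;
            esac ;;
    esac
}

# Report on the local host when the kernel exposes the status file.
if [ -r "$MDS_FILE" ]; then
    smt=unknown
    if [ -r "$SMT_FILE" ]; then smt=$(cat "$SMT_FILE"); fi
    echo "MDS/Zombieload: $(mds_verdict "$(cat "$MDS_FILE")" "$smt")"
fi
```

A `patched-smt-exposed` result is the condition the article warns about. On Linux, SMT can be turned off at runtime by writing `off` to the SMT control file, or at boot with the `nosmt` kernel parameter.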
Submitted by: Arnfried Walbrecht