Following last year’s Meltdown and Spectre attacks, new Intel CPU vulnerabilities have emerged. Colloquially named “ZombieLoad,” Google has already taken steps to protect Chromebooks today, while Chrome OS 75 next month features additional mitigations.
“ZombieLoad” — also known as the Microarchitectural Data Sampling (MDS) vulnerabilities — is comprised of four issues that take advantage of CPU design flaws to let attackers read sensitive data. By visiting a website or running an Android app, users could execute code that exploits MDS to read sensitive memory contents.
If Chrome processes are attacked, these sensitive data could include website contents as well as passwords, credit card numbers, or cookies. The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or for an Android App to read privileged process memory (e.g. keymaster).
Given that most Chromebooks are powered by Intel, Google identified 77 currently supported devices that are affected. This includes the Pixelbook and Pixel Slate, as well as Chromebooks from Asus, Acer, Dell, HP, Lenovo, and Samsung. A full list is available below.
Intel was made aware of this issue a month ago and has been working with partners on updated microprocessor microcode. Google’s solution disables Hyper-Threading by default with Chrome OS 74, which rolled out earlier this month.
According to Google, the performance loss should be minimal, but dependent on the workload. Hyper-Threading can be re-enabled on a per machine basis:
The setting is located at chrome://flags#scheduler-configuration. The “performance” setting chooses the configuration that enables Hyper-Threading. The “conservative” setting chooses the configuration that disables Hyper-Threading.
Chrome OS 75 next month will feature additional mitigations. As of Tuesday, May 14th, “Google is not aware of any active exploitation of the MDS vulnerabilities.”
On other Google platforms, the Chrome browser is dependent on Apple and Microsoft fixes for macOS and Windows, respectively. The few Android devices that run Intel are impacted, but Google notes that the “vast majority of Android devices are not affected” due to ARM. More details are available on Chromium and the MDS attacks site that describes the CPU vulnerabilities in-depth.
|AOpen Chromebase Commercial||Google Chromebook Pixel (2015)|
|AOpen Chromebox Commercial||Google Pixelbook|
|ASI Chromebook||HEXA Chromebook Pi|
|ASUS Chromebook C200MA||
HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
|ASUS Chromebook C300MA||
HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
|ASUS Chromebook Flip C302||HP Chromebook 13 G1|
|ASUS Chromebox 3||HP Chromebook 14|
|ASUS Chromebox CN60||
HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
|ASUS Chromebox CN62||HP Chromebook x2|
|Acer C720 Chromebook||HP Chromebook x360 14|
|Acer Chromebase 24||
HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings
|Acer Chromebook 11 (C740)||HP Chromebox G2|
|Acer Chromebook 11 (C771 / C771T)||Haier Chromebook 11 G2|
|Acer Chromebook 13 (CB713-1W )||JP Sa Couto Chromebook|
|Acer Chromebook 15 (C910 / CB5-571)||LG Chromebase 22CB25S|
|Acer Chromebook 15 (CB3-531)||LG Chromebase 22CV241|
|Acer Chromebook Spin 13 (CP713-1WN)||Lenovo 100S Chromebook|
|Acer Chromebox||Lenovo N20 Chromebook|
|Acer Chromebox CXI2||Lenovo N21 Chromebook|
|Acer Chromebox CXI3||Lenovo ThinkCentre Chromebox|
|Bobicus Chromebook 11||Lenovo ThinkPad 11e Chromebook|
|CTL Chromebox CBx1||Lenovo Thinkpad X131e Chromebook|
|CTL N6 Education Chromebook||M&A Chromebook|
|Chromebook 11 (C730 / CB3-111)||Pixel Slate|
|Chromebook 11 (C735)||RGS Education Chromebook|
|Chromebook 14 for work (CP5-471)||Samsung Chromebook 2 11 – XE500C12|
|Chromebox Reference||Samsung Chromebook Plus (LTE)|
|Consumer Chromebook||Samsung Chromebook Plus (V2)|
|Crambo Chromebook||Samsung Chromebook Pro|
|Dell Chromebook 11||Senkatel C1101 Chromebook|
|Dell Chromebook 11 (3120)||Thinkpad 13 Chromebook|
|Dell Chromebook 13 3380||Toshiba Chromebook|
|Dell Chromebook 13 7310||Toshiba Chromebook 2|
|Dell Chromebox||Toshiba Chromebook 2 (2015 Edition)|
|Dell Inspiron Chromebook 14 2-in-1 7486||True IDC Chromebook|
|Education Chromebook||Videonet Chromebook|
|eduGear Chromebook R||ViewSonic NMP660 Chromebox|
|Edxis Chromebook||Yoga C630 Chromebook|
|Edxis Education Chromebook|