Following last year’s Meltdown and Spectre attacks, new Intel CPU vulnerabilities have emerged, colloquially named “ZombieLoad.” Google has already taken steps to protect Chromebooks today, while Chrome OS 75 next month features additional mitigations.

“ZombieLoad” — also known as the Microarchitectural Data Sampling (MDS) vulnerabilities — comprises four issues that take advantage of CPU design flaws to let attackers read sensitive data. By visiting a website or running an Android app, users could execute code that exploits MDS to read sensitive memory contents.

If Chrome processes are attacked, this sensitive data could include website contents as well as passwords, credit card numbers, or cookies. The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or for an Android app to read privileged process memory (e.g. keymaster).

Given that most Chromebooks are powered by Intel, Google identified 77 currently supported devices that are affected. This includes the Pixelbook and Pixel Slate, as well as Chromebooks from Asus, Acer, Dell, HP, Lenovo, and Samsung. A full list is available below.

Intel was made aware of this issue a month ago and has been working with partners on updated microprocessor microcode. Google’s solution disables Hyper-Threading by default with Chrome OS 74, which rolled out earlier this month.

According to Google, the performance loss should be minimal but depends on the workload. Hyper-Threading can be re-enabled on a per-machine basis:

The setting is located at chrome://flags#scheduler-configuration. The “performance” setting chooses the configuration that enables Hyper-Threading. The “conservative” setting chooses the configuration that disables Hyper-Threading.
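An added example, not from the article or from Google: one way to confirm on a Linux-based host that the mitigation described above (buffer clearing plus Hyper-Threading disabled) is in effect, by interpreting the status strings the Linux kernel reports for MDS and SMT. The sysfs paths, the function names and the sample values are assumptions that do not appear on the page.

```python
from pathlib import Path

# Assumed Linux sysfs locations; they are not mentioned in the article.
MDS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_PATH = Path("/sys/devices/system/cpu/smt/control")

def assess_mds(mds_status, smt_control):
    """Classify a host from the kernel's MDS status line and SMT control value."""
    base, _, smt_note = mds_status.strip().partition(";")
    base, smt_note = base.strip(), smt_note.strip()
    # SMT counts as off when the kernel says so in either file.
    smt_off = (smt_control.strip() in ("off", "forceoff", "notsupported")
               or smt_note == "SMT disabled")
    if base == "Not affected":
        verdict = "not-affected"
    elif base.startswith("Mitigation:"):
        # Buffer clearing alone leaves sibling hyperthreads able to sample
        # each other's data, which is why Hyper-Threading is also disabled.
        verdict = "mitigated" if smt_off or smt_note == "SMT mitigated" else "partial"
    else:
        # "Vulnerable", with or without "no microcode".
        verdict = "vulnerable"
    return {"verdict": verdict, "smt_disabled": smt_off,
            "needs_microcode": "no microcode" in base}

def read_host():
    """Assess the running machine; None if the kernel does not report MDS."""
    if not MDS_PATH.exists():
        return None
    smt = SMT_PATH.read_text() if SMT_PATH.exists() else "notimplemented"
    return assess_mds(MDS_PATH.read_text(), smt)

# Constructed sample values, not captured from a real device.
SAMPLES = [
    ("Mitigation: Clear CPU buffers; SMT disabled", "off"),
    ("Mitigation: Clear CPU buffers; SMT vulnerable", "on"),
    ("Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable", "on"),
    ("Not affected", "on"),
]

if __name__ == "__main__":
    for status, smt in SAMPLES:
        print(f"{status!r:75} smt={smt:4} -> {assess_mds(status, smt)}")
    print("this host:", read_host())
```

A "partial" verdict corresponds to a machine where buffer clearing is active but Hyper-Threading is still on, or where the kernel runs in a virtual machine and cannot see the host's SMT state.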

Chrome OS 75 next month will feature additional mitigations. As of Tuesday, May 14th, “Google is not aware of any active exploitation of the MDS vulnerabilities.”

On other Google platforms, the Chrome browser is dependent on Apple and Microsoft fixes for macOS and Windows, respectively. The few Android devices that run Intel are impacted, but Google notes that the “vast majority of Android devices are not affected” due to ARM. More details are available on Chromium and the MDS attacks site that describes the CPU vulnerabilities in-depth.

AOpen Chromebase Commercial
AOpen Chromebox Commercial
ASI Chromebook
ASUS Chromebook C200MA
ASUS Chromebook C300MA
ASUS Chromebook Flip C302
ASUS Chromebox 3
ASUS Chromebox CN60
ASUS Chromebox CN62
Acer C720 Chromebook
Acer Chromebase 24
Acer Chromebook 11 (C740)
Acer Chromebook 11 (C771 / C771T)
Acer Chromebook 13 (CB713-1W)
Acer Chromebook 15 (C910 / CB5-571)
Acer Chromebook 15 (CB3-531)
Acer Chromebook Spin 13 (CP713-1WN)
Acer Chromebox
Acer Chromebox CXI2
Acer Chromebox CXI3
Bobicus Chromebook 11
CTL Chromebox CBx1
CTL N6 Education Chromebook
Chromebook 11 (C730 / CB3-111)
Chromebook 11 (C735)
Chromebook 14 for work (CP5-471)
Chromebox Reference
Consumer Chromebook
Crambo Chromebook
Dell Chromebook 11
Dell Chromebook 11 (3120)
Dell Chromebook 13 3380
Dell Chromebook 13 7310
Dell Chromebox
Dell Inspiron Chromebook 14 2-in-1 7486
Education Chromebook
eduGear Chromebook R
Edxis Chromebook
Edxis Education Chromebook
Google Chromebook Pixel (2015)
Google Pixelbook
HEXA Chromebook Pi
HP Chromebook 11 2100-2199 / HP Chromebook 11 G3
HP Chromebook 11 2200-2299 / HP Chromebook 11 G4/G4 EE
HP Chromebook 13 G1
HP Chromebook 14
HP Chromebook 14 ak000-099 / HP Chromebook 14 G4
HP Chromebook x2
HP Chromebook x360 14
HP Chromebox CB1-(000-099) / HP Chromebox G1/ HP Chromebox for Meetings
HP Chromebox G2
Haier Chromebook 11 G2
JP Sa Couto Chromebook
LG Chromebase 22CB25S
LG Chromebase 22CV241
Lenovo 100S Chromebook
Lenovo N20 Chromebook
Lenovo N21 Chromebook
Lenovo ThinkCentre Chromebox
Lenovo ThinkPad 11e Chromebook
Lenovo Thinkpad X131e Chromebook
M&A Chromebook
Pixel Slate
RGS Education Chromebook
Samsung Chromebook 2 11 – XE500C12
Samsung Chromebook Plus (LTE)
Samsung Chromebook Plus (V2)
Samsung Chromebook Pro
Senkatel C1101 Chromebook
Thinkpad 13 Chromebook
Toshiba Chromebook
Toshiba Chromebook 2
Toshiba Chromebook 2 (2015 Edition)
True IDC Chromebook
Videonet Chromebook
ViewSonic NMP660 Chromebox
Yoga C630 Chromebook



About the Author

Abner Li
