If you’re in a panic to figure out how to turn off Intel’s Hyper-Threading feature to prevent ZombieLoad, the latest Spectre-like CPU security exploit, then take a deep breath—Intel’s official guidance does not actually recommend that. The bad news? None of what we tell you is going to make you feel any better.
ZombieLoad is similar to previous “side channel” attacks, which trick Intel processors into coughing up potentially sensitive information that would otherwise be kept private by the CPU. The exploit hits most Intel chips and can be used on Windows, MacOS, and Linux, the ZombieLoad researchers said. ARM-based and AMD-based CPUs aren’t impacted.
“While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs,” the discoverers of the exploit said. “These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.”
Intel didn’t disagree with the exploit’s capabilities, just with how much of a risk ZombieLoad is. Intel also decided to name the exploit Microarchitectural Data Sampling, or MDS. That’s a lot less scary sounding.
“MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel,” the company said. “Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.”
Intel said operating system, firmware, and hardware mitigations address many of the problems.
“Microarchitectural Data Sampling (MDS) is already addressed at the hardware level in many of our recent 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family,” the company said in a statement. “For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today. We’ve provided more information on our website and continue to encourage everyone to keep their systems up to date, as it’s one of the best ways to stay protected.”
Intel officials also went out of their way to point out that the ZombieLoad research team worked with it and others in the PC industry to put fixes in place before disclosing the exploit.
“We’d like to extend our thanks to the researchers who worked with us and our industry partners for their contributions to the coordinated disclosure of these issues.”
Turn off Hyper-Threading?
The easiest fix, the ZombieLoad discoverers said in a document detailing the exploit, is to turn off Hyper-Threading on Intel processors:
“As ZombieLoad leaks loaded values across logical cores, a straightforward mitigation is disabling the use of Hyper-Threading. Hyper-Threading improves performance for certain workloads by 30 percent to 40 percent.”
But Intel said that’s not necessarily the only answer for all PC users. In fact, Intel said that it’s really up to each customer to decide what to do. If software cannot be guaranteed to be trusted, then yes, maybe you'll want to disable Hyper-Threading. If your software only comes from the Microsoft Store or your IT department, you’re likely OK leaving Hyper-Threading on. For all others, it really depends on how squeamish you are.
“Because these factors will vary considerably by customer, Intel is not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS,” Intel said in a statement.
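As an added example (not from Intel, the researchers, or the original article): on Linux, kernels patched for MDS report their status in /sys/devices/system/cpu/vulnerabilities/mds, and the Python script below reads that line and judges the buffer-clearing mitigation separately from the Hyper-Threading (SMT) state, which is the distinction Intel's statement draws. The sample lines are constructed to follow the kernel's documented format; the function name and the wording of the to-do items are assumptions made for illustration.

```python
from pathlib import Path

# Linux sysfs file that reports the kernel's view of MDS on this machine.
MDS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample lines in the format the kernel documents for this file.
SAMPLES = [
    "Not affected",
    "Vulnerable; SMT disabled",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
]


def assess_mds(line):
    """Return (buffer_state, smt_state, todo) for one sysfs status line."""
    head, _, smt = line.strip().partition(";")
    head, smt = head.strip(), smt.strip()
    todo = []  # hypothetical follow-up items, worded for this example
    if head == "Not affected":
        return "not affected", smt or "n/a", todo
    if head.startswith("Mitigation:"):
        state = "mitigated"
    elif "no microcode" in head:
        # Kernel tries to clear buffers, but the CPU lacks updated microcode.
        state = "best effort"
        todo.append("install the microcode/firmware update")
    else:
        state = "vulnerable"
        todo.append("install OS update and microcode; check mitigation is not disabled")
    # Hyper-Threading is judged separately: buffer clearing does not cover
    # a sibling logical core, and SMT off does not replace buffer clearing.
    if smt == "SMT vulnerable":
        todo.append("decide on Hyper-Threading if untrusted code runs here")
    return state, smt or "unknown", todo


def main():
    # Use the live sysfs value when present, else the constructed samples.
    lines = [MDS_PATH.read_text()] if MDS_PATH.exists() else SAMPLES
    for line in lines:
        state, smt, todo = assess_mds(line)
        print(f"{line.strip()!r}: buffers={state}, smt={smt}")
        for item in todo:
            print(f"  - {item}")


if __name__ == "__main__":
    main()
```

A line such as "Vulnerable; SMT disabled" is the case Intel's statement warns about: Hyper-Threading is off, yet the machine still lacks the buffer-clearing mitigation.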
So far, the reactions from operating system vendors have split.
Apple has issued updates for MacOS Mojave and said security-sensitive individuals can turn off Hyper-Threading if they want to, but the company doesn’t seem to be deactivating the feature by default.
Microsoft said it has rolled out software patches to help mitigate the problem, but also said customers would need to obtain updated firmware from their PC makers.
With some operating system vendors deciding to leave whether or not to turn off Hyper-Threading up to end users, ZombieLoad's threat obviously isn't as serious as it first seemed on Tuesday morning. There are still no known examples of the exploit being used in an actual attack.
Chipping away at Hyper-Threading or turning it off completely would be a huge blow to the performance of Intel's processors. You wouldn’t believe it from some of the documentation Intel has released, however.
The company has tested its firmware and software mitigations and said it found relatively little performance impact after applying them. That's not really surprising. The fixes for the original Spectre and Meltdown exploits were mostly a tempest in a teapot except under certain workloads.
Losing Hyper-Threading would be HUGE
Where we would vehemently disagree with Intel is its view that disabling Hyper-Threading is no big deal. On the same page, Intel demonstrates a nothing-to-see-here attitude if HT is turned off.
Our issue with Intel’s disingenuous demonstration of Hyper-Threading switched off is that it doesn’t use particularly multi-threaded workloads. If Intel’s tests used Blender or Cinebench or other multi-core CPU tests, you’d see such an immediate and massive nerf in performance that you’d start bawling.
To point out just how valuable Hyper-Threading is, the main difference between a $500 Core i9-9900K and a $375 Core i7-9700K is Hyper-Threading. Switching off Hyper-Threading on an Intel CPU is a gut punch of epic proportions for those who need multi-threaded performance.
The only real silver lining is for those with the latest and greatest Intel CPUs. As the company said, many of its recent 8th-gen and 9th-gen processors already have hardware fixes in place—so there’s no reason to switch off Hyper-Threading on a Core i9-9900K whatsoever. ZombieLoad's danger apparently only applies to PCs with slightly older CPUs. Owners of those systems will have to depend on firmware and software updates to lower the risk, and to count on the fact there still aren’t any known attacks abusing the ZombieLoad exploit yet.