How to Enable Full Mitigation for MDS / Zombieload on Mac
Advanced Mac users who are in a particularly strong adversarial threat environment may feel the need to enable full mitigation for the Intel MDS processor vulnerabilities on their Mac computers (and PCs, for that matter). MDS stands for Microarchitectural Data Sampling, colloquially called “Zombieload”, and is a set of flaws in the Intel processor itself: speculative execution can leak data sitting in the CPU’s internal buffers to code that should not be able to read it, so an attacker running code on an affected Intel computer, Mac or PC, could potentially read sensitive data belonging to other processes, the kernel, or a virtual machine. (If you follow security news closely, Zombieload is in the same family as the Spectre and Meltdown security flaws of 2018.)
While Apple has shipped fixes in macOS Mojave 10.14.5 and in Security Update 2019-003 for High Sierra and Sierra that provide adequate protection for most Mac users, other Mac users operating within unusually heightened security risk environments may feel the need to go further and enable full mitigation against MDS / Zombieload.
Enabling full mitigation for the Intel MDS vulnerabilities involves disabling hyper-threading on the CPU, which in Apple’s own testing reduced performance by as much as 40 percent on multithreaded workloads. That is obviously a serious performance hit, and the vast majority of people should not bother with this, since the vast majority of people are not in a threat environment where they would be targeted with this sort of attack.
Nonetheless if you are particularly concerned about the Zombieload / MDS attack vector on a Mac with an Intel CPU, we’ll discuss how to enable full mitigation against the attack below.
How to Enable Full Mitigation Against Zombieload / MDS on Intel Macs
Remember, to enable full mitigation for MDS / Zombieload on a Mac you must disable CPU hyper-threading, resulting in a serious performance hit. The vast majority of Mac users should not bother with this.
Note the Mac must be running macOS Sierra, macOS High Sierra, or macOS Mojave with the relevant update installed (or a newer release). The nvram commands below are entered from the Recovery Mode Terminal because System Integrity Protection blocks changes to the boot-args NVRAM variable from a normally booted macOS.
- First, install macOS Mojave 10.14.5, or Security Update 2019-003 for High Sierra or Sierra (or later), on the Mac
- Go to the Apple menu and choose “Restart” to restart the Mac
- Immediately hold down Command+R as the Mac restarts to boot into Recovery Mode
- When you get to the macOS Utilities screen, pull down the “Utilities” menu in the menu bar and choose “Terminal”
- Type the following command, then hit Return:
nvram boot-args="cwae=2"
- Next type the following command, and again hit Return:
nvram SMTDisable=%01
- Go to the Apple menu and choose “Restart” to restart the Mac normally; hyper-threading is disabled from this boot onward
These directions for full mitigation come directly from Apple.
How to Revert Full MDS Mitigation and Enable Hyper-Threading on Mac
If you want to revert full mitigation of Zombieload / MDS and re-enable hyper-threading on the CPU, you will need to reset the Mac NVRAM / PRAM to clear out the boot-args and SMTDisable variables set for the full mitigation. This is the same on all Mac models:
- Shut down the Mac
- Turn the Mac on, then immediately press and hold the Command, Option, P, and R keys together
- Keep holding the keys for about 20 seconds: on Macs that play a startup sound, release them after the second boot chime; on Macs with the T2 chip, release them after the Apple logo appears and disappears for the second time
The Mac will now boot as usual with the NVRAM reset, hyper-threading enabled again, and full mitigation of MDS no longer in place.
You can also view NVRAM variables on a Mac from the command line if you aren’t certain what is set.
Note that if you use a firmware password, you may need to temporarily turn it off before you can reset NVRAM with the key combination.
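Since the whole point of the procedure is that hyper-threading is really off, it is worth checking the running system rather than trusting that the nvram commands took effect. The script below is an added example for that check and is not from the article or from Apple’s support document. It assumes (this is not stated on the page) that `nvram -p` prints one variable per line as NAME, a tab, VALUE, and that with SMTDisable in effect the kernel reports `hw.logicalcpu` equal to `hw.physicalcpu`; confirm both on your own Mac before relying on it.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): verify whether the MDS
# "full mitigation" is actually in effect on a Mac.
# Assumptions: `nvram -p` prints NAME<tab>VALUE per line, and with SMTDisable
# set the kernel reports hw.logicalcpu == hw.physicalcpu.

# Pure classifier so the logic can be exercised with constructed input.
#   $1 = text of `nvram -p`
#   $2 = physical core count   (sysctl -n hw.physicalcpu)
#   $3 = logical CPU count     (sysctl -n hw.logicalcpu)
# Prints one word:
#   full    - both NVRAM variables present and hyper-threading really off
#   none    - neither variable present (stock configuration)
#   partial - anything else, e.g. variables set but SMT still on (not yet
#             rebooted, or the variable was typed wrong), or only one set
mds_classify() {
    nvram_text=$1
    physical=$2
    logical=$3
    have_args=0
    have_smt=0
    smt_off=0

    # boot-args must carry cwae=2; the value may hold other flags as well.
    printf '%s\n' "$nvram_text" | grep -q '^boot-args[[:space:]].*cwae=2' && have_args=1
    # SMTDisable is a one-byte variable; nvram -p shows it as %01.
    printf '%s\n' "$nvram_text" | grep -q '^SMTDisable[[:space:]]' && have_smt=1
    # With hyper-threading off the kernel exposes one logical CPU per core.
    [ "$logical" -eq "$physical" ] && smt_off=1

    if [ "$have_args" -eq 1 ] && [ "$have_smt" -eq 1 ] && [ "$smt_off" -eq 1 ]; then
        echo full
    elif [ "$have_args" -eq 0 ] && [ "$have_smt" -eq 0 ]; then
        echo none
    else
        echo partial
    fi
}

# Run on the Mac itself, after the reboot that follows the nvram commands.
mds_check_live() {
    mds_classify "$(nvram -p)" \
                 "$(sysctl -n hw.physicalcpu)" \
                 "$(sysctl -n hw.logicalcpu)"
}

# Undo only the two mitigation variables instead of a full NVRAM reset.
# Must be run from the Recovery Mode Terminal: SIP blocks editing boot-args
# from a normal boot. Any other boot-args you had set are removed too.
mds_revert_vars() {
    nvram -d SMTDisable
    nvram -d boot-args
}

# Usage: sh mds_check.sh check   |   sh mds_check.sh revert
case "${1:-}" in
    check)  mds_check_live ;;
    revert) mds_revert_vars ;;
esac
```

A result of `partial` immediately after running the two nvram commands is expected, because the kernel only honours SMTDisable at the next boot; `partial` after a reboot means something did not take, which is exactly the case a full NVRAM reset would silently mask.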
What is MDS / Zombieload anyway?
For some further background on MDS / Zombieload as well as the mitigation process, you may wish to refer to the support article from Apple which describes the MDS risk and full mitigation as follows:
Intel has disclosed vulnerabilities called Microarchitectural Data Sampling (MDS) that apply to desktop and notebook computers with Intel CPUs, including all modern Mac computers.
Although there are no known exploits affecting customers at the time of this writing, customers who believe their computer is at heightened risk of attack can use the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology, which provides full protection from these security issues.
This option is available for macOS Mojave, High Sierra and Sierra and may have a significant impact on the performance of your computer.
Furthermore, enabling full mitigation involves disabling hyper-threading on the Intel CPU, which can dramatically reduce performance. Apple describes this as follows:
The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.
You might also be interested in reading more about Microarchitectural Data Sampling (MDS) directly from Intel here at Intel.com.
Another source of information about Zombieload / MDS is the official Zombieload Attack disclosure website, created by the researchers who found the security vulnerability. Their video demonstrates a Zombieload attack being used to gather information from a targeted machine despite the victim using Tor inside a virtual machine (a serious security yikes!).
Again, the majority of Mac (and PC) users will not need to be overly concerned about these security vulnerabilities and likely will not need to bother with full mitigation by disabling hyper-threading. Simply installing macOS Mojave 10.14.5 or the relevant Security Update 2019-003 for High Sierra and Sierra wards off the practical risk for most Mac users. And as always, be sure to never install any sketchy or untrusted software, since these types of vulnerabilities require attacker-controlled code to run on the machine in the first place, whether as installed software or, as Apple’s note about remote (web) attacks implies, as a script in a web page.
Is there a simple way to show this fix is working? Out of curiosity I downloaded the 2019-003 update and tried it on my High Sierra system. The NVRAM log showed:
boot-args
cwae=2
SMTDisable
AQ==
Not knowing just what aspects of performance would be affected, I reformatted a batch of audio files. The timings I got were about 60 seconds before the fix and, after it was activated, about 75 seconds, an increase of 25%. If I considered myself a vulnerable target (I do not) I think I might accept the lower processing speed. Better does not mean only faster. Security and stability are better also.
My understanding was that full mitigation requires MacOS Mojave or later, as well as the boot-args.
But if NVRAM shows that hyper threading is disabled, it should be disabled. And if your performance is slower that might be an example too.
Your example is a little strange if performance is better, but perhaps the app you are using to convert audio files is able to be more efficient processing on a single core rather than multicore.
You could try a benchmarking app like GeekBench which measures multi-core vs single-core and that might be a better indicator.
Thanks for your comments, Bear. The article quotes Apple saying “This option is available for macOS Mojave, High Sierra and Sierra and may have a significant impact on the performance of your computer.” This is why I tried it on my High Sierra system which showed a significant 25% extra time to reformat a batch of mp3 files. I will take a look at GeekBench, but what I am really concerned about is to determine whether I have closed the security loophole or whether my computer simply ran slower after the NVRAM contents were written and a restart was done (I trust no-one in this business).
Is there also a way to disable those and the Spectre and Meltdown mitigations/hotfixes? I only use macOS for videogames and browsing meme websites. I have a separate machine for crucial stuff (and so should everybody else that can afford a Mac – proprietary systems are never to be trusted!). It feels like a waste of CPU cycles and inefficiency to have these mitigations enabled even if you don’t need them. I also use NoScript/ScriptBlock since a long time, so JS poses no real threat, rationally speaking.
I’ve looked all over the web already, I can’t seem to find anything except for every other operating system (Linux, Windows) and how to disable it there?
I’ve already tried booting up 10.13.1 kernel (AFAIK the last release without those slowdowns) with newer versions of 10.13, but without any luck (it always got stuck at bootup and then I gave up).
Any help would be deeply appreciated.
Great tips as always, OSXDaily!
We’re increasingly at a point with technology where if the data is digitized in any form, it is not safe, private, or secure. You have to expect this will only increase.
At what point will the obsession to digitize everything go backward, and organizations and people who are security and privacy conscious will opt for paper, safes, and physical access restriction?
We have entire industries whose entire purpose appears to be to maximize the invasion of privacy (social media, app tracking, etc). People are crazy to sign up for some of these services, but now is even using a computer going to be risky? Mac or PC, does not matter. Android or iPhone, does not matter. Will nothing be immune from hackers?
Uhm… when the oil runs out and the lights go off? :-)
When the world’s population crashes! Fewer people, slower lifestyle – more people, faster lifestyle and a need to process people and their activities in bulk. Without computers the major economies would crash anyhow.