How to Enable Full Mitigation for MDS / Zombieload on Mac
Advanced Mac users who are in a particularly strong adversarial threat environment may feel the need to enable full mitigation for the Intel MDS processor vulnerability on their Mac computers (and PCs for that matter). MDS stands for Microarchitectural Data Sampling, colloquially called “Zombieload”, and is a vulnerability in the Intel processor itself that could theoretically lead to an attacker accessing sensitive data on any impacted Intel computer, Mac or PC. (If you follow security news closely, the Zombieload vulnerability is sort of like the Spectre and Meltdown security flaws last year.)
While Apple has applied security patches to macOS Mojave 10.14.5 and Security Update 2019-003 for High Sierra and Sierra that should help to prevent trouble for most Mac users, other Mac users operating within unusually heightened security risk environments may feel the need to go further and enable full mitigation against MDS / Zombieload.
Enabling full mitigation for the Intel MDS vulnerability involves disabling hyper-threading on the CPU itself, which can result in a roughly 40% performance reduction on the machine. That’s obviously a pretty serious performance hit, and thus the vast majority of people should not bother with this, since they will not be under a security threat environment that would put them at risk of being targeted by this sort of vulnerability.
Nonetheless if you are particularly concerned about the Zombieload / MDS attack vector on a Mac with an Intel CPU, we’ll discuss how to enable full mitigation against the attack below.
How to Enable Full Mitigation Against Zombieload / MDS on Intel Macs
Remember, to enable full mitigation for MDS / Zombieload on a Mac you must disable CPU hyper-threading, resulting in a serious performance hit. The vast majority of Mac users should not bother with this.
Note the Mac must be running macOS Mojave, macOS Sierra, macOS High Sierra, or newer.
- First, install MacOS Mojave 10.14.5, or Security Update 2019 for High Sierra, or Security Update 2019 for Sierra (or later) on the Mac
- Go to the Apple menu and choose “Restart” to restart the Mac
- Immediately hold down Command+R upon restart to boot the Mac into Recovery Mode
- When you get to the Utilities screen, pull down the “Utilities” menu in the menubar and choose “Terminal”
- Type the following command, then hit return
- Next type the following command, and again hit return:
- Go to the Apple menu and choose “Restart” to restart the Mac
These directions for full mitigation come directly from Apple.
How to Revert Full MDS Mitigation and Enable Hyper-Threading on Mac
If you want to revert full mitigation of Zombieload / MDS and re-enable hyper-threading on the CPU, you will need to reset the Mac NVRAM / PRAM to clear out the defined nvram change made in the full mitigation. This is the same on all Mac models:
- Shut down the Mac
- Turn the Mac on, then immediately press and hold the COMMAND OPTION P R keys together
- Hold down the COMMAND OPTION P R keys concurrently for about 20 seconds, then release
- Release the keys after hearing the second boot chime (on Macs that play the boot sound), or after seeing the Apple logo (Macs with the T2 chip)
The Mac will now boot as usual with the NVRAM reset, hyper-threading enabled again, and full mitigation of MDS no longer in place.
You can also view NVRAM variables on a Mac from the command line if you aren’t certain what is set.
Note if you use a firmware password you may need to temporarily turn that off before being able to effectively reset NVRAM.
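To go with the note above about viewing NVRAM variables, here is an added example (not from the original article or from Apple) of a read-only check that reports whether full mitigation is both set in NVRAM and actually in effect. It assumes the `SMTDisable` variable and the `cwae=2` boot argument from Apple's published MDS guidance, plus the macOS `hw.physicalcpu` / `hw.logicalcpu` sysctl keys; the sample NVRAM text is constructed.

```shell
#!/bin/sh
# Added example: audit full MDS mitigation state on an Intel Mac (read-only).
# SMTDisable and cwae=2 are assumed from Apple's MDS guidance, not from this page.

# Print the value of one variable from `nvram -p` text (NAME<TAB>VALUE) on stdin.
nvram_value() {
    awk -F '\t' -v key="$1" '$1 == key { print $2 }'
}

# mds_status NVRAM_TEXT PHYSICAL_CORES LOGICAL_CORES
# Prints one of: full | set-not-active | partial | not-enabled
mds_status() {
    smt=$(printf '%s\n' "$1" | nvram_value SMTDisable)
    args=$(printf '%s\n' "$1" | nvram_value boot-args)
    smt_set=0; cwae_set=0
    if [ "$smt" = "%01" ]; then smt_set=1; fi
    # Match cwae=2 as a whole boot argument, not as a prefix of another value.
    case " $args " in *" cwae=2 "*) cwae_set=1 ;; esac

    if [ "$smt_set" -eq 1 ] && [ "$cwae_set" -eq 1 ]; then
        # Hyper-threading is off when each physical core exposes one logical CPU.
        if [ "$3" -eq "$2" ]; then echo full; else echo set-not-active; fi
    elif [ "$smt_set" -eq 1 ] || [ "$cwae_set" -eq 1 ]; then
        echo partial
    else
        echo not-enabled
    fi
}

# Constructed sample input (tab-separated, in the layout `nvram -p` prints).
SAMPLE_ON=$(printf 'boot-args\tcwae=2\nSMTDisable\t%%01\nSystemAudioVolume\t%%40')
SAMPLE_OFF=$(printf 'SystemAudioVolume\t%%40')

# On a Mac, audit the live machine; elsewhere, run against the constructed sample.
if command -v nvram >/dev/null 2>&1 && [ "$(uname)" = "Darwin" ]; then
    mds_status "$(nvram -p)" "$(sysctl -n hw.physicalcpu)" "$(sysctl -n hw.logicalcpu)"
else
    mds_status "$SAMPLE_ON" 4 4
fi
```

A result of `set-not-active` means the variables are present but the logical CPU count still exceeds the physical core count, for example because the Mac has not been restarted since the change; after an NVRAM reset the expected result is `not-enabled`.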
What is MDS / Zombieload anyway?
For some further background on MDS / Zombieload as well as the mitigation process, you may wish to refer to the support article from Apple which describes the MDS risk and full mitigation as follows:
Intel has disclosed vulnerabilities called Microarchitectural Data Sampling (MDS) that apply to desktop and notebook computers with Intel CPUs, including all modern Mac computers.
Although there are no known exploits affecting customers at the time of this writing, customers who believe their computer is at heightened risk of attack can use the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology, which provides full protection from these security issues.
This option is available for macOS Mojave, High Sierra and Sierra and may have a significant impact on the performance of your computer.
Furthermore, enabling full mitigation involves disabling hyper-threading on the Intel CPU, which can dramatically reduce performance. Apple describes this as follows:
The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.
You might also be interested in reading more about Microarchitectural Data Sampling (MDS) directly from Intel here at Intel.com.
Another source of information about Zombieload / MDS is the official Zombieload Attack disclosure website here, created by the researchers who found the security vulnerability. The video below from those security researchers demonstrates a Zombieload attack being used to gather information from a targeted machine despite using TOR contained within a virtual machine (a serious security yikes!).
Again, the majority of Mac (and PC) users will not need to be overly concerned about these security vulnerabilities and likely will not need to bother with full mitigation by disabling hyper-threading. Simply installing macOS Mojave 10.14.5 and the relevant Security Update 2019-003 for High Sierra and/or Sierra helps to ward off potential risks for most Mac users. And as always, be sure to never install any sketchy or untrusted software as that should help considerably too, since nearly all of these types of vulnerabilities rely on some form of malware to take root in the first place.