Current CPUs have design flaws. Spectre exposed them, but attacks like Foreshadow and now ZombieLoad exploit similar weaknesses. These "speculative execution" flaws can only truly be fixed by buying a new CPU with built-in protection.

Patches Often Slow Down Existing CPUs

The industry has been frantically scrambling to patch "side-channel attacks" like Spectre and Foreshadow, which trick the CPU into revealing information it shouldn't. Protection for current CPUs has been made available through microcode updates, operating system-level fixes, and patches to applications like web browsers.

Spectre fixes have slowed down computers with old CPUs, although Microsoft is about to speed them back up again. Patching these bugs often reduces performance on existing CPUs.

Now, ZombieLoad raises a new threat: To lock down and secure a system from this attack fully, you have to disable Intel's hyper-threading. That's why Google just disabled hyper-threading on Intel Chromebooks. As usual, CPU microcode updates, browser updates, and operating system patches are on their way to try to plug the hole. Most people shouldn't need to disable hyper-threading once these patches are in place.

New Intel CPUs Aren't Vulnerable to ZombieLoad

But ZombieLoad isn't a danger on systems with new Intel CPUs. As Intel puts it, ZombieLoad "is addressed in hardware starting with select 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable processor family." Systems with these modern CPUs aren't vulnerable to this new attack.

ZombieLoad just affects Intel systems, but Spectre also affected AMD and some ARM CPUs. It's an industry-wide problem.

CPUs Have Design Flaws, Enabling Attacks

As the industry realized when Spectre reared its ugly head, modern CPUs have some design flaws:

The problem here is with “speculative execution”. For performance reasons, modern CPUs automatically run instructions they think they might need to run and, if they don’t, they can simply rewind and return the system to its previous state...

The core problem with both Meltdown and Spectre lies within the CPU’s cache. An application can attempt to read memory and, if it reads something in the cache, the operation will complete faster. If it tries to read something not in the cache, it will complete slower. The application can see whether or not something completes fast or slow and, while everything else during speculative execution is cleaned up and erased, the time it took to perform the operation can’t be hidden. It can then use this information to build a map of anything in the computer’s memory, one bit at a time. The caching speeds things up, but these attacks take advantage of that optimization and turn it into a security flaw.

In other words, performance optimizations in modern CPUs are being abused. Code running on the CPU---perhaps even just JavaScript code running in a web browser---can take advantage of these flaws to read memory outside of its normal sandbox. In a worst-case scenario, a web page in one browser tab could read your online banking password from another browser tab.

Or, on cloud servers, one virtual machine could snoop on the data in other virtual machines on the same system. This isn't supposed to be possible.

Software Patches Are Just Bandaids

It's no surprise that to prevent this sort of side-channel attack, patches have made CPUs perform a bit more slowly. The industry is trying to add extra checks to a performance optimization layer.

The suggestion to disable hyper-threading is a pretty typical example: By disabling a feature that makes your CPU run faster, you're making it more secure. Malicious software can no longer exploit that performance feature---but it won't speed up your PC anymore.

Thanks to a lot of work from a lot of smart people, modern systems have been reasonably protected from attacks like Spectre without much slowdown. But patches like these are just bandaids: These security flaws need to be fixed at the CPU hardware level.

Hardware-level fixes will provide more protection---without slowing down the CPU. Organizations won't have to worry about whether they have the right combination of microcode (firmware) updates, operating system patches, and software versions to keep their systems secure.

As a team of security researchers put it in a research paper, these "are not mere bugs, but in fact, lie at the foundation of optimization." CPU designs will have to change.
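To check the combination of microcode, operating system patches and hyper-threading described above on a Linux system, the kernel's own per-flaw status can be read from sysfs. The following is an added example, not part of the original article; the state names and the sample values are constructed for illustration, and it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` and `/sys/devices/system/cpu/smt/control`.

```python
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")

# Constructed sample: an older CPU with OS patches applied but no new microcode.
SAMPLE = {
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
}
ADVICE = {
    "vulnerable": "install microcode and OS updates",
    "patched-smt-exposed": "patched, but hyper-threading still leaves it exposed",
}


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse state (names are this example's own)."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"  # the CPU itself does not have the flaw
    if s.startswith("Mitigation"):
        # The kernel appends an SMT note when sibling threads can still leak data.
        return "patched-smt-exposed" if "SMT vulnerable" in s else "patched"
    return "vulnerable"  # covers "Vulnerable..." and any unrecognised text


def read_live(vuln_dir=VULN_DIR, smt_control=SMT_CONTROL):
    """Read live values; returns ({}, None) where sysfs lacks these files."""
    statuses = {}
    if vuln_dir.is_dir():
        for f in sorted(vuln_dir.iterdir()):
            statuses[f.name] = f.read_text().strip()
    smt = smt_control.read_text().strip() if smt_control.is_file() else None
    return statuses, smt


def report(statuses):
    """Return ({flaw: state}, [(flaw, advice)]) for flaws that still need action."""
    states = {name: classify(text) for name, text in statuses.items()}
    action = [(n, ADVICE[s]) for n, s in states.items() if s in ADVICE]
    return states, action


if __name__ == "__main__":
    live, smt = read_live()
    states, action = report(live or SAMPLE)  # fall back to the constructed sample
    print(f"SMT control: {smt or 'unknown (using constructed sample)'}")
    for name, state in states.items():
        print(f"{name:20} {state}")
    for name, why in action:
        print(f"ACTION {name}: {why}")
```

A CPU with the fix in hardware reports "Not affected" for that flaw, so it never shows up in the action list regardless of patch level.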

Intel and AMD Are Building Fixes Into New CPUs

Hardware-level fixes aren't just theoretical. CPU manufacturers are working hard on architectural changes that will fix this problem at the CPU hardware level. Or, as Intel put it in 2018, Intel was "advancing security at the silicon level" with 8th-generation CPUs:

We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both [Spectre] Variants 2 and 3. Think of this partitioning as additional “protective walls” between applications and user privilege levels to create an obstacle for bad actors.

Intel previously announced that its 9th generation CPUs include additional protection against Foreshadow and Meltdown V3. These CPUs aren't affected by the recently revealed ZombieLoad attack, so those protections must be helping.

AMD is working on changes, too, although no one wants to reveal many details. In 2018, AMD's CEO Lisa Su said: "Longer term, we have included changes in our future processor cores, starting with our Zen 2 design, to further address potential Spectre-like exploits."

For someone who wants the fastest performance without any patches slowing things down---or just an organization that wants to be completely sure its servers are as protected as possible---the best solution will be to buy a new CPU with those hardware-based fixes. Hardware-level improvements will hopefully prevent other future attacks before they're discovered, too.

Unplanned Obsolescence

While the press sometimes talks about "planned obsolescence"---a company's plan that hardware will become outdated so you'll have to replace it---this is unplanned obsolescence. No one expected that so many CPUs would have to be replaced for security reasons.

The sky isn't falling. Everyone is making it more difficult for attackers to exploit bugs like ZombieLoad. You don't have to race out and buy a new CPU right now. But a complete fix that doesn't hurt performance will require new hardware.