
Checking MDS/Zombieload Mitigations on macOS with Osquery

As part of a pretty crazy week for security updates (Microsoft/RDS, Apple/Mojave/High Sierra, Adobe Acrobat/Flash Player), some new speculative execution vulnerabilities were disclosed and fixed.

These vulnerabilities go by the names RIDL, Fallout and Zombieload, though tracking them by CVE is perhaps easier, as most of these names sound like awesome video games.

These vulnerabilities are similar to Meltdown/Spectre in that they exploit the speculative execution and caching features that CPUs use to improve performance. As with Meltdown/Spectre, long-term fixes will require changes to the CPUs themselves, but mitigations at the operating system level are possible. For a great summary of how these vulnerabilities are exploited, see Ars Technica.

Their mitigations also share some similarities. There are various levels of mitigation, and completely disabling hyper-threading is the most secure but also the most performance-impacting option. I wrote in the past about how osquery can be used to ensure systems are properly protected against Meltdown/Spectre. On the Windows side, the story is similar – depending on your OS type and version (client / server, 2016 vs 2019), some mitigations are enabled by default and some are not. The matrix is relatively complex, but you can easily monitor the relevant registry keys using osquery's registry table, and you can also leverage the kva_speculative_info table mentioned in the Meltdown article.

MDS on Mac is not too different, in the sense that the latest macOS update (10.14.5) must be installed, which (Read more...)
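The following osquery queries are an added example, not code from the original post or from Uptycs, showing the two checks described above: reading the speculation-related registry values and the kva_speculative_info table on Windows, and confirming that the minimum macOS build named in the post (10.14.5) is installed. The table names (registry, kva_speculative_info, os_version) and the FeatureSettingsOverride / FeatureSettingsOverrideMask value names are real osquery and Microsoft identifiers; which override bit patterns enable which mitigation is not covered by this excerpt and must be taken from Microsoft's guidance for your OS version.

```sql
-- Windows: surface the two registry values that control speculative
-- execution mitigations. osquery's registry table needs a key constraint,
-- so the full path under HKLM is given explicitly.
SELECT
  name,
  type,
  data,
  datetime(mtime, 'unixepoch') AS last_modified
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
  AND name IN ('FeatureSettingsOverride', 'FeatureSettingsOverrideMask');

-- Windows: report what the kernel actually has enabled. A row where
-- kva_shadow_enabled or bp_mitigations is 0 on a vulnerable CPU is the
-- condition worth alerting on; the other columns explain why
-- (policy-disabled vs. microcode not present).
SELECT
  kva_shadow_enabled,
  kva_shadow_user_global,
  kva_shadow_pcid,
  kva_shadow_inv_pcid,
  bp_mitigations,
  bp_system_pol_disabled,
  bp_microcode_disabled,
  cpu_spec_ctrl_supported,
  ibrs_support_enabled,
  stibp_support_enabled
FROM kva_speculative_info;

-- macOS: flag hosts that have not yet installed 10.14.5. Comparing the
-- integer major/minor/patch columns avoids the string-ordering trap where
-- '10.14.10' would sort before '10.14.5'.
SELECT
  name,
  version,
  build
FROM os_version
WHERE platform = 'darwin'
  AND NOT (
        major > 10
     OR (major = 10 AND minor > 14)
     OR (major = 10 AND minor = 14 AND patch >= 5)
  );
```

Each query is written so that a returned row is the exception: schedule them in osqueryd and treat any result from the macOS query, or a Windows row with the mitigations off, as a host that still needs attention.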

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Guillaume Ross. Read the original post at: https://www.uptycs.com/blog/checking-mds/zombieload-mitigations-on-macos-with-osquery
