What is ZombieLoad?

Over the last few weeks, a security exploit known as “ZombieLoad” has been published. This vulnerability, somewhat similar to Spectre and Meltdown in the past, allow attackers to abuse performance features on a computer in order to run arbitrary code without the administrator or user’s consent. There is a lot of information available about this issue and we recommend that all IT admins take some time to read up on the issue, starting with these suggested links:

  • https://zombieloadattack.com/

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130

What actions should CloudReady users take?

CloudReady, similar to Chrome OS, has automatic updates turned on by default, so as in the past, no action is necessary in order to receive security fixes unless you are currently restricting updates.

To ensure your school or business receives security updates as soon as they are available, make sure you are following all recommendations listed at https://network.neverware.com on your organization’s networks, and that you are not blocking/disabling device updates in your Google Admin console.

How is Neverware responding to these issues?

Yesterday, v74.4 of CloudReady was released to all Editions and all release channels of CloudReady. Along with normal improvements, that update includes mitigation strategies for ZombieLoad to match the changes Google has made for Chromebooks.

What are the security patches in v74.4?

To mitigate these new risks, Chrome OS and CloudReady v74 are disabling Intel’s "hyper-threading” wherever it is available. More about this fix, the rationale for implementing it, and the limited impact on performance can be found from the Chromium authors here:

In our testing so far, there have been limited changes to performance on CloudReady devices, even amongst our oldest machines.

Other and ongoing security patches

The Google and Chromium teams intend to ship additional improvements and protections in v75 and onwards to further limit any risk from ZombieLoad. As always, our commitment to security and reliability on CloudReady means that CloudReady devices will receive those same improvements when we release v75 and v76.

We will update this blog with any additional info as it becomes available.