Apple Addresses Latest Intel Vulnerabilities With Mac Security Patches

Apple today weighed in on the most recent speculative execution vulnerability affecting Intel processors. In a support note, Apple detailed the steps the company took to mitigate the issues, both in macOS Mojave 10.14.5 and in standalone security patches for High Sierra and Sierra.
Supported Macs that have received one of the updates will automatically implement less drastic mitigations, such as a patch for Safari that is intended to prevent remote exploitation of the vulnerability via JavaScript. Apple also recommends that users modify their Gatekeeper settings to only allow the installation of applications from Apple’s Mac App Store.
But the primary solution as of now, and the one that is causing the most concern for Intel’s partners and customers, is the necessity of disabling Hyper-Threading to achieve the best protection from the security risks. Such a move can significantly reduce performance in many multi-threaded workflows — Apple claims a hit of as much as 40 percent — so Apple is leaving the option to disable Hyper-Threading up to Mac users.
The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.
How to Disable Hyper-Threading in macOS
Unlike their PC counterparts, Macs do not expose CPU settings such as Hyper-Threading in the EFI interface (well, except for Hackintoshes). The process to disable Hyper-Threading (a.k.a. enable “full mitigation for MDS”) therefore requires some work in Terminal.
After installing macOS Mojave 10.14.5 or the standalone security patches for Sierra and High Sierra, perform the following steps:
- Restart the Mac in Recovery Mode (hold Command-R) at startup.
- Once the Recovery interface loads, select Utilities > Terminal from the menu bar at the top of the screen.
- Enter the following commands, one at a time:
nvram SMTDisable=%01
- Restart the Mac.
To later re-enable Hyper-Threading, reset your Mac’s NVRAM by holding the Option+Command+P+R keys at startup until the Mac restarts again. Users can verify the status of Hyper-Threading by choosing Apple Menu > About This Mac > System Report. In the hardware section of the System Report, an entry will state if Hyper-Threading is enabled or disabled on your Mac.
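The same verification can be scripted from Terminal. The following is an added example, not Apple's tooling or code from the support note: it combines the NVRAM variable with the System Report hardware section to tell whether the setting actually took effect. It assumes the report line reads `Hyper-Threading Technology: Enabled` or `Disabled`; the function name `smt_state` and the state labels it prints are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's tooling): report whether SMTDisable took effect.
# The state labels printed by smt_state are this example's own names.

# Usage: smt_state NVRAM_VALUE < system_profiler-text
smt_state() {
    nv=$1
    # Assumed report line: "Hyper-Threading Technology: Enabled|Disabled"
    ht=$(sed -n 's/^[[:space:]]*Hyper-Threading Technology:[[:space:]]*//p' | head -n 1)
    case "$ht" in
        Disabled) echo "smt-disabled" ;;
        Enabled)
            # Variable set but SMT still active: the Mac has not been restarted,
            # or the 10.14.5 / security update that honours it is not installed.
            if [ "$nv" = "%01" ]; then echo "set-but-not-applied"
            else echo "smt-enabled"; fi ;;
        *) echo "unknown" ;;   # line absent, e.g. a CPU without Hyper-Threading
    esac
}

if [ "$(uname -s)" = "Darwin" ]; then
    # nvram prints "SMTDisable<TAB>%01" when the variable exists.
    nv=$(nvram SMTDisable 2>/dev/null | awk '{print $2}')
    system_profiler SPHardwareDataType | smt_state "$nv"
else
    # Constructed sample of the hardware section, so the script runs offline.
    printf '%s\n' '      Processor Name: Intel Core i7' \
                  '      Hyper-Threading Technology: Enabled' | smt_state '%01'
fi
```

A result of `set-but-not-applied` on a restarted Mac points to a missing update rather than a missing NVRAM setting.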
As with previous speculative execution mitigations that resulted in performance degradation, Intel and its system partners are advising customers to weigh the performance costs against the risk of being affected by the exploit. Even with the news that these most recent vulnerabilities can be initiated remotely via JavaScript on a compromised website, individual users are generally less likely to be specifically targeted. It’s only for situations where data security is of prime importance that Intel and companies like Apple recommend users disable Hyper-Threading.