Intel Chip Security Flaw Could Affect Millions

Share

Security researchers and Intel have recently disclosed a security vulnerability that has a major impact on a huge number of processors that Intel has released since 2011.

The ZombieLoad research follows January 2018 warnings over Spectre and Meltdown.

ZombieLoad and Store-to-Leak Forwarding are the new attack methods that the Graz University of Technology security researchers Daniel Gruss, Moritz Lipp and Michael Schwarz from the Institute for Applied Information Processing and Communication Technology at Graz University of Technology (Austria) and an global team have just published.

ZombieLoad (CVE-2018-12130) is the most unsafe vulnerability, although the researchers also found three others: CVE-2018-12126, CVE-2018-12127 and CVE-2019-11091.

Intel has warned of a quartet of serious security vulnerabilities in processors going back more than a decade, dubbed Microarchitecture Data Sampling (MDS) by Intel and RIDL, Fallout, and ZombieLoad by the researchers which discovered them.

"ZombieLoad is a novel category of side-channel attacks which we refer to as data-sampling attack", the researchers say in a Tuesday blog post.

These new attacks are reminiscent of Meltdown and Spectre, two vulnerabilities in Intel chips that were revealed a year ago.

More news: Skull and Bones Not Being Released Until After March 2020
More news: Trump grants full pardon to ex-press baron Conrad Black
More news: Vertonghen, Winks and Kane expected to be fit for Champions League final

It has also released microcode updates to address the vulnerabilities, although these could apparently have a 9% performance hit on cloud machines and around 3% on desktops and laptops.

Apple has already released the security updates in the latest macOS Mojave 10.14.5 operating system to protect users against these vulnerabilities, but to fully mitigate your Mac computer, you'll need to also disable hyper-threading processing technology and enable an additional CPU instruction, which, unfortunately, leads to 40 percent performance loss.

"It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them", Cristiano Giuffrida, a researcher on the project, told Wired. They called the vulnerabilities 'Zombieload'.

Intel says that attempting to use MDS methods to infer data would likely be hard and potentially time-consuming. But hackers can exploit the newly discovered vulnerabilities to steal the discarded data before it's deleted and read the contents.

Reporting the bugs to Intel a month ago, researchers found that flaws could be exploited to view which websites a person is browsing, but had the capability to grab passwords and access tokens.

While fixes may be starting to become available, it will take time for them to be applied to PCs and servers affected by the four variants. However, it said, that the influence on many PC owners should be minimum.

Share