Intel reveals ‘ZombieLoad’ flaw affecting its chips could put MILLIONS of devices at risk

Security researchers have discovered a new set of flaws in Intel processors that could leave users exposed to cyber-attacks akin to those caused by the Meltdown and Spectre vulnerabilities. 

The attack variants include Fallout, RIDL and ZombieLoad, the last of which appears to be the most critical and operates by exploiting a design flaw in Intel chips to leak sensitive user data. 

Chips made by Advanced Micro Devices and ARM Holdings are not affected by this latest vulnerability. 

However, it impacts ‘almost every computer’ with an Intel processor dating back as far as 2011, according to TechCrunch.

 

Users can check to see if they’ve been affected using an online tool created by the researchers.  

The flaws were discovered by a team of researchers from Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Germany’s Saarland University and a number of security firms. 

Intel also announced the vulnerabilities in a blog post published today, referring to the set as Microarchitectural Data Sampling (MDS).

‘Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see,’ the company explained. 

‘Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.’ 

Intel said it will ship future processors with the necessary hardware changes to address these vulnerabilities. 

The chip giant added that it has already begun rolling out updates to operating system and hypervisor software as a fix for the flaws.  

ZombieLoad takes advantage of a design flaw in Intel chips that’s similar to what caused the Meltdown and Spectre flaws. 

It exploits a process called ‘speculative execution,’ wherein a processor works to predict what operations or data an application or system may need in the future, TechCrunch noted. 

These new attacks target the ‘buffers’ between a chip’s components.

Hackers must first trick the user of a computer powered by a targeted chip into falling prey, whether by getting them to access a malicious application or by some other means.

The attacks bypass security mechanisms in Intel’s speculative execution systems to siphon off sensitive data being transmitted in the chip, such as passwords, keys, account tokens or private messages, according to TechCrunch. 

‘In the split second between the command and the check, using this new form of attack we can see the pre-loaded data from other programs,’ security researcher Daniel Gruss said in a statement. 

Many pointed out that hackers have no control over what data is being transmitted in a chip at a given time, so it’s possible that the attack wouldn’t return any worthwhile data.

If they were to carry out the attack repeatedly, however, hackers would most likely come away with some sensitive data.  

Users are advised to update their devices to make sure they are safeguarded against any attacks made possible by the flaw.

Apple, Google and Microsoft have all released patches for users to download, TechCrunch noted. 

Systems running macOS Mojave 10.14.5 have already been patched, and Apple intends to issue fixes for Sierra and High Sierra versions as well.

Chrome OS devices are protected from attacks and many other Google products and services require no updates to be installed by the user.  

Microsoft will release software updates through Windows Update. 
