INTEL IS PATCHING ITS ZOMBIELOAD CPU SECURITY FLAW FOR THE THIRD TIME
OVER THE last two years, security researchers have dug up one technique after another that lets a hacker trick Intel’s microprocessors into spilling a computer’s deepest secrets.
AS THOSE flaws have been exposed, chipmakers have scrambled to patch them. But for one serious form of those attacks, it turns out that Intel still hasn’t successfully patched the underlying problem despite 18 months of warnings — and not one but two failed attempts to do so.
A SUPERGROUP of researchers from nearly a dozen universities and security firms brought the MDS attack to light last May after warning Intel nearly a year earlier and holding their findings in secret at Intel’s request. Like the notorious Spectre and Meltdown attacks that surfaced in early 2018, it takes advantage of a feature of Intel's processors known as speculative execution.
ON MONDAY, the company said it will issue a software update “in the coming weeks” that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws.
THIS LATEST update comes after the company released two separate patches in May and November of last year.
COMPARED TO the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn’t work on Intel's more recent chips.
MOREOVER, A hacker can’t execute the attack using a web browser.
BUT THE fact that Intel has left variants of MDS unpatched for more than 18 months, in fact, raises the question of whether sophisticated hackers may have already used them on real targets, says Vrije Universiteit researcher Herbert Bos. Intel however says it’s “not aware” of anyone taking advantage of the flaws outside of the lab.
THE SECURITY advisory Intel released today gives the L1DES attack a severity rating of 6.5 out of 10. But the University of Michigan’s Daniel Genkin points out that Intel gave similarly low scores to other serious vulnerabilities in recent years, including Meltdown and Spectre.