Security researchers have discovered vulnerabilities in Intel CPUs that could allow attackers to steal sensitive information directly from the processor.
Dubbed ZombieLoad, the vulnerability class – itself made up of four distinct attacks – impacts virtually all Intel chips from 2011 onwards, across both consumer and server markets. Intel, along with device manufacturers and operating system developers, have released patches – which impact performance.
Update your systems
ZombieLoad, discovered by researchers at Graz University of Technology in Austria and KU Leuven University in Belgium, allows for attackers to read data that is recently accessed or accessed in parallel on the same processor core.
In a proof-of-concept video, the researchers showed that the flaws could be exploited to see which websites a person is visiting in real-time, and could be used to learn passwords and other important information.
It can also be exploited in virtual machines, where different cloud customers may share the same system.
While no attacks have been reported, it may not be possible to trace an attack.
In response to the vulnerability, which it was informed about last year, Intel released microcode updates to OEMs for the majority of its processors. These are expected to impact performance, with the level of impact different depending on the workload.
Intel, which has named the vulnerabilities Microarchitectural Data Sampling (MDS), says that mostly the impact will be “relatively minimal,” but some data center instances could be slowed down by as much as 8 or 9 percent.
TU Graz and VUSec recommend that software makers disable hyperthreading, a feature in Intel chips that allows for more tasks to be performed in parallel. Intel contests this, rating the vulnerabilities’ severity as “low to medium.”
“It’s clear what Intel is doing,” VUSec researcher Cristiano Giufrrida told Wired. “It’s in their interest to say, ‘No, after Spectre and Meltdown, we didn’t overlook other vulnerabilities; it’s just that these were so minor that they slipped by.'”
Processors by Arm and AMD are not though to be affected.―DCD