More than a year after the Meltdown and Spectre vulnerabilities hit the PC industry, Intel uncovered new, more serious security holes.
The new vulnerabilities are called Microarchitectural Data Sampling (MDS). Neither the processor giant nor the security researchers who discovered them have seen exploits in the wild. However, the researchers were able to create their own exploits as a proof of concept.
Although the Intel chipsets released this year contain a fix for the bug, the vulnerabilities affect all Intel microprocessors released since 2011, so older chipsets need to be patched. These patches are already available, but some may reduce performance by up to 19 percent, depending on the chipset. Worse, the fixes for older chipsets do not completely mitigate the problems.
The security researchers who worked with Intel released their own information about the bugs, and each group has created example exploits to demonstrate the issues. One group has called their exploits RIDL and Fallout.
"The RIDL and Fallout speculative execution attacks allow attackers to lose sensitive data across any security boundary on a victim system, such as websites," notes a new website created by a team of security researchers who informed Intel of the problems. "Our attacks lead to data loss by exploiting the newly discovered vulnerabilities in Microarchitectural Data Sampling (MDS) side channels in Intel CPUs. Unlike existing attacks, our attacks may lose any in-flight data from CPU-internal buffers (line fill buffers, load ports, memory buffers), including data that has never been stored in CPU caches. We show that the existing defenses against speculative execution attacks are inadequate and, in some cases, exacerbate the situation. Attackers can use our attacks to keep confidential data despite damage limitation due to security vulnerabilities in Intel CPUs."
A second group has created an exploit called ZombieLoad.
"The ZombieLoad attack can steal confidential data and keys while the computer is in use," notes the ZombieLoad website. "While programs typically only see their own data, a malicious program can exploit the stuffing buffers to gain secrets that are currently being processed by other running programs. These secrets can be user-level secrets, e.g. browsing history, site content, user keys and passwords, or system-level secrets such as hard disk encryption keys. The attack not only works on PCs, but can also be exploited in the cloud."
Amazon, Apple, Google, Microsoft, and Mozilla claimed to have fixed the bugs.
"We are aware of this industry-wide problem and have worked closely with the affected chipmakers to develop and test remedies to protect our customers," states Microsoft. "We're working to provide cloud service protection and security updates to protect Windows customers from vulnerabilities that affect supported hardware chips." PC is vulnerable. In actual fact, however, you are vulnerable if you use an Intel chipset.