Intel processors hit with another security flaw that lets hackers access sensitive data

What you need to know

  • Researchers at several institutions have discovered another serious security flaw in Intel processors.
  • The attack vector is similar to last year's Meltdown and Spectre flaws, and four variants have been proven to work so far.
  • Potentially millions of PCs and servers are affected, allowing hackers to gain access to sensitive data.
  • Apple patched the flaw in recent Mojave and Safari updates. Microsoft is rolling out a fix today, and Intel says it has one ready to roll out on its end as well.

Early in 2018, two major vulnerabilities, dubbed Spectre and Meltdown, were discovered by researchers in Intel and AMD processors. While mitigations have since been released from Intel, AMD, Microsoft, and other major hardware and software companies, the method of attack, which takes advantage of a process called speculative execution, has led researchers to discover a set of four more attacks that impact Intel processors dating back to 2008, Wired reports.

Intel has collectively dubbed the attacks "Microarchitectural Data Sampling" (MDS). And while the set of four attacks all operate in a similar manner to Meltdown and Spectre, these new MDS attacks (ZombieLoad, Fallout, and RIDL) appear to be easier to execute. From Wired:

In these new cases, researchers found that they could use speculative execution to trick Intel's processors into grabbing sensitive data that's moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip's components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.

Each variant of the attack can be used as a gateway into viewing raw data that passes through a processor's cache before it is tossed discarded through the speculative execution process. If executed quickly in succession, a hacker could gather enough random data to piece together everything from passwords to the keys used to decrypt hard drives.

"In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components," VUSec, one of the firms that discovered the flaws, said in a paper set to be presented next week and seen by Wired.

A video of ZombieLoad, one of the four attacks, in action, showing how it can be used to log what websites you visit.

Those who discovered the attacks include researchers from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and Cyberus, BitDefender, Qihoo360 and Oracle, Wired says.

In speaking with Wired, Intel says its own researchers discovered the flaw last year and it now has fixes available at the hardware and software level. The company also says some processors shipped in last month have fixed the vulnerability.

However, Intel and the researchers disagree on the severity of the flaw. While Intel rates the attacks as "low to medium" in severity, researchers from the institutions that discovered the attacks told Wired that they could "reliably dig through that raw output to find the valuable information they sought."

For its part, Microsoft shipped a fix for Windows PCs today. In a statement to Wired, a Microsoft spokesperson said, "We're aware of this industry-wide issue and have been working closely with affected chip manufacturers to develop and test mitigations to protect our customers." Apple also tells Wired that it rolled out patches with recent Mojave and Safari updates.

While fixes may be starting to become available, it will take time for them to be applied to PCs and servers affected by the four variants. That raises concerns that the attacks could be used on potentially millions of machines around the world to access sensitive data before they are patched, if at all.

This post may contain affiliate links. See our disclosure policy for more details.

Latest And Best Prime Day Deals

Amazon's Fire TV Cube is down to just $70 thanks to this Prime Day deal
Amazon Fire TV Cube
$69.99 $119.99 Save $50

Save $80 on the Neato D4 robot vacuum during this Prime Day Lightning deal
Neato Robotics D4 Alexa-enabled laser-guided robot vacuum cleaner
$319.99 $400.00 Save $80

Time is running out. And so is the supply. Grab it while you can.

Grab TCL's 32-inch 720p Roku TV for less than $100 in this Prime Day Lightning deal
TCL 32S325 32-inch 720p Roku TV
$99.99 $130.00 Save $30

Act fast while you can. These Lightning deals tend to sell out quick.

The Ring Alarm security system is reaching new low prices for Prime Day
Ring Alarm home security systems

Various configurations of the Ring Alarm are discounted to their best prices yet exclusively for Prime members at Amazon through Tuesday night to help keep your home secure.

The Sonos Beam Prime Day deal includes a $40 discount and 2 $50 Amazon gift cards
The Sonos Beam Prime Day deal includes a $40 discount and $100 in Amazon gift cards
$359.00 $499.00 Save $140

That's just so much savings in one deal. You'll have to wait for the physical gift cards, but that's basically $100 to spend however you want.

Prime Day dropped this PlayStation 4 console bundle to just $250
PlayStation 4 Slim 1TB console with Marvel's Spider-Man and Horizon Zero Dawn
$249.99 $359.98 Save $110

This deal on the PlayStation 4 Slim console saves you $50 off its regular price while also including Marvel's Spider-Man and Horizon Zero Dawn Complete Edition for free. You'll just need an Amazon Prime membership to snag it.

The newest device in the Echo family, the Show 5, is now down to just $50
Echo Show 5
$49.99 $89.99 Save $40

It's only been on the market since May, but it hasn't escaped the Prime Day price cuts.

Amp up your home security with these huge Prime Day discount on nearly all Ring products
Save on Ring products today only

Whether you need a video doorbell, whole home alarm system, or some lights to brighten a dark area, Amazon has it all marked down today!

More Prime Day Deals