Intel failed to fix dangerous ‘ZombieLoad’ flaw affecting chips in MILLIONS of devices made by Apple, Microsoft, and Google
- Critical flaws in Intel chips remain exploitable after a year
- Researchers say Intel has failed to patch them despite being aware of the issue
- One of three variants, ‘ZombieLoad,’ exploits a design flaw similar to those behind Meltdown and Spectre
- It allows hackers to spy on sensitive data being transmitted, including passwords
Researchers say Intel has failed to fix critical flaws found inside widely used chips, leaving users’ most sensitive data exposed.
In a public announcement on Tuesday, security experts at Vrije Universiteit in Amsterdam said a variant of the previously documented RIDL and ZombieLoad flaws continues to expose Intel chips’ internal architecture and jeopardize sensitive information like passwords and other personal data.
Those flaws have persisted despite multiple patches issued by Intel, which has claimed that the issues had been fully rectified.
Researchers say flaws discovered last year that expose sensitive information on millions of devices have persisted despite claims by Intel that they would be fixed
Researchers say that in May they informed Intel that its patch fell short of addressing several vulnerabilities, but that they chose to remain silent on the shortcomings on the promise that Intel would fully patch them.
After six months, however, those flaws have persisted.
‘The mitigation they released in May, we knew it could be bypassed. It wasn’t effective,’ Kaveh Razavi, one of the researchers in Vrije Universiteit’s group, told Wired.
‘They missed completely a variant of our attack—the most dangerous one.’
To make matters worse, Wired reports that researchers informed Intel at the time that the vulnerability was exploitable in just seconds as opposed to the hours previously thought.
On Tuesday, Intel admitted that its fixes do not completely prevent its chip flaws from being exploited.
‘We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface,’ wrote Intel in a blog post.
‘Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques… and will be addressed in future microcode updates…’
Users can check to see if they’ve been affected using an online tool created by the researchers.
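As a local complement to the online tool, here is an added example that is not from the article, the researchers or Intel. On Linux the kernel reports its own view of the MDS and TAA mitigations under `/sys/devices/system/cpu/vulnerabilities/`, and this script classifies those status strings. The category names are this example's own, and the sample strings in the comments are constructed from the formats the kernel documents.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's MDS / TAA status strings.
# VULN_DIR is the kernel's standard sysfs location (Linux only).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> prints one category (names are this example's own):
#   not-affected | vulnerable | mitigated-smt-exposed |
#   mitigated-smt-unknown | mitigated | unknown
# Constructed sample inputs, following the kernel's documented formats:
#   "Not affected"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
#   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
classify_status() {
    case "$1" in
        "Not affected"*)                          echo "not-affected" ;;
        # Includes "attempted, no microcode": kernel patched, CPU firmware not.
        "Vulnerable"*)                            echo "vulnerable" ;;
        # Buffers are cleared, but a sibling hyperthread can still observe them.
        "Mitigation:"*"SMT vulnerable"*)          echo "mitigated-smt-exposed" ;;
        # Typical inside a VM: the guest cannot see the host's SMT setting.
        "Mitigation:"*"SMT Host state unknown"*)  echo "mitigated-smt-unknown" ;;
        "Mitigation:"*)                           echo "mitigated" ;;
        *)                                        echo "unknown" ;;
    esac
}

# report_host: print one line per vulnerability class named in Intel's statement.
report_host() {
    for name in mds tsx_async_abort; do
        f="$VULN_DIR/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
            printf '%-16s %-22s %s\n' "$name" "$(classify_status "$status")" "$status"
        else
            # Older kernels and non-Linux systems have no such file.
            printf '%-16s %-22s %s\n' "$name" "unknown" "(no sysfs entry)"
        fi
    done
}

report_host
```

A `mitigated` result only means the kernel has applied the mitigations it knows about; as Intel's statement below says, some data could still be inferred until further microcode updates are installed.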
The attack variants include Fallout, RIDL and ZombieLoad, the last of which appears to be the most critical and operates by exploiting a design flaw in Intel chips to leak sensitive user data
ZombieLoad takes advantage of a design flaw in Intel chips that’s similar to what caused Meltdown and Spectre flaws documented in Intel chips this January.
It exploits a process called ‘speculative execution,’ wherein a processor works to predict what operations or data an application or system may need in the future.
The new attacks target the ‘buffers’ between a chip’s components.
The attacks bypass security mechanisms in Intel’s speculative execution systems to siphon off sensitive data being transmitted in the chip, such as passwords, keys, account tokens or private messages.
‘In the split second between the command and the check, using this new form of attack we can see the pre-loaded data from other programs,’ security researcher Daniel Gruss said in a statement from May.
The issue was one of the more far-reaching in recent memory and according to previous reporting from impacted almost every computer with an Intel processor going back as early as 2011.