Intel failed to fix dangerous chip flaw affecting MILLIONS of Apple, Microsoft, and Google devices


Intel failed to fix dangerous ‘ZombieLoad’ flaw affecting chips in MILLIONS of devices made by Apple, Microsoft, and Google

  • Critical flaws in Intel chips remain exploitable after a year
  • Researchers say Intel has failed to patch them despite being aware of the issue
  • One of three variants, ‘ZombieLoad,’ exploits flaws like Meltdown and Spectre
  • It allows hackers to spy on sensitive data being transmitted, including passwords

Researchers say Intel has failed to fix critical flaws found inside widely used chips, leaving users’ most sensitive data exposed.

In a public announcement on Tuesday, security experts at Vrije Universiteit in Amsterdam said a variant of the previously documented RIDL and ZombieLoad flaws continues to expose Intel chips’ internal architecture and jeopardize sensitive information like passwords and other personal data.

Those flaws have persisted despite multiple patches issued by Intel, which has claimed that the issues had been fully rectified.

Researchers say flaws discovered last year that expose sensitive information on millions of devices have persisted despite claims by Intel that they would be fixed

Researchers say that in May they informed Intel that its patch fell short of addressing several vulnerabilities, but that they chose to remain silent about the shortcomings on the promise that Intel would fully patch them.

After six months, however, those flaws have persisted.

‘The mitigation they released in May, we knew it could be bypassed. It wasn’t effective,’ Kaveh Razavi, one of the researchers in Vrije Universiteit’s group, told Wired.

‘They missed completely a variant of our attack—the most dangerous one.’  

To make matters worse, Wired reports that researchers informed Intel at the time that the vulnerability was exploitable in just seconds as opposed to the hours previously thought. 

On Tuesday, Intel admitted that its fixes do not completely prevent its chip flaws from being exploited.

‘We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface,’ wrote Intel in a blog post.

‘Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques… and will be addressed in future microcode updates…’  

Users can check to see if they’ve been affected using an online tool created by the researchers.
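
On Linux, the kernel also reports whether it considers the MDS and TAA mitigations active, in files under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not code from the article, the researchers or Intel: it reads those files and flags states that need review, and its sample status lines are constructed rather than captured from a real machine.

```python
"""Classify Linux's self-reported MDS/TAA mitigation state (added example)."""
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("mds", "tsx_async_abort")  # the kernel's file names for MDS and TAA


def classify(line):
    """Turn one sysfs status line into state, detail and SMT status."""
    head, _, smt = line.strip().partition("; SMT ")
    if head == "Not affected":
        state, detail = "not_affected", ""
    elif head.startswith("Mitigation: "):
        state, detail = "mitigated", head[len("Mitigation: "):]
    elif head.startswith("Vulnerable"):
        state, detail = "vulnerable", head.partition(": ")[2]
    else:
        state, detail = "unknown", head
    # Buffer clearing on a core does not cover a sibling hyperthread,
    # so a mitigated CPU with SMT still exposed is flagged for review.
    smt_exposed = smt.lower().startswith(("vulnerable", "host state unknown"))
    needs_review = state in ("vulnerable", "unknown") or (
        state == "mitigated" and smt_exposed)
    return {"state": state, "detail": detail, "smt": smt or None,
            "needs_review": needs_review}


def report(read=None):
    """Classify each issue; `read` maps an issue name to its line or None."""
    def from_sysfs(name):
        path = SYSFS / name
        return path.read_text() if path.is_file() else None
    read = read or from_sysfs
    out = {}
    for name in ISSUES:
        line = read(name)
        # No file: the kernel predates reporting for this issue, or not Linux.
        out[name] = classify(line) if line is not None else {
            "state": "unreported", "detail": "", "smt": None,
            "needs_review": True}
    return out


# Constructed sample status lines (not captured from a real machine).
SAMPLE = {"mds": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
          "tsx_async_abort": "Vulnerable: Clear CPU buffers attempted, no microcode\n"}

if __name__ == "__main__":
    for issue, result in report().items():
        print(issue, result)
```

The files show only the kernel's own view of its mitigations; a "mitigated" result does not cover the residual leakage Intel acknowledges in the statement quoted above.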

The attack variants include Fallout, RIDL and ZombieLoad, the last of which appears to be the most critical and operates by exploiting a design flaw in Intel chips to leak sensitive user data

ZombieLoad takes advantage of a design flaw in Intel chips that’s similar to what caused Meltdown and Spectre flaws documented in Intel chips this January. 

It exploits a process called ‘speculative execution,’ wherein a processor works to predict what operations or data an application or system may need in the future.

These new attacks target the ‘buffers’ between a chip’s components.

The attacks bypass security mechanisms in Intel’s speculative execution systems to siphon off sensitive data being transmitted in the chip, such as passwords, keys, account tokens or private messages.  

‘In the split second between the command and the check, using this new form of attack we can see the pre-loaded data from other programs,’ security researcher Daniel Gruss said in a statement from May.  

The issue was one of the more far-reaching in recent memory and, according to previous reporting, impacted almost every computer with an Intel processor going back as early as 2011.

WHAT ARE THE MELTDOWN AND SPECTRE DESIGN FLAWS?

Security researchers at Google’s Project Zero computer security analysis team, in conjunction with academic and industry researchers from several countries, exposed the two flaws in January.

Meltdown, which is specific to Intel chips, lets hackers bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory.

It was first discovered by Project Zero in June last year, when expert Jann Horn found that passwords, encryption keys, and sensitive information open in applications that should have been protected could be accessed.

Details emerged about two massive security flaws which put billions of people worldwide at risk of being hacked. Meltdown and Spectre could let cyber criminals steal data from nearly every computing device containing chips from Intel, AMD and Arm

A second bug, called Spectre, affects chips from Intel, AMD and Arm.

This lets hackers potentially trick otherwise error-free applications into giving up secret information.

Project Zero disclosed the Meltdown vulnerability not long after Intel said it was working to patch it.

Intel says the average computer user won’t experience significant slowdowns as it’s fixed.


