BREAKING: New CPU Vulnerability Disclosed. Patches From Microsoft And Apple Inbound

There’s a new CPU vulnerability that has literally just been disclosed by researchers. It’s called ZombieLoad and it is similar to the Spectre and Meltdown CPU flaws that popped up a while ago. Here’s what you need to know:

“ZombieLoad,” as it’s called, is a side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. Intel said ZombieLoad is made up of four bugs, which the researchers reported to the chip maker just a month ago.

 Almost every computer with an Intel chips dating back to 2011 are affected by the vulnerabilities. AMD and ARM chips are not said to be vulnerable like earlier side-channel attacks.

 ZombieLoad takes its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.

Speaking of those patches….:

Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips, Intel Kaby Lake, Coffee Lake, Whiskey Lake and Cascade Lake chips are affected, and all Atom and Knights processors.

But other tech giants, like consumer PC and device manufacturers, are also issuing patches as a first line of defense against possible attacks.

Computer makers Apple  and Microsoft  and browser makers Google and Mozilla  are releasing patches today.

So as soon as those patches appear for your Windows 10 computer or Mac, I would install them to protect yourself. I’ll update this post as soon as patches pop up.

UPDATE: Apple just put up this page addressing this issue:

https://support.apple.com/en-us/HT210107

In short, Apple released mitigations when they released 10.14.5 as well as other software updates for older OSes that they still support.

UPDATE #2: Google has confirmed it has released patches to mitigate against ZombieLoad. The Chrome team has a technical advisory out that says that users should rely on patches for their computer. “Operating system vendors may release updates to improve isolation, so users should ensure they install any updates and follow any additional guidance from their operating system vendor,” said Google. In other words, make sure your Windows PC or your Mac is patched. Though I will point out that a new version of Chrome just hit my PC and Mac.

UPDATE #3: Microsoft has put up a document on this. And patches have apparently been released via Windows Update. Microsoft also has a page with guidance for how to protect against the new attacks. Meanwhile over at Amazon Web Services, AWS has been updated to prevent attacks.

UPDATE #4: VMware has released software updates for vCenter Server, ESXi, Workstation, and Fusion to mitigate this threat. Details here.

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: