Intel reveals vulnerabilities impacting system CPUs

In News

Intel has revealed a new class of vulnerabilities impacting all modern Intel chips, which can potentially leak sensitive data from a system’s CPU. Company officials said that the flaws, named Microarchitectural Data Sampling (MDS), comprise four different attacks, all of which depend on different ways side channel attacks to steal data from impacted systems.

These vulnerabilities are the result of a process called speculative execution in processors. This is used in microprocessors whereby memory can be read before the addresses of all prior memory writes are known. This means that an attacker with local user access can gain easy, unauthorized access to information.

“First identified by Intel’s internal researchers and partners, and independently reported to Intel by external researchers, MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four related techniques,” Intel said in a statement. “Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see.”  Interestingly, unlike previous attacks targeted at data within CPUs, MDS looks to a different component in the chip using speculative execution: Not data stored in the cache, but on buffers, such as Line Fill Buffers, Load Ports, or Store Buffers.

The  four attack vectors are called ZombieLoad, Fallout, RIDL (Rogue In-Flight Data Load) and Store-to-Leak Forwarding. The ZombieLoad attack refreshes your private browsing-history and allows to leak information from other applications, the operating system, virtual machines in the cloud and trusted execution environments, a report said.

The Store-To-Leak Forwarding exploits CPU optimizations introduced by the store buffer to monitor the operating system or leak data when combined with Spectre gadgets.

A statement from Intel said: “MDS vulnerabilities have been classified as low to medium severity per the industry standard CVSS, and it’s important to note that there are no reports of any real world exploits of these vulnerabilities.”

 

 

 

Comments

You may also read!

Security vulnerability in Bluetooth puts iOS and Windows 10 devices at risk

In a research paper titled Tracking Anonymized Bluetooth Devices, researchers have revealed that a security flaw in Bluetooth communication

Read More...

Humans cause nine out of ten data breaches in the cloud

Incidents in public cloud infrastructure are more likely to happen because of a customer’s employees rather than actions carried

Read More...

FireEye expands Managed Defense MDR services

FireEye, the intelligence-led security company, today announced the availability of two new managed detection and response (MDR) service offerings

Read More...

Join Our Newsletter!

Love SecurityMEA? We love to tell you about our new stuff. Subscribe to newsletter!

Mobile Sliding Menu