News
News Categories

Intel is patching its 18-month-old Zombieload flaw for the third time

By Koh Wanzi - on 29 Jan 2020, 4:57pm

Intel is patching its 18-month-old Zombieload flaw for the third time

Image Source: Intel

Intel will issue a software update in the coming weeks to fix two more microarchitectural data sampling (MDS) flaws, also known as Zombieload or RIDL. This would be the third time that Intel is patching this particular type of vulnerability, having previously released two separate patches in May and November of 2019. 

The latest update is supposed to address two methods that attackers could use to exploit Intel chips via MDS. Researchers had warned Intel about the more serious of the two flaws in a paper a year go, while others had shared proof-of-concept code with the company last May. 

In an email to Wired, Cristiano Giuffrida, a researcher at Vrije Universiteit in Amsterdam who was one of the first to discover the MDS attacks had this to say about Intel: "Security engineering at Intel (or rather lack thereof) is still business as usual. These issues aren't trivial to fix. But after eighteen months, they're still waiting for researchers to put together proofs-of-concept of every small variation of the attack for them? It’s amazing. We don’t know the inner workings of Intel's team. But it’s not a good look from the outside."

Researchers have also criticised Intel's piecemeal approach to the MDS variants. Instead of trying to find the source of the flaws, Intel only releases a patch when researchers prove each individual variant, which means that further patches down the road are still a possibility.

The Zombieload flaws take advantage of a feature of Intel's processors known as speculative execution, much like the infamous Spectre and Meltdown vulnerabilities that surfaced back in 2018. Intel chips sometimes execute a command or access a part of a computer's memory before a program even asks, and this pre-emptive, or "speculative", behaviour is what's known as speculative execution.

However, compared to the MDS flaws Intel fixed previously, the latest ones have some limitations. For instance, one of them, referred to as L1 data eviction sampling, or L1DES, only works on Intel chips sold before Q4 2018. It also can't target a computer via its web browser, unlike some earlier MDS variants.

In addition, Intel says that to date, it is not aware of any use of these issues outside of a controlled lab environment.

Join HWZ's Telegram channel here and catch all the latest tech news!
Our articles may contain affiliate links. If you buy through these links, we may earn a small commission.