An entire class of vulnerabilities in Intel chips allows attackers to steal data directly from the processor, according to new reports from a group of cybersecurity researchers from around the world. Intel, Apple, Google and Microsoft among other tech giants have released patches to address the flaws.
Today is a very good day to update all your devices and apps — and then turn auto-update on forever. Updating is one of the easiest and surest ways to quickly secure your devices. In the case of these new bugs, updating everything is the best thing you can do right now.
Apple, Google, and Microsoft have already released patches addressing the flaws. Everyone should update to the latest versions of MacOS, Windows, Android, and Chrome. The exploits don’t impact iPhones, iPads or the Apple Watch, TechCrunch reported. Google and Microsoft cloud customers are currently protected, we’ve reached out to Amazon to ask how they are addressing the issues for their cloud customers and will update when we hear back.
What are the bugs?
The bugs, which impact every Intel chip made since 2011, exploit a flaw in a chip feature called “speculative execution” so that attackers can steal sensitive data directly from a device’s CPU. That means an attacker could steal browser history, passwords, encryption keys or many more types of sensitive data.
No one knows if the bugs have been exploited by real attackers in the real world. Researchers say it’s difficult or impossible to tell because, unlike most other kinds of hacking, exploitation of these flaws may not leave any traces.
What do they do?
These new attacks are reminiscent of Meltdown and Spectre, two vulnerabilities in Intel chips that were revealed last year. The attacks are based on how Intel chips perform speculative execution, a feature where, in an attempt to optimize performance, the chip predicts and executes tasks before it’s even asked to do so. The new flaws show that attackers can use speculative execution to steal sensitive data as the chip works.
The researchers who found the bug put together a detailed website and wrote a white paper diving into their discoveries. From the white paper:
“While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys. The attack does not only work on personal computers but can also be exploited in the cloud.”
You should read the researchers’ website if you want to immerse yourself in the nitty-gritty technical details. What we hope to do in this article is to give you a high-level overview of what went wrong and then offer guidance on what exactly the new vulnerabilities mean for you.
The one-sentence takeaway for 99 percent of people, as mentioned above, is to update your devices right away.
The exploits discovered have names like ZombieLoad, Fallout, Store-to-leak forwarding, Meltdown UC and RIDL for “Rogue In-Flight Data Load.” Intel themselves calls the flaws “Microarchitectural Data Sampling” or MDS, a name that substitutes as a well-designed sleeping pill.
Here’s a crash course in the exploits: The ZombieLoad attack allows a hacker to spy on private browsing data and other sensitive data while Fallout and RIDL leak sensitive data across security boundaries. Store-to-leak forwarding and Meltdown UC combine with previously known exploits related to the Meltdown and Spectre vulnerabilities to steal sensitive data from the CPU.
In a message to Gizmodo, an Intel spokesperson said that MDS “is already addressed at the hardware level in many of our recent 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable processor family. For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today.”
Here’s a video from researchers showing the ZombieLoad exploit in action. In this case, attackers are spying on a user as she visits websites — they’re able to succeed even though she’s using security and privacy-focused tools like the Tor Browser and the DuckDuckGo search engine. Ultimately, none of that matters in the face of these attacks.
“It’s kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them,” Cristiano Giuffrida, a researcher on the project, told Wired. “We hear anything that these components exchange.”
Patches released by Intel will likely have a small but real impact on performance ranging from three percent on consumer devices to nine percent on data center machines.
Although there is no indication one way or the other as to whether this has ever been exploited in the wild, the smart move is to update quickly and often in order to protect yourself as best you can.