Intel is taking another shot at fixing critical security flaws in its processors. The new update will be rolled out in the coming weeks and will attempt to fix flaws relating to “microarchitectural data sampling”, popularly known as ZombieLoad. This is Intel's third update to fix similar flaws in its processors. The previous two were released in May and November last year.
“These issues are closely related to INTEL-SA-00233, released in November 2019, which addressed an issue called Transactional Synchronization Extensions (TSX) Asynchronous Abort, or TAA. At the time, we confirmed the possibility that some amount of data could still potentially be inferred through a side-channel and would be addressed in future microcode updates,” said the company in a post on Monday.
“Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues. We continue to conduct research in this area – internally, and in conjunction with the external research community,” it added.
ZombieLoad is part of a new technique hackers have devised to target millions of PCs worldwide, in which attackers go after the system's microprocessor to gain access. Intel, one of the biggest PC chip makers in the world, has been at the receiving end of these vulnerabilities. ZombieLoad exploits a feature on Intel chips known as “speculative execution”, just as the infamous Spectre and Meltdown attacks did.
Intel said in November that ZombieLoad could allow hackers to gain access to users’ private data. The vulnerability was found even in its latest processors, as well as in chips manufactured since 2011.
While security experts have expressed concerns over vulnerabilities in mass-market chips, Intel has put the latest flaw in the “low” category. The chipmaker said the latest exploit is quite complicated.
“This issue is rated ‘low’ as the user would first need to be authenticated on the target system, the high complexity of an attack, and low confidence in the attacker’s ability to target and retrieve relevant data,” the company said.