Skip to main content

Intel processors hit with another serious security flaw impacting millions of PCs

Intel stickers
Intel stickers (Image credit: Windows Central)

What you need to know

  • Researchers at several institutions have discovered another serious security flaw in Intel processors.
  • The attack vector is similar to last year's Meltdown and Spectre flaws, and four variants have been proven to work so far.
  • Potentially millions of PCs and servers are affected, allowing hackers to gain access to sensitive data.
  • Microsoft is rolling out a fix today, while Intel says it has one ready to roll out on its end as well.

Early in 2018, two major vulnerabilities, dubbed Spectre and Meltdown, were discovered by researchers in Intel and AMD processors. While mitigations have since been released from Intel, AMD, Microsoft, and other major hardware and software companies, the method of attack, which takes advantage of a process called speculative execution, has led researchers to discover a set of four more attacks that impact Intel processors dating back to 2008, Wired reports.

Intel has collectively dubbed the attacks "Microarchitectural Data Sampling" (MDS). And while the set of four attacks all operate in a similar manner to Meltdown and Spectre, these new MDS attacks (ZombieLoad, Fallout, and RIDL) appear to be easier to execute. From Wired:

In these new cases, researchers found that they could use speculative execution to trick Intel's processors into grabbing sensitive data that's moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip's components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.

Each variant of the attack can be used as a gateway into viewing raw data that passes through a processor's cache before it is tossed discarded through the speculative execution process. If executed quickly in succession, a hacker could gather enough random data to piece together everything from passwords to the keys used to decrypt hard drives.

"In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components," VUSec, one of the firms that discovered the flaws, said in a paper set to be presented next week and seen by Wired.

A video of ZombieLoad, one of the four attacks, in action, showing how it can be used to log what websites you visit.

Those who discovered the attacks include researchers from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and Cyberus, BitDefender, Qihoo360 and Oracle, Wired says.

In speaking with Wired, Intel says its own researchers discovered the flaw last year and it now has fixes available at the hardware and software level. The company also says some processors shipped in last month have fixed the vulnerability.

However, Intel and the researchers disagree on the severity of the flaw. While Intel rates the attacks as "low to medium" in severity, researchers from the institutions that discovered the attacks told Wired that they could "reliably dig through that raw output to find the valuable information they sought."

For its part, Microsoft shipped a fix (opens in new tab) for Windows PCs today. In a statement to Wired, a Microsoft spokesperson said, "We're aware of this industry-wide issue and have been working closely with affected chip manufacturers to develop and test mitigations to protect our customers."

While fixes may be starting to become available, it will take time for them to be applied to PCs and servers affected by the four variants. That raises concerns that the attacks could be used on potentially millions of machines around the world to access sensitive data before they are patched, if at all.

Affordable accessories that'll pair perfectly with your PC

Every one of these awesome PC accessories will enhance your everyday experience — and none cost more than $30.

KLIM Aim RGB gaming mouse (opens in new tab) ($30 at Amazon)

Whether you're a gamer or not, this is an absurdly good mouse for the price. It's ambidextrous, has a responsive sensor, a braided cable, tank-like build quality, and, yes, it has RGB lighting, though you can turn it off if that's not your thing.

AmazonBasics USB speakers (opens in new tab) ($16 at Amazon)

These neat little speakers may only pack 2.4W of total power, but don't let that fool you. For something so small you get a well-rounded sound and a stylish design. And they only cost $16.

Razer mouse bungee (opens in new tab) ($20 at Amazon)

Use a wired mouse? You need a mouse bungee to keep your cable tidy and free of snags. You get no drag on the cable, and this one has subtle styling, a rust-resistant spring and a weighted base, all for $20.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

8 Comments
  • Flaw after flaw... again and again... it will stop someday? at this rate, Intel CPUs will be a bit better than trash...
  • After fixing all these flaws, your i9 is now i5 level performance.
  • "Researchers say the security flaw, which works similarly to the Meltdown and Spectre attacks discovered last year, affects Intel CPUs going back to 2008" It was discovered Last Year, but it is being reported Today!?
  • Yes, report things BEFORE fixes can be developed and rolled out. That makes sense.
  • You misread that line. The "discovered last year" is in the appositive, not the main sentence. Therefore, it applies to the details in the appositive, in this case the Meltdown and Spectre attacks.
  • Just wait until they find ARM issues, especially with Apple's CPUs. This whole thing smacks of industrial sabotage. Not usually a conspiracy guy, but ...
  • Looks at Ryzen PC with a smug face and grabs a cup of coffee
  • Your Ryzen CPU was still affected by these MDS flaws, and more vulnerabilities may appear in the future. No need to be so cocky.