Earlier this week, a group of academics and security researchers disclosed a new vulnerability class impacting Intel CPUs.
Known as Microarchitectural Data Sampling (MDS) attacks, these vulnerabilities allow threat actors to retrieve data that is being processed inside Intel CPUs, even from processes an attacker's code should not have access to.
Four MDS attacks have been disclosed today, with Zombieload being considered the most dangerous of them all:
- CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) [codenamed Fallout]
- CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) [codenamed Zombieload, or RIDL]
- CVE-2018-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren't available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.
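On Linux, the kernel reports which of these pieces are in place as a single line in sysfs. The following is an added example, not code from this article or any vendor: it parses that line into the actions still outstanding. The Linux target and the `mds_gaps` and `read_status` helper names are assumptions, and the sample lines are constructed in the kernel's reporting format.

```python
from pathlib import Path

# Linux sysfs file where kernels with MDS support report mitigation state.
MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample lines in the format the kernel emits.
SAMPLES = [
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
    "Not affected",
]


def mds_gaps(status):
    """Return the outstanding actions implied by one sysfs status line.

    status is None when the sysfs file does not exist.
    """
    if status is None:
        return ["kernel does not report MDS: install the OS security update"]
    head, _, smt = (part.strip() for part in status.strip().partition(";"))
    if head == "Not affected":
        return []
    gaps = []
    if head == "Vulnerable":
        gaps.append("kernel buffer clearing is off: enable the OS-level mitigation")
    elif head == "Vulnerable: Clear CPU buffers attempted, no microcode":
        gaps.append("OS update present but microcode missing: install the microcode update")
    elif head != "Mitigation: Clear CPU buffers":
        raise ValueError(f"unrecognised MDS status: {status!r}")
    if smt == "SMT vulnerable":
        gaps.append("SMT is active: sibling threads remain exposed, consider disabling SMT")
    elif smt == "SMT Host state unknown":
        gaps.append("running as a guest: confirm host SMT and patch state with the provider")
    return gaps


def read_status(path=MDS_SYSFS):
    """Read the live status line, or None if this kernel has no MDS report."""
    try:
        return path.read_text()
    except OSError:
        return None


if __name__ == "__main__":
    for line in SAMPLES + [read_status()]:
        print(repr(line), "->", mds_gaps(line) or "nothing outstanding")
```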
Below is a summary of all the fixes currently available for today's MDS attacks, along with support pages describing additional mitigation techniques.
In a security advisory, Intel said today that it released microcode updates to device and motherboard vendors.
When these microcode updates will end up on users' computers is anybody's guess. If we're to learn anything from the Meltdown and Spectre patching process, the answer is probably never, and Microsoft will eventually have to step in and deliver Intel's microcode updates as part of the Windows Update process, just like it did for Meltdown and Spectre last year.
In the meantime, Intel has published a list of impacted Intel processors, complete with in-depth details about the status of available microcode updates for each CPU model.
Until the Intel microcode updates reach users' computers, Microsoft has published OS-level updates to address the four MDS vulnerabilities.
Azure clients are already protected because Microsoft has already taken steps to patch its cloud infrastructure and mitigate the threat.
Apple deployed mitigations for MDS attacks with macOS Mojave 10.14.5, released today.
The fix has no "measurable performance impact," the company added.
iOS devices use CPUs not known to be vulnerable to MDS, so they don't need special mitigations, for now.
Google published a help page today that lists the status of each product and how it's impacted by today's MDS attacks.
Per this page, Google's cloud infrastructure has already received all the proper protections, similar to Azure. Some Google Cloud Platform customers may need to review some settings, but G Suite and Google Apps customers don't have to do anything.
Chrome OS has disabled Hyper-Threading on Chrome OS 74 and subsequent versions. This protects against MDS attacks, Google said.
Android users are not impacted. Google said OS-level mitigations should protect Chrome browser users.
Just like Google and Microsoft, Amazon said it already patched and applied mitigations to its cloud servers on behalf of its users.