Earlier this week, a group of academics and security researchers disclosed a new vulnerability class impacting Intel CPUs.
Known as Microarchitectural Data Sampling (MDS) attacks, these vulnerabilities allow threat actors to retrieve data that is being processed inside Intel CPUs, even from processes an attacker's code should not have access.
CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) [codenamed Fallout]
CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) [codenamed Zombieload, or RIDL]
CVE-2018-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren't available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.
Below is a summary of all the fixes currently available for today's MDS attacks, along with support pages describing additional mitigation techniques.
In a security advisory, Intel said today that it released updated Intel microcode updates to device and motherboard vendors.
When would these microcode updates end up on users' computers, it's anybody's guess. If we're to learn anything from the Meltdown and Spectre patching process, the answer is probably never, and Microsoft will eventually have to step in and deliver Intel's microcode updates part of the Windows Update process, just like it did for Meltdown and Spectre last year.
Per this page, Google's cloud infrastructure has already received all the proper protections, similar to Azure. Some Google Cloud Platform customers may need to review some settings, but G Suite and Google Apps customers don't have to do anything.
Chrome OS has disabled Hyper-Threading on Chrome OS 74 and subsequent versions. This protects against MDS attacks, Google said.
Android users are not impacted. Google said OS-level mitigations should protect Chrome browser users.
Just like Google and Microsoft, Amazon said it already patched and applied mitigations to its cloud servers on behalf of its users.