According to a report by TechCrunch, security researchers have discovered a new round of security flaws affecting almost every Intel chip since 2011. The vulnerabilities, if exploited, can be used to steal sensitive information, such as passwords, private messages, secret keys, and account tokens, directly from the processor.
The newly found data-leaking bugs, which the researchers are calling “ZombieLoad”, allow hackers to exploit design flaws rather than inject malicious code. ZombieLoad can leak any data currently loaded by the processor’s core, although Intel has said that patches to the microcode will help clear the processor’s buffers and prevent any data from being read.
While no attacks have been publicly reported so far, the researchers couldn’t rule them out since any attack wouldn’t necessarily leave a trace:
Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.
Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware.
Intel has now released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips. Intel Kaby Lake, Coffee Lake, Whiskey Lake, and Cascade Lake chips are affected, and all Atom and Knights processors.