New ZombieLoad attack can exploit all Intel chips dating back to 2011
The tech world has seen its share of large-scale security problems over the years. Two of the largest in recent memory were the Meltdown and Spectre attacks made possible by flaws in Intel (and other) CPUs. But those were patched relatively quickly, and the vast majority of computers should never be exposed to a similar attack again. Right?
Don’t hold your breath. Researchers (some of whom helped discover the Spectre and Meltdown bugs) have detailed a new attack vector via a similar flaw in Intel CPUs. Dubbed “ZombieLoad,” the new attack is much the same as Spectre and Meltdown but seems to be limited to Intel CPUs only. Unfortunately, that includes Intel CPUs dating as far back as 2011, which would include most Intel-based computers still in use today.
ZombieLoad uses a flaw in an Intel chip’s speculative execution, a modern feature in which the CPU predicts what work it will be asked to do next and loads data ahead of time. Speculative execution helps with performance and generally benefits users by providing a smoother and faster computing experience. However, ZombieLoad can take advantage of flaws similar to those that made Spectre and Meltdown such large threats.
At its core, ZombieLoad exploits so-called “zombie loads” of data that a CPU can’t process cleanly. The CPU then invokes microcode to prevent a system crash. The ZombieLoad attack uses this opportunity to leak data from other applications, including passwords, keys, and some critically sensitive data.
Worse yet, ZombieLoad isn’t limited to a user’s machine. The attack can also be triggered in cloud servers and virtual machines, even those designed to run isolated from their host devices.
Researchers demonstrated ZombieLoad by accessing website data that was being viewed by a user in real time. The research team stated that the exploit could be retooled to nab passwords and sensitive data. ZombieLoad also doesn’t normally leave a trace, making an attack difficult to detect.
The good news is that it’s unlikely anyone has used the exploit in a large-scale attack. ZombieLoad, like Spectre (and to a degree Meltdown), requires quite a bit of skill to pull off properly, and there are simpler ways to steal information. After all, the weakest point in most computer systems’ security is the end user.
Intel has already released microcode patches, and other OEMs and service providers like Apple, Microsoft, and Google have released patches of their own. The downside is that Intel’s microcode patches will impact performance to some degree, although Intel told TechCrunch that the impact should be between 3% and 9%, depending on whether or not Hyper-Threading is enabled. The exploit doesn’t seem to affect AMD- or ARM-based computers, so those users shouldn’t need any updates at this time.
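To confirm that the microcode and OS patches described above have taken effect on a Linux machine, the kernel's own status line can be read and classified. This is an added example, not part of the original article. It assumes a Linux kernel that reports ZombieLoad under its "mds" entry in sysfs, with status strings as given in the kernel's hw-vuln documentation; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the Linux kernel's MDS status line (ZombieLoad is reported under "mds").
# Assumption: status strings follow Documentation/admin-guide/hw-vuln/mds.rst.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds "<status line>" prints a single verdict word.
classify_mds() {
    status=$1
    case $status in
        "Not affected"*)                  echo not-affected; return ;;
        # Kernel tries to clear buffers, but the CPU lacks the updated microcode.
        "Vulnerable"*"no microcode"*)     echo needs-microcode; return ;;
        "Vulnerable"*)                    echo unmitigated; return ;;
        "Mitigation: Clear CPU buffers"*) ;;
        *)                                echo unknown; return ;;
    esac
    # Buffer clearing is active; what remains is exposure between
    # sibling hyperthreads that share one physical core.
    case $status in
        *"SMT vulnerable"*)         echo mitigated-smt-exposed ;;
        *"SMT Host state unknown"*) echo mitigated-smt-unknown ;;
        *)                          echo mitigated ;;
    esac
}

# report_mds prints the live status of this host, if the kernel exposes it.
report_mds() {
    if [ -r "$MDS_FILE" ]; then
        line=$(cat "$MDS_FILE")
        printf '%s -> %s\n' "$line" "$(classify_mds "$line")"
    else
        echo "no mds entry: kernel predates the reporting interface, or not Linux"
    fi
}

# Constructed sample lines, so the script shows output on any machine.
for sample in \
    "Mitigation: Clear CPU buffers; SMT vulnerable" \
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
    "Mitigation: Clear CPU buffers; SMT disabled"
do
    printf 'sample: %s -> %s\n' "$sample" "$(classify_mds "$sample")"
done
report_mds
```

A verdict of mitigated-smt-exposed means the patches are active but Hyper-Threading is still on, which is the configuration behind the lower end of the performance range quoted above; mitigated-smt-unknown is what a virtual machine reports when it cannot see the host's setting.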