
Intel 'fixes' Zombieload for third time—the CPU flaw that won't die


Intel's zombies won't stay dead. 

The chipmaker on Monday announced a third patch meant to address vulnerabilities that have plagued its processors for over a year. 

Expected in "the near future," these updates will fix two additional Zombieload vulnerabilities that were publicly disclosed by researchers as early as June 2018. Intel released two separate patches in May and November last year, but those blocked only certain threats, not all of them.

These latest issues are related to a flaw called TSX asynchronous abort, or TAA, which is in the same family as the microarchitectural data sampling (MDS) vulnerability that gives malicious programs the keys to read data they shouldn't have access to.

By exploiting the flaw, attackers could force a chip to leak sensitive information, including passwords and browsing history. The vulnerability affects all Intel processors released since 2011, including its latest processors.

Intel was aware that a threat remained, even after it pushed out the second of its Zombieload patches. 

"At the time, we confirmed the possibility that some amount of data could still potentially be inferred through a side-channel and would be addressed in future microcode updates," Intel wrote. 

How serious is this latest flaw?

Intel downplayed the significance of these latest vulnerabilities, giving one of them (CVE-2020-0548) a Common Vulnerability Scoring System (CVSS) rating of 2.8, or "low." 

The company justified the low score, claiming an attacker would first need to be authenticated on a system, and even then, the complexity of the attack makes it difficult to execute. 

The more concerning attack (CVE-2020-0549), nicknamed L1DES (for L1 data eviction sampling), has a severity score of 6.5, which falls into the "medium" threat category. This flaw is more dangerous because it's not as complex and it's easier for an attacker to target specific data. That said, the vulnerability doesn't work on Intel's newer chips (only those before 2018) and it can't be done over a web browser. 

Intel is "not aware" of any attempts to exploit these vulnerabilities outside of a lab. 

A bad look for Intel

It's been 18 months since Intel was first notified by security researchers of these flaws. Now the company is being criticized by those very researchers for its slow, piecemeal approach. 

"We reiterate that RIDL-class vulnerabilities are non-trivial to fix or mitigate, and current “spot” mitigation strategies for resolving these issues are questionable," the team of researchers wrote on its website.

"Moreover, we question the effectiveness of yearlong disclosure processes and also raise concerns on their disruptive impact on the academic process," they added. "We continue to work with Intel to improve their coordinated disclosure process and collaboration with academia."