Image credit: Anadolu Agency via Getty Images

Intel is patching its Zombieload CPU security flaw for the third time

Security researchers say the company needs to change its approach.

For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the speculative functionality of its processors. On Monday, the company said it will issue a software update "in the coming weeks" that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws. This latest update comes after the company released two separate patches in May and November of last year.

Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn't work on Intel's more recent chips. Moreover, a hacker can't execute the attack using a web browser. Intel also says it's "not aware" of anyone taking advantage of the flaws outside of the lab.

However, as happened when the company issued its second MDS patch in November, security researchers are criticizing Intel for its piecemeal approach. "We spent months trying to convince Intel that leaks from L1D evictions were possible and needed to be addressed," the international team of computer scientists that discovered the flaw wrote on their website. In an addendum to their original paper, there's a sense of exasperation with the company. "We reiterate that RIDL-class vulnerabilities are non-trivial to fix or mitigate, and current 'spot' mitigation strategies for resolving these issues are questionable," the researchers write. "Moreover, we question the effectiveness of yearlong disclosure processes and also raise concerns on their disruptive impact on the academic process."

Intel downplayed the criticism, saying that it has taken significant steps to reduce the danger the flaws represent to its processors. "Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues," a spokesperson for the company said. "We continue to conduct research in this area – internally, and in conjunction with the external research community."
