Cyber security researchers have discovered a class of vulnerabilities in Intel chips that could be exploited to steal sensitive information, unencrypt data and spy on tasks handled by the processor.
The bugs, dubbed ‘ZombieLoad’, affect almost every computer that uses an Intel chip released since 2011.
What does ZombieLoad do?
ZombieLoad is a side-channel attack that enables criminals to exploit design flaws, rather than inject malicious code. In a proof-of-concept video, the researchers showed that the bugs could be exploited to see in real time which websites a person visits, but the same technique could be used to steal passwords or access users’ login credentials.
If exploited, ZombieLoad could affect “user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys” the researchers said.
As with Meltdown and Spectre, two similar vulnerabilities that were discovered last year, ZombieLoad affects the Cloud as well as PCs. Amazon Web Services, Microsoft Azure and Google Cloud are among the major Cloud computing platforms that use Intel and are all therefore vulnerable to an attack.
Are you at risk?
It’s not yet clear how big of a risk ZombieLoad is, which is promising from an information security perspective – at least if you believe the adage that ‘no news is good news’. The researchers said there were no confirmed incidents of ZombieLoad being exploited but conceded that they were unsure whether such an attack would leave a trace.
Thankfully, Intel has already released a patch for vulnerable processors, and tech giants Apple, Microsoft and Google have all released their own updates.
As with all cases like this, patches only work if they are installed. This should have happened automatically, but the security–conscious might want to confirm that their devices are secure.
In an organisational context, the IT department will be responsible for updates. When it comes to patching personal devices, you can follow the instructions on Intel’s website.