Apple Patches ZombieLoad Vulnerabilities

Alfred Osborne
May 18, 2019

Like the Spectre and Meltdown vulnerabilities first disclosed in early 2018, the new batch takes advantage of side-channel vulnerabilities in the way Intel processors attempt to predict the next instruction they will have to execute. This load can contain sensitive data from apps and programs, and the flaw allows this information to be accessed.

Major tech companies Google, Apple, Amazon and Microsoft all released advisories Tuesday to instruct users of their devices and software, many of which rely on Intel hardware, on how to mitigate the vulnerabilities.

While the researchers are unable to confirm whether the vulnerability has been exploited by hackers, they add that it affects all Intel-made processors since 2011. While some of the vulnerabilities exploited by Spectre and Meltdown affected processors from AMD and Arm, the majority targeted flaws in Intel's processors - and were followed by mitigation patches which sapped performance and outright crashed systems.

Although no attacks exploiting the ZombieLoad bugs have been publicly reported, the researchers could not rule them out, because they say an attack would not necessarily leave a trace.

"This flaw is particularly unsafe for Intel-based public clouds running untrusted workloads in shared-tenancy environments, "Red Hat warns in a security alert".

As explained by TechCrunch's Zack Whittaker, ZombieLoad allows hackers to "exploit design flaws, rather than inject malicious code". "These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys". While Intel eventually rolled out stable fixes, though still with measurable performance impacts in many cases, it has since been fighting a string of similar vulnerabilities including Spectre Next Generation, Spectre 4, Spectre 1.1 and 1.2, SpectreRSB, NetSpectre, and more.

High winds force SpaceX to postpone first launch of Starlink satellites
An illustration of Starlink, a fleet or constellation of internet-providing satellites designed by SpaceX. EDT Wednesday (0230 GMT Thursday) from Cape Canaveral's Complicated 40 launch pad.

Dutch and British intel experts agree: Trump's right about Huawei
Customers using Huawei's mobile handsets could also face disruptions in their operating software , industry observers said. Members of Congress and administration officials said the move will make it hard for Huawei to sell many products.

Taiwan approves same-sex marriage in first for Asia
The DPP's bill will recognise unions as marriages, the same as heterosexual couples, and define partners as spouses. President Tsai Ing-wen is expected to sign the bill before a court deadline to legalize same-sex marriage.

"ZombieLoad is a novel category of side-channel attacks which we refer to as data-sampling attack", the researchers say in a Tuesday blog post.

The new vulnerability, called ZombieLoad, works on the same principle as the ones we've seen previous year.

The chip giant said that all future Intel processors will include hardware mitigations addressing these vulnerabilities.

Store buffer attack (aka Fallout): Targeting temporary buffers that hold store addresses and data.

Security researchers have revealed the Zombieload Attack to the public. Intel also faced questions from lawmakers about why it did not disclose the vulnerability to USA cybersecurity officials before it was made public.

Other reports by

Discuss This Article