Skip to main content

ZombieLoad is Meltdown resurrected. Here’s how to secure your PC right now

HP Spectre 13 2017 Review
Mark Coppock/Digital Trends

Less than a year and a half since Intel had its first public meltdown after finding the highly publicized Meltdown and Spectre security flaws, researchers have discovered a new security vulnerability called Microarchitectural Data Sampling (MDS) — which leaves computers dating back to 2008 vulnerable to eavesdropping attacks.

Fortunately, Intel learned its lesson from the first Meltdown discovery, and it finds itself better prepared to address the recently published security flaw that, if unpatched, could leave computers — ranging from laptops to cloud-based servers — exposed to eavesdropping by an attacker.

Back from the grave

A series of updates were recently deployed to address the newly uncovered security flaw. Whether you’re on a Windows PC or a Mac, you should stay up to date with your security patches to mitigate the risk of attack. Business customers operating their infrastructure from the cloud should check with their service providers to ensure that that latest available security patches will be applied as soon as possible.

MDS was discovered by a wide range of researchers from security firms like Bitdefender, Cyberus, Oracle, and Qihoo360 as well as academic institutions like the University of Michigan, Vrije Universiteit Amsterdam, KU Leuven in Belgium, Austria’s TU Graz, University of Adelaide, Worcester Polytechnic Institute, and Germany’s Saarland University. Researchers have discovered four distinct ways of carrying out MDS attacks, and though some of the attacks were discovered more than a year ago, Intel had asked that the researchers to keep their findings private until a patch was available.

“Academics have discovered four such MDS attacks, targeting store buffers, load buffers, line fill buffers (aka the Zombieload attack), and uncacheable memory — with Zombieload being the most dangerous of all because it can retrieve more information than the others,” ZDNet reported. Some of the attacks, researchers cautioned, could even require hardware changes to the chips to mitigate. Intel claims that some of its chips released within the last month already ship with a fix.

While MDS works in a similar way to Meltdown and Spectre by relying on Intel’s use of speculative execution to boost CPU performance by allowing the processor to guess what data will be required for execution in advance, attackers are able to eavesdrop when data is moving between various components of a processor. In previous attacks, sensitive data was accessed from memory, but in the case of MDS, the data can be accessed from the cache. Anything that passes through the processor, from the website you’ve visited to your password and credit card data, could be accessed through MDS. Hackers can even leverage MDS to extract the decryption keys to an encrypted drive.

Fixing Intel’s chipocalypse

Gregory Bryant, Intel senior vice president in the Client Computing Group, displays a “Lakefield” reference board during Intel Corporation’s news event at CES 2019 on Jan. 7, 2019, in Las Vegas.
Walden Kirsch/Intel Corporation

Intel has readied a fix for MDS, but the patch will need to be deployed through different operating systems. For now, Apple claims that a recent update to its MacOS Mojave operating system and Safari desktop browser already included the fix, so Mac users should download the latest updates if they haven’t already done so. Google also claimed that its recent products already contains a fix, while Microsoft issued a prepared statement stating that a fix will be ready later today. Windows 10 users are advised to download this patch.

“We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips,” Microsoft said.

Amazon Web Services have also deployed fixes. “AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS,” AWS said in a statement. “All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level. Updated kernels and microcode packages for Amazon Linux AMI 2018.03 and Amazon Linux 2 are available in the respective repositories (ALAS-2019-1205).”

Though chips released starting last month already contained a hardware level fix, Intel claims that microcode updates are enough. “For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today,” the chipmaker said in a statement.

Security researchers from TU Graz and VUSec disagreed with Intel’s conclusion and advised that hyperthreading be disabled, as this process could make it easier for attackers to carry out MDS attacks. In an interview with Wired, Intel downplayed the flaw rating the four vulnerabilities at a low to medium severity, and the company claimed that disabling hyperthreading is not necessary. Intel claims that a lot of noise is also leaked, and it would be very difficult for an attacker to infer your secret data.

At this point, AMD and ARM silicon are not affected by the vulnerability. If your system is running an Intel chip, be sure to apply the latest software patches and check for any new system updates in the coming days.

Editors' Recommendations

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
I’m building a new PC — here’s how I chose the components for it
The Hyte Y40 PC case sitting on a table.

Building a new PC is an exciting time for a gaming enthusiast -- even more so when it's been a long time and you've been working with outdated hardware. However, it can also be a pretty intimidating process if you're new to it, and as your gaming experience will be affected by these choices for the years to come, it can be hard to choose which parts to buy.

Having gone through this process myself, I've made all these choices very recently. Below, I'll show you what's worth thinking about when you build your own PC, and why I ultimately picked the components that I did.
Budget and use case

Read more
Chrome has a security problem — here’s how Google is fixing it
Google Chrome icon in mac dock.

Google is looking to get ahead of high-severity vulnerabilities on its Chrome browser by shortening the time between security updates.

The brand hopes that more frequent updates will give bad actors less time to access and exploit n-day and zero-day flaws found within Chrome browser code.

Read more
AI can now steal your passwords with almost 100% accuracy — here’s how
A digital depiction of a laptop being hacked by a hacker.

Researchers at Cornell University have discovered a new way for AI tools to steal your data -- keystrokes. A new research paper details an AI-driven attack that can steal passwords with up to 95% accuracy by listening to what you type on your keyboard.

The researchers accomplished this by training an AI model on the sound of keystrokes and deploying it on a nearby phone. The integrated microphone listened for keystrokes on a MacBook Pro and was able to reproduce them with 95% accuracy -- the highest accuracy the researchers have seen without the use of a large language model.

Read more