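Intel chip flaws leak sensitive data; major tech companies release new patches to fix the defects

Security researchers have discovered vulnerabilities in Intel chips that, if exploited, can be used to steal sensitive information directly from the processor, including secrets (such as passwords, keys and account tokens) and private messages. Almost every computer with an Intel chip is affected by these vulnerabilities. Apple, Amazon, Google, Microsoft and Mozilla have released patches for the ZombieLoad chip flaws to fix the newly disclosed security defects.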

New secret-spilling flaw affects almost every Intel chip since 2011

Zack Whittaker@zackwhittaker

Security researchers have found a new class of vulnerabilities in Intel chips which, if exploited, can be used to steal sensitive information directly from the processor.

The bugs are reminiscent of Meltdown and Spectre, which exploited a weakness in speculative execution, an important part of how modern processors work. Speculative execution helps processors predict to a certain degree what an application or operating system might need next and in the near-future, making the app run faster and more efficient. The processor will execute its predictions if they’re needed, or discard them if they’re not.

Both Meltdown and Spectre leaked sensitive data stored briefly in the processor, including secrets — such as passwords, secret keys and account tokens, and private messages.

Now some of the same researchers are back with an entirely new round of data-leaking bugs.

“ZombieLoad,” as it’s called, is a side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. Intel said ZombieLoad is made up of four bugs, which the researchers reported to the chip maker just a month ago.

Almost every computer with an Intel chip dating back to 2011 is affected by the vulnerabilities. Unlike with earlier side-channel attacks, AMD and ARM chips are not said to be vulnerable.

ZombieLoad takes its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.

Practically, the researchers showed in a proof-of-concept video that the flaws could be exploited to see which websites a person is visiting in real-time, but could be easily repurposed to grab passwords or access tokens used to log into a victim’s online accounts.

 

Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.

Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware.

Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said.

What does this mean for the average user? There’s no need to panic, for one.

These are far from drive-by exploits where an attacker can take over your computer in an instant. Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack.

But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.

There are far easier ways to hack into a computer and steal data. But the focus of the research into speculative execution and side channel attacks remains in its infancy. As more findings come to light, the data-stealing attacks have the potential to become easier to exploit and more streamlined.

But as with any vulnerability where patches are available, install them.

Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips. Intel Kaby Lake, Coffee Lake, Whiskey Lake and Cascade Lake chips are also affected, as well as all Atom and Knights processors.
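A way to confirm that the buffer-clearing mitigation and the microcode update are both in effect on a Linux host, given as an added example that is not part of the original article. It assumes a kernel that exposes the MDS status file under `/sys/devices/system/cpu/vulnerabilities/`; the sample strings are constructed to follow the format in the kernel's MDS documentation.

```python
from pathlib import Path

# Status file exposed by Linux kernels that carry the MDS mitigation.
MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

def assess_mds(status: str) -> dict:
    """Turn the kernel's one-line MDS status into a structured verdict."""
    status = status.strip()
    # Format: "<mitigation state>[; <SMT state>]"
    head, _, smt = status.partition(";")
    head, smt = head.strip(), smt.strip()
    result = {"raw": status, "affected": True, "buffers_cleared": False,
              "microcode_ok": False, "smt": smt or None, "actions": []}
    if head == "Not affected":
        result["affected"] = False
        return result
    if head.startswith("Mitigation: Clear CPU buffers"):
        # Kernel clears CPU buffers and the microcode supports it.
        result["buffers_cleared"] = True
        result["microcode_ok"] = True
    elif "no microcode" in head:
        # Kernel attempts the clearing, but the microcode update is missing.
        result["actions"].append("install the CPU microcode update")
    else:
        # Plain "Vulnerable" or an unrecognised string: treat as unmitigated.
        result["actions"].append("update the kernel and CPU microcode")
    if smt == "SMT vulnerable":
        # Sibling hardware threads share the buffers the mitigation clears.
        result["actions"].append("review SMT (Hyper-Threading) exposure")
    return result

def read_local_status(path: Path = MDS_SYSFS):
    """Return the local status line, or None if the file is unavailable."""
    try:
        return path.read_text()
    except OSError:
        return None

# Constructed sample status lines (not captured from a real machine).
SAMPLES = [
    "Not affected",
    "Vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
]

if __name__ == "__main__":
    local = read_local_status()
    for line in ([local] if local else SAMPLES):
        print(assess_mds(line))
```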

But other tech giants, like consumer PC and device manufacturers, are also issuing patches as a first line of defense against possible attacks.

Computer makers Apple and Microsoft and browser maker Google have released patches, with other companies expected to follow.

In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios.

And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user.

But with patches rolling out today, there’s no reason to pass on a chance to prevent such an attack in any eventuality.

Apple, Amazon, Google, Microsoft and Mozilla release patches for ZombieLoad chip flaws

Big tech is stepping in to patch newly disclosed security flaws affecting almost every Intel chip since 2011.

Researchers on Tuesday released details of the vulnerability, known as ZombieLoad — or microarchitectural data sampling (MDS) as its technical name — which can leak sensitive data stored in the processor, such as passwords, secret keys and account tokens and private messages.

You can read our coverage here. In short, don’t panic — but you should patch your systems. Here’s how.

Apple released macOS fixes

Apple has fixes out for every Mac and MacBook released during and after 2011.

The tech giant said in an advisory that any system running macOS Mojave 10.14.5, released Monday, is patched. This will prevent an attack from being run through Safari and other apps. Most users won’t experience any decline in performance. But some Macs could face up to a 40% performance hit for those who opt in to the full set of mitigations.

The security update will also be pushed to Sierra and High Sierra versions. iPhones, iPads and Apple Watch devices aren’t affected by the bugs.

Google patches Android, will update Chrome

The search and browser maker also confirmed it has released patches to mitigate against ZombieLoad.

Google said the “vast majority” of Android devices aren’t affected but Intel-only devices will need to be patched once device makers make updates available.

Chrome OS devices, such as Chromebooks, are already protected in the latest version, and permanent mitigations will be pushed to devices in the next version.

And, the company’s Chrome team has a technical advisory out, but said users should rely on patches for their computer. “Operating system vendors may release updates to improve isolation, so users should ensure they install any updates and follow any additional guidance from their operating system vendor,” said Google. In other words, make sure your Windows PC or your Mac is patched.

Google also rolled out patches to its data centers, so cloud customers are already patched, but should be aware of the company’s guidance.

Mozilla plans long-term Firefox fix

Firefox browser maker Mozilla said it’s got a long-term fix on the way.

“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”

“Firefox Beta and Firefox Nightly already include the change,” the spokesperson said, adding that no action was recommended for browsers on Windows and Linux.

Microsoft rolls out Windows updates

Microsoft has released patches for its operating system and cloud.

Jeff Jones, a senior director at Microsoft, said the software and cloud giant has been “working closely with affected chip manufacturers to develop and test mitigations” for its customers. “We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips,” he said.

In a TechNet article, the company said customers may need to obtain directly from their device maker microcode updates for their processor. Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.

Software updates will be released Tuesday also through Windows Update. Microsoft also has a page with guidance for how to protect against the new attacks.

Microsoft Azure customers are already protected, the company said.

Amazon patches AWS

A spokesperson for Amazon has confirmed its cloud service Amazon Web Services has been updated to prevent attacks.

“AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS,” said an advisory posted on Amazon’s website. “All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.”

Updated article and headline to include remarks from Amazon and Mozilla.

Original link:

https://techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/

