Intel is in the security doo-doo again with a new major vulnerability known as ZombieLoad, something that affects virtually every processor Intel has made and sold since 2011. The problem? Intel didn't really care, and seemed to have even bribed people with a $40,000 "reward" with a bonus payment of $80,000 which were both refused.
A post on Reddit in /r/hardware by 'EverythingisNorminal' said that a Google translation of a Dutch report about VU University Amsterdam's announcement of this latest (among many) of Intel security leaks is worse than we think. Before we get into ZombieLoad, this is what the Reddit post reads: "According to the VU, Intel tried to downplay the severity of the leak by officially paying $40,000 in reward and "$80,000" in addition. That offer was politely refused".
The report added: "If it were up to Intel, they would have wanted to wait another six months". This right here is awful if true.
ZombieLoad is a side-channel attack that targets Intel CPUs and allows hackers to exploit design flaws versus injecting malicious code, but ARM and AMD processors are not vulnerable. The problem with ZombieLoad is something that made the Meltdown and Spectre vulnerabilities bad, in that they don't just affect CPUs in servers, laptops and desktops -- but also the cloud.
The new ZombieLoad vulnerability can be exploited in virtual machines, something that VMs were not meant to be affected by. The issues that stem from this is that ZombieLoad allows hackers to access the information through the Intel CPU through the VM, just like the VM wasn't even there in the first place. The world of a virtual machine is meant to be safe from exploits like ZombieLand, Spectre, and Meltdown.
All it'll take for people to be infected is to download a ZombieLoad-infected app or malware, and then hackers can run the attack on the machine. One of the researchers behind the discovery of ZombieLoad, Daniel Gruss, explained that the new vulnerability is "easier than Spectre" but "more difficult than Meltdown" to exploit -- referring to the skills and effort required to complete an attack.
There are patches by tech giants released already for ZombieLand, with Apple, Amazon, Google, Microsoft and Mozilla all releasing patches to fix the holes created by ZombieLoad. Apple has released macOS fixes for ZombieLoad, and will soon be pushed to Sierra and High Sierra versions while the iOS-based devices aren't affected.
Google has patched Android and will soon update Chrome to secure it from ZombieLoad, while Mozilla has plans for a "long-term fix" for its popular browser Firefox. Microsoft is pushing out updates to Windows and the cloud, as well as "working closely with affected chip manufacturers to develop and test mitigations" for its customers.
Meanwhile Amazon has patched its cloud service Amazon Web Services so that it can't be attacked.
AMD explained in a post: "At AMD we develop our products and services with security in mind. Based on our analysis and discussions with the researchers, we believe our products are not susceptible to 'Fallout', 'RIDL' or 'ZombieLoad Attack' because of the hardware protection checks in our architecture. We have not been able to demonstrate these exploits on AMD products and are unaware of others having done so".