Intel has announced a recently discovered set of vulnerabilities that affect select Intel processors. These vulnerabilities can leak data by allowing malicious code to read otherwise protected parts of system memory.
Like previous vulnerabilities (Meltdown and Spectre), these exploit speculative execution and provide a side channel through which malicious code can access recently used data that may have been used by many different applications and system resources, including virtual machines and the kernel. As with previous vulnerabilities affecting Intel processors, the resolution is a combination of software mitigation and hardware changes, the latter of which may not be viable for some. So be aware that while software may receive patches to mitigate, if your hardware falls within the affected generations, the only full solution is firmware from the manufacturer (if applicable) or replacing the hardware with an unaffected hardware generation.
In case you are worried about potential data leaks, the original researchers who found the CVE code-named “ZombieLoad” note that you can mitigate this exploit by disabling Intel Hyper-Threading on your affected device. Intel cautions that this is unlikely to be necessary if you run trusted software, and they do not recommend it, but it is really up to you to decide if the performance loss is worth the peace of mind.
If you are wondering if your processor may be affected, check the following Intel postings to help define the affected platforms and mitigation capabilities.
If you want to hit the ground running with mitigation now, check your operating system for updates. Microsoft and the Linux community have already released mitigation patches that help to address the problem. If you use Windows, check the security advisory ADV190013 for details on how to obtain patches for your particular operating system version and for more information about how the issue affects Windows. For those of us in the Linux world, look to your distribution maintainers for details on patches that mitigate the vulnerabilities for that distribution. Likewise, if you have an Intel-based x86 Chromebook, Google has released Chrome OS 74 to address this; its primary mitigation is that Hyper-Threading is forcibly disabled. You can read further about the Chrome OS 74 patch here.
There is a plethora of resources out now to help define the issues and the CVEs that have been created for these vulnerabilities, but we’d like to point out that Red Hat has done a great job of explaining the CVEs and provides links to resources with additional information. You can find the Red Hat MDS posting here.
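Once the patches are installed on Linux, you can confirm what the kernel actually applied, including whether Hyper-Threading is still a leak path. The script below is an added example, not part of the original post or any vendor tooling: it reads the kernel's standard sysfs files `cpu/vulnerabilities/mds` and `cpu/smt/control`, and the function names and the `SYSFS_ROOT` override are assumptions chosen here.

```shell
#!/bin/sh
# Report MDS (ZombieLoad-class) mitigation state from Linux sysfs.
# SYSFS_ROOT is an assumption for offline testing; leave it unset on a real host.

mds_classify() {
    # $1: text of cpu/vulnerabilities/mds   $2: text of cpu/smt/control
    report=$1
    smt_control=$2

    case $report in
        "")              echo "unknown: kernel exposes no MDS report"; return 3 ;;
        "Not affected"*) echo "ok: CPU not affected"; return 0 ;;
    esac

    # Hyper-Threading (SMT): prefer the kernel's verdict, fall back to smt/control.
    case $report in
        *"SMT disabled"*|*"SMT mitigated"*) smt=safe ;;
        *"SMT vulnerable"*)                 smt=exposed ;;
        *"SMT Host state unknown"*)         smt=unknown ;;  # guest cannot see the host
        *) case $smt_control in
               off|forceoff|notsupported) smt=safe ;;
               on)                        smt=exposed ;;
               *)                         smt=unknown ;;
           esac ;;
    esac

    case $report in
        "Mitigation: "*)
            if [ "$smt" = safe ]; then
                echo "ok: CPU buffers cleared, SMT disabled or mitigated"; return 0
            fi
            echo "partial: CPU buffers cleared, SMT state $smt"; return 1 ;;
        *"no microcode"*)
            echo "action: kernel patched but microcode update missing"; return 2 ;;
        Vulnerable*)
            echo "action: no MDS mitigation active"; return 2 ;;
        *)  echo "unknown: unrecognised report: $report"; return 3 ;;
    esac
}

mds_check() {
    cpu="${SYSFS_ROOT:-}/sys/devices/system/cpu"
    mds=$(cat "$cpu/vulnerabilities/mds" 2>/dev/null) || mds=""
    ctl=$(cat "$cpu/smt/control" 2>/dev/null) || ctl=""
    mds_classify "$mds" "$ctl"
}

# Run against the live system only when asked: sh mds_check.sh --check
if [ "${1:-}" = "--check" ]; then mds_check; fi
```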
If you are interested in learning more about these vulnerabilities, the CPU.fail site, maintained by the Graz University of Technology, has short definitions and links to additional information on each vulnerability code name.