It's that time again, there's another set of security vulnerabilities in Intel processors going back to 2011. Called ZombieLoad, this involves four bugs that can be used to steal sensitive information directly from the processor via a side-channel attack.
Just like with Meltdown and Spectre, these vulnerabilities are primarily a concern for cloud environments, where virtual machines from different customers run on the same machine.
ZombieLoad takes its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.
Intel distributed a microcode update but unfortunately this patch results in yet another performance drop. While Intel claims the update is unlikely to have a noticeable impact in most scenarios, the firm does acknowledge it can lead to a 3 percent performance hit on consumer devices, and an up to 9 percent performance hit for datacenter applications.
There's also some disagreement between Intel and security researchers from TU Graz and VUSec about the severity of the flaw. The latter recommend the disabling of Hyper-Threading to protect against possible attacks.