Intel has revealed a vulnerability in its chips that could lead them to leak data to attackers, underlining the risks from a new flaw in modern chip designs that first surfaced last year.
Security researchers warned that the flaw could pose a particular risk to information being processed in cloud data centres, which many large businesses and governments rely on to handle part of their computing needs.
Known as ZombieLoad, the problem exists in all Intel chips made since 2011, though the chipmaker said its latest microprocessors had been fixed at the hardware level to prevent the problem. Older chips will need an update to their microcode, along with updates to the operating systems running on them.
Intel said on Tuesday that exploiting the flaw would be “extremely complex relative to other methods that attackers have at their disposal,” and that there have been no reports of attackers using the vulnerability to steal data.
The flaw is "hard to exploit – but it's also hard to fix," said Ben Johnson, chief technology officer at Obsidian Security. "It's the underpinnings of our hardware – which is the underpinnings of our clouds, our desktop computers."
News of the ZombieLoad problem follows the disclosure early last year of two pervasive chip vulnerabilities known as Spectre and Meltdown, which were the first-known examples of a new type of design flaw in chips that could open them to attack.
The problem stems from a process known as speculative execution, whereby chips carry out actions on data before being called on by the application in the hopes of anticipating the instructions they will receive next.
The technique plays a central role in speeding up all modern computer chips. But it also potentially opens them up to attack if the data is pushed into a different part of the hardware system where it could be accessed by attackers.
Fixing the ZombieLoad problem could slow down some computer systems considerably if it limits how many different “threads” they can process at the same time.
Apple, one of several companies to put out a software update on Tuesday, said the fix "may reduce performance by up to 40 per cent". However, warnings that computer performance would suffer because of the fixes to Spectre and Meltdown last year were not followed by widespread reports of problems.
The ZombieLoad flaw is most likely to be exploited in situations where computers run multiple tasks at the same time, because data leaked from one application could be picked up by another, researchers said. That is particularly true in cloud data centres, where applications for different customers run on the same computer, taking advantage of a technique called virtualisation.
The data leaked by speculative execution flaws is unlikely to be of use except to the most determined attackers, said Mr Johnson. An attacker would have to penetrate the hardware and then sift large amounts of random information in search of anything useful. He added, though, that stray pieces of valuable data, like computer encryption keys, could be picked up this way. – Copyright The Financial Times Limited 2019