Is your Intel CPU secured from the ZombieLoad Attack?

Since the discovery of the widely publicized Spectre and Meltdown, four distinct security exploits, ZombieLoad, Fallout, RIDL, and Store-to-Leak Forwarding, have been discovered and exploited, the newest being ZombieLoad. Collectively, these attacks are known as Microarchitectural Data Sampling. Today’s blog will mostly cover what the ZombieLoad attack is, how it works, and how to protect your devices against ZombieLoad.

This week’s decipher:

Microarchitectural Data Sampling – a class of critical vulnerabilities found in Intel processors that allows attackers to steal sensitive data and keys directly from your processor.

ZombieLoad – an attack that resurrects your private browsing history and other sensitive data, allowing information to leak from other applications, the operating system, virtual machines in the cloud, and trusted execution environments.

RIDL – an attack that leaks information across security domains from different buffers inside Intel processors, such as line-fill buffers and load ports. It has been demonstrated against other applications, the operating system, other virtual machines, and trusted execution environments.

Fallout – an attack that allows reading data the operating system recently wrote and figuring out where the operating system sits in memory, which strengthens other attacks.

Store-To-Leak Forwarding – an attack that exploits CPU optimizations introduced by the store buffer to break address randomization, to monitor the operating system, or to leak data when combined with Spectre gadgets.

Speculative execution – a feature of Intel processors that lets the processor predict what a program needs next in order to improve performance.

ZombieLoad affects every Intel processor made since 2011. These processors can be found in all MacBooks, a large number of Windows PCs, most Linux servers, many Chromebooks, and even virtual machines in the cloud. AMD and ARM processors are exceptions, as they are not yet affected by the ZombieLoad attack.

How does the ZombieLoad attack work?

Weaknesses in speculative execution, which is widely used, are exploited to steal data from the processor. The exploit arises because the processor speculates which operations will be requested in the next few milliseconds and, to save processing time, executes those speculated operations ahead of time. This is the weakness that is exploited.

Because the speculated operations are executed before they are actually needed, their results are held in the CPU’s short-term memory caches. The ZombieLoad attack allows attackers to read those results and steal the data directly from the CPU’s short-term memory caches.

That leaked data can be used to view:

  • What websites a person is viewing in real time
  • Browser history
  • Website content
  • User keys
  • User passwords
  • Disk encryption keys

You can see a clip of it in action on ZombieLoadAttack.com, also linked in the sources below.

Protecting your devices from the ZombieLoad attack

Because this happens within the CPU’s short-term memory cache, the attack is not easily detectable. Neither antivirus software nor internet security suites can scan for the vulnerability and mitigate the risks. Basically, if you purchased an Intel CPU, or a computer with an Intel CPU, manufactured from 2011 onward, you are vulnerable.


However, fixes have been deployed across Windows PCs, Android devices, Macs, Linux, and Chromebooks. For more information, see the TechRadar article by Matt Hanson, “How to protect your devices against the ZombieLoad attack”, linked below.
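To check whether those fixes are actually active on a Linux machine, here is an added shell example (not from the original post) that classifies the status line the kernel exposes for MDS; the sysfs path and the exact wording of the kernel's status strings are assumptions on my part, so verify them against your kernel's documentation.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the MDS/ZombieLoad
# mitigation status reported by the Linux kernel. Assumed path and wording
# follow the kernel's sysfs vulnerability interface.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_verdict STATUS -> prints one word describing the given status line
mds_verdict() {
    status="$1"
    case "$status" in
        "Not affected")
            echo not-affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # The kernel tries to flush CPU buffers, but without updated
            # microcode the flush instruction does nothing useful.
            echo vulnerable-no-microcode ;;
        Vulnerable*)
            echo vulnerable ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)
            # Buffers are flushed on context switches, but a sibling
            # hyperthread on the same core can still sample them.
            echo mitigated-smt-at-risk ;;
        "Mitigation: Clear CPU buffers"*"SMT Host state unknown"*)
            # Typical inside a VM: the guest cannot see whether the host
            # has disabled or mitigated SMT.
            echo mitigated-smt-unknown ;;
        "Mitigation: Clear CPU buffers"*)
            echo mitigated ;;
        *)
            echo unknown ;;
    esac
}

# mds_check_live -> classifies this machine's status, or reports that the
# sysfs entry is absent (older kernel, or not Linux)
mds_check_live() {
    if [ -r "$MDS_SYSFS" ]; then
        mds_verdict "$(cat "$MDS_SYSFS")"
    else
        echo no-sysfs-entry
    fi
}

echo "MDS status on this host: $(mds_check_live)"
```

Anything other than `not-affected` or `mitigated` means the host still needs a microcode or kernel update, or an SMT decision, before it can be considered protected.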

Conclusion

Sometimes cyber attacks on system vulnerabilities aren’t always apparent. The Spectre and Meltdown attacks have made us aware and prompted us to discover new security exploits. Knowing these exploits helps cybersecurity analysts and technology

Sources:
Tom’s Guide – ZombieLoad Attacks May Affect All Intel CPUs Since 2011: What to Do Now
ZombieLoadAttack.com – ZombieLoad Attack
CPU.fail
TechRadar – How to protect your devices against the ZombieLoad attack