Intel announces a third patch for ZombieLoad vulnerability
Intel has released yet another patch to fix the scary ZombieLoad vulnerability, the company announced yesterday.
This third patch promises to address a processor issue revealed last May with the codename ZombieLoad, or TSX Asynchronous Abort (TAA).
Though ZombieLoad was officially disclosed last year, Intel may have been made aware of the issue by independent researchers as early as June 2018, according to Wired.
The flaw – which Intel refers to as “microarchitectural data sampling” – essentially leaves sensitive user data open for hackers to grab.
Though this isn’t Intel’s first (or second) ZombieLoad patch, this latest fix aims to block two methods an attacker could use to access personal data: Vector Register Sampling and L1D Eviction Sampling.
The former is rated as a ‘low’ risk issue, while the latter is ranked ‘medium’.
Related: Best laptop
“CVE-2020-0548 is an information disclosure vulnerability with a CVSS score of 2.8, low, referred to as Vector Register Sampling. This issue is rated “low” as the user would first need to be authenticated on the target system, the high complexity of an attack, and low confidence in the attacker’s ability to target and retrieve relevant data”, explains Intel in a security blog post.
“CVE-2020-0549 is also an information disclosure vulnerability requiring authenticated local access. The CVSS score is 6.5, medium. Referred to as L1D Eviction Sampling, the severity score is higher on this one because the attack complexity is lower and the ability to target specific data higher. This vulnerability has little to no impact in virtual environments that have applied L1 Terminal Fault mitigations”.
Related: Best VPN
ZombieLoad affects chips built in 2011 all the way up to Intel’s latest high-end processors, leaving almost a decade customers anxious to install a fix.
The patch will be available to download through the Intel Platform Update (IPU) in the near future, says Intel.