Last minute geek

last minute tech news from around the net

Sunday, Aug 18th

Last update12:03:00 AM

You are here: English BoingBoing ibag A year after Meltdown and Spectre, security researchers are still announcing new serious risks from low-level chip operations

A year after Meltdown and Spectre, security researchers are still announcing new serious risks from low-level chip operations

User Rating: / 0
Spectre and Meltdown are a pair of chip-level security bugs that exploit something called "speculative execution," through which chips boost performance by making shrewd guesses about which computer operations are performed together. Spectre and Meltdown represented a new class of never-seen-before attacks, and as news of their existence percolated through security circles, it sparked a scavenger hunt for more errors of their sort, with many more coming to light. Intel calls these "Microarchitectural Data Sampling" (MDS) attacks, and now a team of industry and academic researchers (some of whom worked on the original Spectre/Meltdown papers) have gone public with a new set of MDS bugs that Intel was given advance notice of (some of these bugs were discovered more than a year ago). All but the most recent Intel chips are vulnerable to these attacks (you can check your system here). The researchers have dubbed the new defects CPU Fail, and they have disclosed three CPU Fail attacks: Zombieload, RIDL, and Fallout, which they class as "less serious than Meltdown but worse than Spectre." The specifics vary for each defect, but the most significant fact about them is that they can force CPUs to reveal data that's private to another process running on the same system. That means that an attacker can run code on a cloud computer that gives them access to other virtual machines running on the same hardware -- or they can run Javascript in your browser window and steel secrets from your password manager. Read the rest

Read all
Comment Policy:
We pre-moderate any comments and welcome all kinds of thoughts, supportive, dissenting, critical or otherwise. We delete or censor comments that are:

* abusive
* off-topic
* contain personal attacks, or against any company or organization
* promote hate of any kind
* use excessively foul language
* is blatantly spam or advertising

We do not discriminate based on the person who is posting, and we never censor comments for political or ideological reasons. We never delete an appropriate comment because we disagree with its viewpoint or ideology, and we never publish an inappropriate comment because we agree with or support its viewpoint or ideology.

Attention spammers: we manually approve all comments. Spamming and blatant advertising will NOT be published on this site and is deleted immediately, you've been warned, do not waste your time here.

Add comment

Security code