The bugs just don’t stop. It’s been a bad week for security, beginning with hardware and software vulnerabilities affecting potentially “tens of millions” of Cisco enterprise routers, switches, and firewalls, as well as a ransomware attack on Git repositories. And it continued with another Meltdown-like flaw in Intel processors called ZombieLoad and other critical vulnerabilities in Microsoft Windows operating systems.
Like the earlier Meltdown, Spectre, and Foreshadow processor flaws, the newly discovered ZombieLoad (or, as Intel calls it, Microarchitectural Data Sampling) is a side-channel attack that lets attackers steal sensitive data and keys. It allows one virtual machine (VM) to read information belonging to other VMs that it has no permission to access. ZombieLoad affects any operating system running on x86 chips, including those on cloud servers.
A team of academics at Graz University of Technology and KU Leuven, together with threat researchers from Bitdefender, discovered ZombieLoad. No attacks have been publicly reported, but the researchers say they don’t know whether the bug has already been abused in the wild.
Intel has already issued patches for the affected processor families, which span products released since 2011, and other companies including Microsoft, Apple, Google, and Amazon have updated their products as well.
But, as Apple warns, servers could take a performance hit from mitigating ZombieLoad, because full mitigation may require customers to disable Intel’s hyper-threading feature. Apple said it found “as much as a 40% reduction in performance with tests that include multithreaded workloads and public benchmarks.”
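Because the hyper-threading trade-off is the part an administrator has to decide on, it helps to see what the patched kernel actually reports. The script below is an added example, not code from the article or from any of the vendors named in it. It assumes a Linux kernel that exposes the MDS status under `/sys/devices/system/cpu/vulnerabilities/mds` and the SMT flag under `/sys/devices/system/cpu/smt/active`; the sample status lines are constructed in the kernel’s own format so the classifier can be exercised on a machine that lacks those files.

```python
"""Report a Linux host's MDS (ZombieLoad) mitigation status from sysfs.

Added example, not part of the article. Assumes a kernel that exposes the two
sysfs paths below (kernels carrying the MDS mitigation do; older ones do not).
"""

MDS_STATUS_PATH = "/sys/devices/system/cpu/vulnerabilities/mds"
SMT_ACTIVE_PATH = "/sys/devices/system/cpu/smt/active"


def classify_mds(status_line, smt_active):
    """Map one MDS status line plus the SMT flag to a verdict.

    Returns (verdict, detail) where verdict is one of 'not_affected',
    'vulnerable', 'mitigated', 'partial' or 'unknown'. 'partial' means the
    kernel clears CPU buffers but hyper-threading is still on, so a sibling
    thread can still sample data; that is the case Apple's warning is about.
    """
    line = status_line.strip()
    if line.startswith("Not affected"):
        return "not_affected", line
    if line.startswith("Vulnerable"):
        return "vulnerable", line
    if line.startswith("Mitigation:"):
        # The kernel appends "; SMT vulnerable" when hyper-threading is still on.
        if smt_active or "SMT vulnerable" in line:
            return "partial", line
        return "mitigated", line
    return "unknown", line


def read_sysfs(path, default):
    """Read a small sysfs file; fall back when the kernel does not expose it."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def check_host():
    """Classify the running host; yields ('unknown', '') on kernels without the files."""
    status = read_sysfs(MDS_STATUS_PATH, "")
    smt_active = read_sysfs(SMT_ACTIVE_PATH, "0") == "1"
    return classify_mds(status, smt_active)


# Constructed sample lines in the format the kernel writes to the mds file.
SAMPLE_LINES = [
    ("Not affected", False),
    ("Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable", True),
    ("Mitigation: Clear CPU buffers; SMT vulnerable", True),
    ("Mitigation: Clear CPU buffers; SMT disabled", False),
]

if __name__ == "__main__":
    for line, smt in SAMPLE_LINES:
        verdict, detail = classify_mds(line, smt)
        print(f"{verdict:13s} <- {detail}")
    verdict, detail = check_host()
    print(f"this host: {verdict} ({detail or 'sysfs entry not present'})")
```

A `partial` verdict is the state most patched-but-untouched servers end up in: microcode and kernel updates are applied, but SMT is left on for performance, which is exactly the trade-off the Apple figures describe.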
Meanwhile, Microsoft issued a slew of patches on Tuesday to fix 79 vulnerabilities, 19 of which it rated critical. Besides ZombieLoad, these included CVE-2019-0725, a flaw in Windows Server’s DHCP server that could let a remote attacker target the system.
It also patched CVE-2019-0708, a “wormable” vulnerability that Microsoft likened to the WannaCry malware that spread across the globe in 2017. The bug allows an unauthenticated attacker to send specially crafted packets to Windows Server’s Remote Desktop Services and run code on the system. It is serious enough that Microsoft issued updates for Windows 2003 and XP, older operating systems it usually no longer patches.
“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” Microsoft said in a blog post.