Intel chip flaw allowed hackers to watch you browse the web

By Chris Burns/May 14, 2019 2:54 pm EST

There's a flaw in the vast majority of Intel chips from here back to the year 2011 called ZombieLoad. That's what security researchers are calling it, anyway. The name refers to data a processor cannot handle, a "zombie load" which can be exploited thanks to a code vulnerability in Intel hardware.

In the proof of concept video you'll see below, Intel chips allowed the attack to take place. This ZombieLoad business is similar to security nightmares Meltdown and Spectre – though not exactly on the same level with regard to difficulty. Affected systems include Windows, Android, Chrome, iOS, Linux, and MacOS.

ZombieLoad vulnerabilities were logged by Microsoft as:

• CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS) 

• CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS)

• CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS)

• CVE-2018-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

Desktop computers, laptops, and virtual machines are all vulnerable to ZombieLoad – or at least they were before they were patched. Which is good, since this vulnerability exploit has the potential to leave no trace. The patch is out now, for Intel machines of all sorts.

This includes all Intel Atom and Knight processors. It also includes Intel Xeon, Intel Broadwell, Haswell, Sandy Bridge, and Skylake hardware. Intel's many lakes are affected as well – that includes Coffee Lake, Whiskey Lake, Kaby Lake, and Cascade Lake chips.

Microsoft released a patch for all Windows machines they've been able to work with. Microsoft security update released this week gives guidance on network computers and odd machines.

Apple released a patch that includes macOS Mojave 10.14.5. This patch was released on Monday of this week. Google patched Android and Chrome, and all Google datacenters were patched by the time this article was released.

In general you should head to your device's Settings, and to Software Update, and make sure to hit the download button. This isn't the sort of security issue that you'll likely be the victim of as a private citizen – but you never know!