I had a monster session of updating stuff yesterday. This is why…:
A new family of speculative execution side-channel vulnerabilities has been found in Intel CPUs and researchers and vendors are split over how severe the flaws are and how easy they are to exploit.
Even the name of the vuln family is a subject of disagreement among researchers, ranging from colorful to prosaic: ZombieLoad, Fallout, RIDL (Rogue In-Flight Data Load), YAM (Yet Another Meltdown), and Intel’s name for the family of flaws, MDS (Microarchitectural Data Sampling).
Researchers from security firms Cyberus, BitDefender, Qihoo360, and Oracle, along with academic researchers from TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven, Worcester Polytechnic Institute, and Saarland University, discovered the flaws and came up with the related exploits. All of the researchers were exploring the same conceptual issues – side-channel vulnerabilities – but found the new family in a different area of the CPU than where the previously identified side-channel vulns, Spectre and Meltdown, operate.
The researchers followed responsible disclosure practices and held on publicly releasing their work – some for as much as a year – while Intel developed firmware to remediate the issues.