Intel 'Zombieload' Chip Flaw Lets Hackers Steal Secrets




Intel disclosed a new secret-leaking chip security flaw called Zombieload this week, which uses an attack similar to the one used in the Meltdown and Spectre exploits that were disclosed last year.

While Intel classified the threat as "medium," security researchers have said Zombieload is far more serious. The vulnerability affects almost every Intel computer chip since 2011 and highlights how hackers could succeed against Intel's computer chips.

"On a scale of 1 to 10, this is '10' serious," says Robert Siciliano, CEO of Safr.me.

The Zombieload attack takes advantage of a design flaw in most Intel chips, allowing hackers to grab any data that has been accessed by the processor. The name is a reference to a "zombie load" in a computer processor.

The bug was discovered by the same researchers at the Netherlands' University and Graz University of Technology who found the Meltdown and Spectre vulnerabilities last year, which affected chips made by Intel, AMD, and others. These bugs leaked personal information that was stored on computer processors. They took advantage of speculative execution, a process that helps modern processors anticipate what an app or operating system might need next, in order to run most efficiently.

"Hardware flaws by their nature are very serious," says Siciliano. While Zombieload should not be downplayed, he adds, it's unlikely to be used in the wild.

"This particular one would require the hackers to have perfect conditions in order to exploit it," Siciliano says. Microsoft, Apple, and Google have released patches. However, since it's a hardware exploit, he adds, the problem will never be completely eliminated.

Zombieload has also pointed out that they are responsible for the prevention of PR nightmare. The researchers shared their views with Intel Intel may not disclose the bug in May, according to an interview with NRC's Dutch outlet.

The flaw was rated at 6.5 on a 10 point scale by Intel, putting it on a "medium" threat level, an assessment that left the researchers concerned the chipmaker was downplaying the severity of the flaw, perhaps to attract less attention for paying a big bug bounty. Intel's bug bounty program pays $100,000 for the most severe threats. At a medium level, Intel's bug bounty program guidelines suggest a payment of $5,000.

The researchers say they were offered a $40,000 bounty and an $80,000 gift, which they turned down. When asked for comment, Intel referred Fortune back to its bug bounty program requirements, eligibility, and award schedule.

Casey Ellis, founder and chief technology officer at Bugcrowd, a platform that connects companies with ethical hackers, says Meltdown, Spectre, and Zombieload have placed Intel in the difficult position of figuring out the best way to respond to hardware-related security threats.

"In this case, we are talking about issues that are being addressed in silicon chips that are in laptops and mobile phones," he says. "The ability to get rid of this problem is understandably more complicated."

Typically, after security researchers have found a bug, it is usually in the company of a safe haven to get rid of them. "Disclosure issues are a double-edged sword. They can defend themselves …" says Ellis. "All of those risk factors have been rolled out by Intel has responded to it."

While the attacks are complex, they also highlight the growing concern that hackers may be able to discover new technologies that have been previously blinded to. That makes it crucial that white hat hackers continue to test away, Ellis says.

"All of these issues were discovered by independent researchers. It was not an intense quality assurance process [at Intel] or their internal security team," he says. "It was people in the world who got curious to test where the limits are."