Intel Releases Microcode Update for CPUs Affected by Zombieload v2
In May this year, I reported on Petri that Intel CPUs were affected by a new kind of side-channel attack dubbed Zombieload, or a Microarchitectural Data Sampling (MDS) attack as it is officially known. Zombieload, like Spectre and Meltdown before it, relies on speculative execution, a performance optimization feature that speeds up data processing. MDS attacks like Zombieload target a CPU’s microarchitectural data structures in the load, store, and line fill buffers that are used for fast I/O operations.
May’s quality update for Windows 10 included changes to the OS to protect against Zombieload, but full protection also required a microcode (CPU firmware) update. At the time, Microsoft said that the necessary microcode update was included in the OS quality update for some versions of Windows 10 and that the microcode would be made available for all supported versions of Windows 10 as Intel released it.
Zombieload v2 Late for Halloween
Roll forward to November 2019, and researchers have released information about Zombieload v2. It was a previously known vulnerability, but details weren’t disclosed because it has taken until now for Intel to develop the necessary microcode updates. Zombieload v2 works against Intel’s latest CPUs, despite the company claiming that Cascade Lake had protection against this kind of attack integrated into the hardware. Zombieload v2 uses a flaw in Intel’s Transactional Synchronization Extensions (TSX) technology, a flaw Intel calls TSX Asynchronous Abort (TAA), to read data being processed by the CPU.
Because the attack works on any CPU that supports TSX, processors from Haswell through to Intel’s latest are affected. But the good news is that Zombieload v2 is hard to exploit, and it can’t be used to pick out specific data that a CPU is processing, meaning it isn’t an effective way for hackers to steal data.
The researchers who discovered Zombieload v2 also found that the microcode changes Intel issued to protect CPUs against Zombieload v1 could be circumvented. Intel has acknowledged the issue and says that the microcode updates were designed to reduce the attack surface but couldn’t necessarily provide complete protection. Intel says:
We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface. Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates.
Stay Current with Windows and Device Manufacturer Updates
Intel has released a microcode update for Zombieload v2 on its website, but as usual Intel recommends receiving updates from system manufacturers. It’s not clear whether Microsoft has included, or will include, the microcode update as part of a Windows 10 cumulative update, but Microsoft has issued guidance for disabling TSX on CPUs that allow the feature to be disabled. Disabling TSX might be preferable for organizations that don’t want to deal with the performance hit that comes with applying the microcode update. If you are unsure what to do, the best course of action is to make sure that you stay current with Windows updates from Microsoft and firmware and driver updates from your hardware’s manufacturer.