Computer bugs: from a moth in the relay to ZombieLoad and beyond

by Marius Marinescu / 9 September

These days, bugs are far more complex than a moth stuck between relay contacts in a computer. In fact, in the past 2-3 years, a new class of bugs (that we now call vulnerabilities) was found directly in Intel processor chips, making them especially hard to detect and get rid of. If exploited, they can be used to steal sensitive information directly from the processor.

The bugs are reminiscent of Meltdown and Spectre from 2018, which exploited a weakness in speculative execution, an important part of how modern processors work. Speculative execution lets a processor predict, to a certain degree, what an application or operating system is likely to need next and in the near future, so the app runs faster and more efficiently. The processor keeps the results of its predictions if they turn out to be needed, or discards them if they're not.


Both Meltdown and Spectre bugs leaked sensitive data stored briefly in the processor, including secrets such as passwords, secret keys and account tokens, and private messages.


Now some of the same researchers are back with an entirely new round of data-leaking bugs. "ZombieLoad", as it's called, is a side-channel attack targeting Intel chips, allowing attackers to exploit design flaws rather than injecting malicious code. Intel said ZombieLoad is made up of four bugs, which the researchers reported to the chip maker in April 2020.


Almost every computer with an Intel chip dating back to 2011 is affected by the vulnerabilities.


ZombieLoad takes its name from a "zombie load", an amount of data that the processor can't understand or properly process, forcing the processor to ask for help from its microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows data to bleed across those boundaries. ZombieLoad will leak any data currently loaded by the processor's core, the researchers said. Intel said patches to the microcode will help clear the processor's buffers, preventing the data from being read.


Practically, the researchers showed in a proof-of-concept video that the flaws could be exploited to see which websites a person is visiting in real time, and the same technique could be repurposed to grab passwords or access tokens used to log into a victim's online accounts.


Like Meltdown and Spectre, it’s not just PCs and laptops that are affected by ZombieLoad – the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.


Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said.


What does this mean for the average user? There’s no need to panic, for one. These are far from drive-by exploits where an attacker can take over your computer in an instant. Researchers said it was “easier than Spectre” but “more difficult than Meltdown” to exploit and both required a specific set of skills and effort to use in an attack.


There are far easier ways to hack into a computer and steal data. But research into speculative execution and side-channel attacks is still in its infancy. As more findings come to light, these data-stealing attacks have the potential to become easier to exploit and more streamlined.


Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips. Intel Kaby Lake, Coffee Lake, Whiskey Lake and Cascade Lake chips are also affected, as well as all Atom and Knights processors.


But other tech giants, like consumer PC and device manufacturers, are also issuing patches as a first line of defense against possible attacks. Computer and operating system makers Apple and Microsoft and browser maker Google have released patches, with other companies expected to follow.


Intel said the latest microcode updates, like previous patches, would have an impact on processor performance. Most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment.


But with patches rolling out for the past few months, there’s no reason to pass on a chance to prevent such an attack.
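To confirm that the microcode and operating-system mitigations described above are actually active on a Linux host, the kernel reports a status line in sysfs; ZombieLoad is the attack the kernel tracks under the "mds" (Microarchitectural Data Sampling) entry. The parser below is an added example, not code from the original post: the sysfs path is the standard kernel one, and the sample status strings are constructed to match the kernel's documented wording.

```python
import os

# Directory where the Linux kernel publishes CPU side-channel mitigation status.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample lines, in the format the kernel writes to the "mds" entry.
SAMPLE_PATCHED = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
SAMPLE_NO_UCODE = "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n"
SAMPLE_NOT_AFFECTED = "Not affected\n"


def classify_mds(status: str) -> dict:
    """Turn one kernel 'mds' status line into a structured verdict."""
    line = status.strip()
    verdict = {"raw": line, "mitigated": False, "smt": None, "reason": ""}
    if line == "Not affected":
        verdict["mitigated"] = True
        verdict["reason"] = "CPU not affected by MDS"
        return verdict
    head, _, smt = line.partition(";")
    head = head.strip()
    if head.startswith("Mitigation:"):
        # Kernel is flushing CPU buffers on privilege transitions; microcode present.
        verdict["mitigated"] = True
        verdict["reason"] = head.split(":", 1)[1].strip()
    elif head.startswith("Vulnerable"):
        # Either no mitigation at all, or the kernel tried but the microcode is missing.
        verdict["reason"] = head.partition(":")[2].strip() or "no mitigation"
    smt = smt.strip()
    if smt.startswith("SMT"):
        # "SMT vulnerable" means a sibling hyperthread on the same core can still
        # sample the buffers; the kernel reports it separately from the flush status.
        verdict["smt"] = smt[3:].strip().lower()
    return verdict


def read_mds_status(path: str = VULN_DIR) -> dict:
    """Read and classify the live 'mds' entry on this host (Linux only)."""
    with open(os.path.join(path, "mds")) as fh:
        return classify_mds(fh.read())


if __name__ == "__main__":
    for sample in (SAMPLE_PATCHED, SAMPLE_NO_UCODE, SAMPLE_NOT_AFFECTED):
        print(classify_mds(sample))
```

A "Mitigation" verdict with "SMT vulnerable" still leaves cross-hyperthread leakage; the kernel's own documentation describes disabling SMT as the remaining step for hosts that need full isolation.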