New week, new punching bag: this time, Intel returns to the spotlight with yet another flaw in its CPUs, up to and including the most recent 9th generation processors as well as going back as far as ones produced in 2008. This week has been absolutely bananas for technology issues so I’m going to keep the literary gymnastics to a minimum. Truth be told, I’m still trying to wrap my head around the technical details of this latest exploit, but here’s a simplified explanation of what I understand so far.
What this means for you: apply updates and stay patched!
Two independent groups of researchers as well as Intel themselves have been quietly working on identifying a new, serious exploit in how Intel CPUs operate. Unlike typical security flaws that can be patched with software, vulnerabilities like this one, dubbed RIDL, Fallout, or MDS (depending on who you talk to) are a result of how the CPU was designed to operate. This new flaw, along side the two previously announced Spectre (2017) and Fallout (2018) vulnerabilities, fall into a class of exploits that are based on a core design of Intel architecture originally built to help computers run faster. Put as simply, predictive processing guesses what the CPU is going to be asked to do next and have the necessary code or data already loaded into nearby caches. Previous exploits looked at the predictions, and the latest basically looks at the guesses that turned out to be wrong or unused. Each discarded guess only contains a few bytes of data, but given a focused attack repeated thousands or millions of times, the leaked data can eventually be amassed into a significant security breach.
Interestingly enough, Intel has known about this particular flaw for an undisclosed amount of time, and has already been working with major industry players like Microsoft, Google, Apple and the usual Windows PC manufacturers to patch or mitigate the vulnerability, which may or may not already be applied to your equipment. At this point, unless you really like reading technical bulletins like this one, I’d recommend paying close attention to update notifications from your computer’s manufacturer as well as applying security patches to your various devices, regardless of their business or personal focus. As with the previous two vulnerabilities, Intel and manufacturers are being cagey about pointing out exactly which updates might be addressing this particular issue, or even if they’ve already been fixed (as many manufacturers will assert), and Intel itself is downplaying the severity of the flaw, despite differing opinions from the independent research groups. Intel discounts the severity based upon the relative sophistication required to exploit the flaw, but researchers rightly point out that though the flaw may be hard to exploit, the data it exposes is highly sensitive and previously thought completely secure.