For the third time in a year, Intel is preparing to release a patch to address two microarchitectural data sampling (MDS) flaws, also known as ZombieLoad flaws.
According to the company’s blog post, of these two new issues, one is considered low risk and the other medium. Both of them require authenticated local access, meaning a hacker should not be able to remotely exploit these flaws. These new issues are closely related to issues that were addressed in May and November 2019, as Intel has worked to progressively reduce the MDS vulnerability.
“These issues are closely related to INTEL-SA-00233, released in November 2019, which addressed an issue called Transactional Synchronization Extensions (TSX) Asynchronous Abort, or TAA,” writes Jerry Bryant, Director of security communication in the Intel Platform Assurance and Security group. “At the time, we confirmed the possibility that some amount of data could still potentially be inferred through a side-channel and would be addressed in future microcode updates.
“Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues. We continue to conduct research in this area – internally, and in conjunction with the external research community.”
Intel has faced intense criticism from security researchers for its decision to address these vulnerabilities in phases, rather than taking an immediate, comprehensive approach to fixing them.
In the meantime, the latest patch should be available “in the near future.”