The flaw, referred to generally as Microarchitectural Data Sampling (MDS) or “ZombieLoad,” can affect any operating system running on Intel processors. That includes Windows, Apple’s macOS, and Google's Chrome OS. All of those companies have released advisories or patches addressing the problem.
Similar to last year’s Spectre and Meltdown vulnerabilities that affected Intel chips, the flaw is a so-called "speculative execution side channel" vulnerability.
The upshot is, sensitive user information such as browser history, website content, user keys, passwords, and disk encryption keys, could be pilfered, says Zombieloadattack, a website hosted by Graz University of Technology, one of the organizations that spotted the vulnerability.
“This vulnerability represents a scary reality… Cyber attackers are exploiting the identities of machines to obtain sensitive data,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told Fox News in a statement.
Digital keys and certificates are especially at risk, according to Bocek. These “are all incredibly valuable targets and chip vulnerabilities make it possible for attackers to make off with these critical security assets when running on nearby cloud and virtual machines,” he said, referring to the fact that the flaw also affects systems in the cloud.
Intel says not to worry -- yet
“There are no know exploits of MDS outside of a research environment…and doing so successfully in the real world is a complex undertaking,” Bryan Jorgensen, Intel's senior director of product assurance and security, said in a video statement.
“Even so, Intel has released microcode updates to help address this potential risk. These updates…are being delivered through firmware updates from your system manufacturer,” he said, referring to software that controls specific hardware on a computer.
Jorgensen did caution however that “with a large enough data sample, time, or control of the target system’s behavior…MDS might provide an attacker with ways to glimpse pieces of information that they shouldn’t be able to see,” he said.
Intel says the MDS vulnerability is addressed in hardware starting with “select” 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family.
“We expect all future Intel processors to include hardware mitigations addressing these vulnerabilities,” Intel said in a statement on its website.
As noted above, for products where MDS is not addressed in hardware, Intel is releasing processor microcode updates (MCU) as part of a regular update process with computer manufacturers. These are done in tandem with operating system updates.
Jorgensen said Intel was the first to find the vulnerabilities.
Antivirus software won't work
Don’t count on antivirus software to detect or block an attack.
“While possible in theory, this is unlikely in practice,” said CPU.fail, a site also hosted by Graz University of Technology.
“However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known,” the site said.