Microsoft also warns of ‘wormable’ RDP flaw in latest Patch Tuesday update

Almost every Intel processor produced since 2011 is vulnerable to a new microprocessor vulnerability, dubbed ZombieLoad.

ZombieLoad creates a means for attackers to steal sensitive information from processor memory, making it comparable to the infamous Spectre vulnerability of January 2018.

Mitigation involves applying patches from operating system vendors alongside firmware updates from hardware manufacturers.

The flaw had the potential to affect cloud-based environments. Fortunately, AWS, Microsoft Azure, and GCP have all already hardened their infrastructures.

The vulnerability was discovered by Michael Schwarz, Moritz Lipp, Daniel Gruss of Graz University of Technology, and Jo Van Bulck, from imec-DistriNet, KU Leuven.

Schwarz described ZombieLoad as a new “Meltdown attack on Intel CPUs leaking data which is currently loaded from memory – across programs, hyperthreads, SGX, and VMs [virtual machines]”.

Whether applying updates will incur a performance hit is unclear but “probable”, according to Gruss, one of the researchers who uncovered the flaw. In response to a request to comment on the vulnerability, Intel told The Daily Swig that it had the issue under control.

“Microarchitectural Data Sampling (MDS) is already addressed at the hardware level in many of our recent 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family,” it said.

“For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today.

“We’ve provided more information on our website and continue to encourage everyone to keep their systems up to date, as it’s one of the best ways to stay protected. We’d like to extend our thanks to the researchers who worked with us and our industry partners for their contributions to the coordinated disclosure of these issues.”

Intel has published a table outlining hardware mitigations as well as a guide for software developers.
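As an added illustration of the patch-plus-microcode point made above (example code, not from the article, Intel or Microsoft), the POSIX shell snippet below classifies the MDS status line that a patched Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/mds, distinguishing a missing kernel patch from missing microcode and from the hyperthreading-only residual risk. The status strings are assumed to follow the kernel's MDS documentation, and the sample lines in mds_demo are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's MDS (ZombieLoad) status line.
# Assumption: the sysfs path and status wording follow the kernel's MDS docs.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Map one status line to a single word: ok, partial, no-microcode,
# vulnerable or unknown. "partial" means the kernel mitigation is active but
# sibling hyperthreads can still leak (the "across hyperthreads" case), so
# the SMT policy for that host still needs a decision.
mds_classify() {
    case "$1" in
        "Not affected")                         echo ok ;;
        Mitigation:*"SMT vulnerable"*)          echo partial ;;
        Mitigation:*"SMT Host state unknown"*)  echo partial ;;
        Mitigation:*)                           echo ok ;;
        Vulnerable:*"no microcode"*)            echo no-microcode ;;  # OS patched, firmware side missing
        Vulnerable*)                            echo vulnerable ;;
        *)                                      echo unknown ;;
    esac
}

# Read the status file (defaults to the sysfs path) and classify it.
# A missing file means the running kernel predates the MDS patches, i.e.
# the operating-system half of the mitigation is absent: report and return 1.
mds_check_file() {
    file="${1:-$MDS_SYSFS}"
    if [ ! -r "$file" ]; then
        echo "kernel-unpatched"
        return 1
    fi
    status=""
    IFS= read -r status < "$file" || true
    mds_classify "$status"
}

# Walk a few constructed status lines through the classifier.
mds_demo() {
    printf '%s\n' \
        "Not affected" \
        "Mitigation: Clear CPU buffers; SMT vulnerable" \
        "Mitigation: Clear CPU buffers; SMT disabled" \
        "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
        "Vulnerable" |
    while IFS= read -r line; do
        printf '%-72s -> %s\n' "$line" "$(mds_classify "$line")"
    done
}
```

Calling `mds_check_file` with no argument on a live host reports the real status; `mds_demo` runs the constructed samples offline.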

RDP peril

Microsoft’s update to address ZombieLoad arrived as part of the latest Patch Tuesday, a bumper edition that collectively tackles 79 vulnerabilities.

The patch batch tackles a total of 23 critical vulnerabilities, one of which is under active attack in the wild and therefore ought to be treated as a priority for security triage.

CVE-2019-0863, a vulnerability in the way Windows Error Reporting (WER) handles files that can be abused for privilege escalation, is the one currently being exploited.

A remote code execution vulnerability in Windows Remote Desktop Services (CVE-2019-0708) likely presents an even greater threat. The flaw – which affects Windows 7 and Windows Server 2008 – creates a means to remotely push malware onto vulnerable systems without authentication.

The CVSS V3 score for this vulnerability is 9.8, close to the maximum possible of 10.

To exploit the vulnerability, an attacker would connect to the target system using RDP and send specially crafted requests.

Microsoft warns that the vulnerability could lend itself to exploitation by a worm akin to the infamous WannaCry malware, and is going out of its way to urge sysadmins to apply the CVE-2019-0708 patch.

Another remote code execution vulnerability in the batch, affecting GDI+ (the Windows Graphics Device Interface), could be triggered if attackers trick their intended victims into opening booby-trapped emails or instant messages.

Microsoft's rundown of advisories in May’s edition of Patch Tuesday covers these and other bugs in more detail.

