Intel has disclosed security vulnerabilities in its processors related to speculative functionality for the third time in less than a year.
“Today we released INTEL-SA-00329, Intel Processors Data Leakage Advisory concerning two vulnerabilities that were publicly disclosed by researchers,” said Intel.
“As part of our commitment to transparency, the advisory has been released before our planned mitigations can be made available and we expect to release mitigations through our normal Intel Platform Update (IPU) process in the near future.”
These microarchitectural data sampling (MDS) flaws – also known as Zombieload flaws – are not as far-reaching as the previous two, Intel explained.
For example, the more severe of the two vulnerabilities – L1DES – has “little to no impact in virtual environments that have applied L1 Terminal Fault mitigations”.
Intel said it was not aware of these flaws being used for malicious purposes in the wild.
Criticism of Intel
The security researchers who discovered these issues have criticised Intel for not addressing them sooner despite the fact that they were brought to Intel’s attention months in advance.
One issue, which would evolve into the L1DES vulnerability, was purposefully omitted from the researchers’ paper in May 2019 as Intel had not yet mitigated the issue.
“Since then, we spent months trying to convince Intel that leaks from L1D evictions were possible and needed to be addressed,” said the researchers.
“We reiterate that RIDL-class vulnerabilities are non-trivial to fix or mitigate, and current ‘spot’ mitigation strategies for resolving these issues are questionable.”