A new class of security vulnerabilities affect Intel processors, which can cause them to leak out sensitive information if probed in a certain way, but that's not the worst news for Intel and its users. The software- or firmware-level mitigation for this vulnerability can inflict performance reductions "ranging from 2x to 19x," according to a report by The Register. A full mitigation for the new Load Value Injection (LVI) class of vulnerabilities requires Intel to redesign software compilers. The vulnerability is chronicled under CVE-2020-0551 and Intel-SA-00334. It is not a remote code execution threat, however, it puts multi-tenant machines, such as physical servers handling multiple tenants via virtual servers.

"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the reasearchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel. The company could publish its findings in February. Additional technical details are found in the group's website here.Many Thanks to biffzinker for the tip.

AMD in its technical brief revealed that its Zen 2 microarchitecture has hardware mitigation against the Spectre V4 speculative store bypass vulnerability. The current generation "Zen" and "Zen+" microarchitectures have OS-level mitigation. A hardware mitigation typically has less of a performance overhead than a software mitigation deployed at the OS or firmware level. In addition, just like older generations of "Zen," the new "Zen 2" microarchitecture is inherently immune to Meltdown, Foreshadow, Spectre V3a, Lazy FPU, Spoiler, and the recently discovered MDS vulnerability. In comparison, the 9th generation Core "Coffee Lake Refresh" processors still rely on software or microcode-level mitigation for Spectre V4, Spectre V3a, MDS, and RIDL.

ASUS is aware that a new sub-class of speculative execution side-channel vulnerabilities in Intel CPUs, called Microarchitectural Data Sampling (MDS), also known as ZombieLoad, RIDL, and Fallout, may allow information disclosure. Intel states that selected 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family, are not vulnerable to MDS. If you are using one of these processors, no further action is necessary.

For other Intel processors, ASUS is working closely with Intel to provide a solution in a forthcoming BIOS update. We recommend owners of affected products update both the BIOS and operating system as soon as these mitigations are available. Please find our first-wave model list below and download the appropriate BIOS update from the ASUS Support website. More details, including affected systems, will be added to this document as they become available.

Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into a NDA (non-disclosure agreement) with Intel, to not disclose their findings or communicate in the regard with any other person or entity than with certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information of vulnerabilities becoming public before it's had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.Update: (17/05): An Intel spokesperson commented on this story.

AMD in a statement confirmed that its processors are unaffected by the RIDL (Rogue In-Flight Data Load) and Fallout vulnerabilities. The company however worded its statement in CYA language, just to be safe. "...we believe our products are not susceptible to 'Fallout' or 'RIDL' because of the hardware protection checks in our architecture. We have not been able to demonstrate these exploits on AMD products and are unaware of others having done so," reads the AMD statement put out late Tuesday (14th May).

AMD came to these conclusions on the basis of its own testing and discussions with the researchers who discovered RIDL. It's important to note here, that the "Fallout" vulnerability AMD is referring to in this statement is the one which is part of four MDS vulnerabilities Intel disclosed yesterday, and not the identically named "Fallout" vulnerability discovered by CTS Labs in 2018, allegedly affecting secure memory management of AMD "Zen" processors.

Ouch doesn't even begin to describe how much that headline hurt. As far as speculative execution goes, it's been well covered by now, but here's a refresher. Speculative execution essentially means that your CPU tries to think ahead of time on what data may or may not be needed, and processes it before it knows it's needed. The objective is to take advantage of concurrency in the CPU design, keeping processing units that would otherwise be left idle to process and deliver results on the off-chance that they are indeed required by the system: and when they are called for, the CPU saves time by not having to process them on the fly and already having them available.

The flaws have been announced by Intel in coordination with Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle. While some of the parties involved have named the four identified flaws with names such as "ZombieLoad", "Fallout", and RIDL, or "Rogue In-Flight Data Load", Intel is using the PEGI-13 "Microarchitectural Data Sampling (MDS)" name.