CyberWarfare / ExoWarfare

Intel MDS Vulnerabilities: ZombieLoad, RIDL (Rogue In-Flight Data Load), Fallout, and Store-to-Leak Forwarding – affect almost every Intel chip since 2011

Tech giants have published security advisories and blog posts in response to the Microarchitectural Data Sampling (MDS) vulnerabilities affecting most Intel processors made in the last decade.

Remedy? The microcode updates, like previous patches, would have an impact on processor performance.

The vulnerabilities are related to speculative execution and they can be exploited for side-channel attacks. Researchers started reporting the flaws to Intel in June 2018, but the chip maker said its own researchers found them first. Nevertheless, in addition to its own employees, Intel has credited researchers from several universities and companies for the security holes.

Researchers named the new attack methods

  • ZombieLoad
  • RIDL (Rogue In-Flight Data Load)
  • Fallout
  • Store-to-Leak Forwarding.

Intel has assigned them the following names and CVEs:

  • Microarchitectural Fill Buffer Data Sampling (MFBDS, CVE-2018-12130)
  • Microarchitectural Store Buffer Data Sampling (MSBDS, CVE-2018-12126)
  • Microarchitectural Load Port Data Sampling (MLPDS, CVE-2018-12127)
  • Microarchitectural Data Sampling Uncacheable Memory (MDSUM, CVE-2018-11091)

The attack methods pose a threat to both PCs and cloud environments, and they allow hackers to get applications, the operating system, virtual machines and trusted execution environments to leak information, including passwords, website content, disk encryption keys and browser history. Attacks can be launched both by a piece of malware present on the targeted system and from the internet.

However, Intel says exploitation in a real-world attack is not an easy task and the attacker may not be able to obtain valuable information even if the exploit is successful.

The products of several major tech companies are impacted by the flaws and most of them have already published blog posts and advisories providing information on their impact and the availability of patches and mitigations.


Intel says its newer products, such as some 8th and 9th generation Core processors and 2nd generation Xeon Scalable processors, address these vulnerabilities at hardware level. Some of the other affected products have received or will receive microcode updates that should mitigate the flaws. The company has published a technical deep dive and a list that users can check to see if their processors will receive microcode updates.

Intel says the mitigations should have minimal performance impact for a majority of PCs, but performance may be impacted in the case of data center workloads.

Disabling hyper-threading on vulnerable CPUs should prevent exploitation of the vulnerabilities.


Apple informed customers that macOS Mojave 10.14.5 and Security Update 2019-003 for Sierra and High Sierra include the option to enable full mitigation for the MDS attacks. Mojave 10.14.5 also includes a Safari update that should prevent exploitation from the internet.


Microsoft has started releasing software updates for Windows and deployed server-side fixes to its cloud services to mitigate the vulnerabilities. The company has pointed out that in addition to software updates, firmware updates are also required for full protection against attacks.

Microsoft has also released a PowerShell script that users can run on their systems to check the status of speculative execution mitigations.


Google has made available a page where users are informed about the actions they need to take depending on the products they have. The internet giant says its infrastructure, G Suite, and Google Cloud Platform products and services are protected against attacks, but some cloud users may need to take action.

The company says a vast majority of Android devices are not impacted. In the case of Chrome OS devices, Google has disabled hyper-threading by default starting with version 74 and additional mitigations will be available in Chrome OS 75.


VMware told users that the vulnerabilities impact its VMware vCenter Server
, vSphere ESXi, Workstation, Fusion, vCloud Usage Meter, Identity Manager, vCenter Server, vSphere Data Protection, vSphere Integrated Containers, and vRealize Automation products.

The company provides hypervisor-specific mitigations and hypervisor-assisted guest mitigations for the impacted products. These mitigations involve software updates and patches from VMware.

VMware pointed out that exploitation of the flaws requires local access to the targeted virtual machine and the ability to execute code.


IBM says it’s rolling out the microcode updates from Intel and mitigations to its cloud services. The company told users that its POWER processors are not impacted by the MDS vulnerabilities.


Citrix says full mitigation of the Intel chip vulnerabilities involves updates to the Citrix hypervisor and updates to the CPU microcode. The company has released a hotfix for XenServer 7.1, which includes both hypervisor and CPU microcode updates, and it plans on releasing similar hotfixes for other affected products.


A blog post from Oracle describes the impact of the flaws on the company’s hardware, operating systems, and cloud services. X86-based systems need to be assessed by their administrators and Oracle Engineered Systems customers will receive specific guidance from the company.

Oracle SPARC servers and Solaris on SPARC are not impacted, but Solaris on x86 systems is affected. Patches have been released by Oracle for Oracle Linux and VM Server products.


Amazon Web Services (AWS) said on Tuesday that it had deployed protections for MDS attacks to all its infrastructure and no action is required from users. The company has released updated kernels and microcode packages for Amazon Linux AMI 2018.3 and Amazon Linux 2.

Xen Project

The Xen Project says systems running all versions of Xen are affected by the vulnerabilities if they use x86 Intel processors.

Linux distributions

Advisories for the MDS vulnerabilities in Intel processors have been published by Linux kernel developers, Red Hat, Debian, Ubuntu and SUSE. Linux distributions have already started rolling out updates that should mitigate the flaws.

Hardware manufacturers

Many hardware manufacturers whose products use Intel processors are likely affected by the ZombieLoad and RIDL vulnerabilities. However, so far, only Lenovo and HP appear to have started releasing firmware patches for their devices.




New secret-spilling flaw affects almost every Intel chip since 2011

Security researchers have found a new class of vulnerabilities in Intel chips which, if exploited, can be used to steal sensitive information directly from the processor.,

The bugs are reminiscent of Meltdown and Spectre, which exploited a weakness in speculative execution, an important part of how modern processors work. Speculative execution helps processors predict to a certain degree what an application or operating system might need next and in the near-future, making the app run faster and more efficient. The processor will execute its predictions if they’re needed, or discard them if they’re not.

Both Meltdown and Spectre leaked sensitive data stored briefly in the processor, including secrets — such as passwords, secret keys and account tokens, and private messages.

Now some of the same researchers are back with an entirely new round of data-leaking bugs.

“ZombieLoad,” as it’s called, is a side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. Intel said ZombieLoad is made up of four bugs, which the researchers reported to the chip maker just a month ago.

Almost every computer with an Intel chips dating back to 2011 are affected by the vulnerabilities. AMD and ARM chips are not said to be vulnerable like earlier side-channel attacks.

ZombieLoad takes its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.

Practically, the researchers showed in a proof-of-concept video that the flaws could be exploited to see which websites a person is visiting in real-time, but could be easily repurposed to grab passwords or access tokens used to log into a victim’s online accounts.

Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.

Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware.

Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said.

What does this mean for the average user? There’s no need to panic, for one.

These are far from drive-by exploits where an attacker can take over your computer in an instant. Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack.

But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.

There are far easier ways to hack into a computer and steal data. But the focus of the research into speculative execution and side channel attacks remains in its infancy. As more findings come to light, the data-stealing attacks have the potential to become easier to exploit and more streamlined.

But as with any vulnerability where patches are available, install them.

Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips. Intel Kaby Lake, Coffee Lake, Whiskey Lake and Cascade Lake chips are also affected, as well as all Atom and Knights processors.

But other tech giants, like consumer PC and device manufacturers, are also issuing patches as a first line of defense against possible attacks.

Computer makers Apple and Microsoft and browser makers Google have released patches, with other companies expected to follow.

In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios.

And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user.

But with patches rolling out today, there’s no reason to pass on a chance to prevent such an attack in any eventuality.