More signal. Less noise.

Daily briefing.

May 15, 2019

Another set of speculative execution flaws similar to Spectre and Meltdown has been found in Intel chips. As VentureBeat explains, the four vulnerabilities (which Intel calls "Microarchitectural Data Sampling" issues, and others "ZombieLoad") enable sidechannel attacks. Researchers at the Vrije Universiteit Amsterdam identified the three Rogue In-Flight Data Load issues. The remaining MDS problem, "Fallout," was discovered by an international team drawn from the University of Michigan, Worcester Polytechnic Institute, Graz University of Technology, KU Leuven, the University of Adelaide, and Data61.

Siemens, Apple, Adobe, and Microsoft all patched yesterday. Apple's patches addressed, among other things, the ZombieLoad sidechannel vulnerability in its products' Intel chips. Cupertino wasn't alone in working on ZombieLoad. As TechCrunch reports, Amazon, Google, Mozilla, and Microsoft also took on the speculative execution flaw. Intel itself has released a set of mitigations for the vulnerability. Fixes for ZombieLoad are thought likely to degrade CPU performance by twenty to forty percent.

Microsoft released sixteen updates in total, resolving seventy-nine distinct vulnerabilities. One involved a bug that could be exploited by a WannaCry-like worm, and Redmond drew particular attention to this issue. It was judged serious enough that Microsoft patched beyond end-of-life software including Windows XP and Windows 2003. Although no longer supported, both remain in wide use.

Siemens addressed issues in its industrial control systems, and Adobe fixed problems with several products, including Acrobat and Reader.

Endpoint protection shop CrowdStrike has filed for its long-expected initial public offering. The company's S-1 reached the Securities and Exchange Commission yesterday.