Security News

Intel on Tuesday issued an out-of-band security update to address a privilege escalation vulnerability in recent server and personal computer chips. The flaw, designated INTEL-SA-00950 and given a CVSS 3.0 score of 8.8 out of 10, affects Intel Sapphire Rapids, Alder Lake, and Raptor Lake chip families.

Intel has been sued by a handful of PC buyers who claim the x86 goliath failed to act when informed five years ago about faulty chip instructions that allowed the recent Downfall vulnerability, and during that period sold billions of insecure chips. The lawsuit [PDF], filed on behalf of five plaintiffs in a US federal court in San Jose, California, claims Intel knew about the susceptibility of its AVX instruction set to side-channel attacks since 2018, but didn't fix the defect until the disclosure of the Downfall hole this year, leaving affected computer buyers with no other option than to apply a patch that slows performance by as much as 50 percent.

Unlike other CPU fuzzers, Cascade can construct long random programs that manage the control flow during execution. What separates Cascade from similar tools is that it relies on a technique called asymmetric ISA pre-simulation.

The implication, made explicit by the thesis index that references the footnote as "Cavium CPU backdoor," is that Cavium secretly compromised some of its chips to accommodate US intelligence efforts, providing a way for snoops to somehow access devices powered by those semiconductors. "Marvell places the highest priority on the security of its products," a spokesperson told The Register.

AMD has started issuing some patches for its processors affected by a serious silicon-level bug dubbed Zenbleed that can be exploited by rogue users and malware to steal passwords, cryptographic keys, and other secrets from software running on a vulnerable system. Exploiting Zenbleed involves abusing speculative execution, though unlike the related Spectre family of design flaws, the bug is pretty easy to exploit.

Cold boot attacks, in which memory chips can be chilled and data including encryption keys plundered, were demonstrated way back in 2008 - but they just got automated. The presentation focuses on a Cryo-Mechanical RAM Content Extraction Robot that Cui and colleagues Grant Skipper and Yuanzhe Wu developed to collect decrypted data from DDR3 memory modules.

China has banned U.S. chip maker Micron from selling its products to Chinese companies working on key infrastructure projects, citing national security risks. The development comes nearly two months after the country's cybersecurity authority initiated a probe in late March 2023 to assess potential network security risks.

Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction. The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.

Blocked by the British government from acquiring Newport Wafer Fab - Britain's largest chip factory - Nexperia has solicited the help of US law firm Akin Gump in the hopes of overturning the ban. Nexperia is a Netherlands-based company that was acquired in 2018 by China-based Wingtech Technology.

Attempts to reorganize supply chains to cut out China and foil its attempts to build a high-tech chip industry will be costly and may simply cause the Middle Kingdom to redouble its efforts, says memory maker Kioxia. Flores said China would likely retaliate against the recently announced US export controls by ramping up domestic investment in NAND as a long-term solution to its chip supply issues.