Security News

Intel has fixed a high-severity CPU vulnerability in its modern desktop, server, mobile, and embedded CPUs, including the latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures. "Under certain microarchitectural conditions, Intel has identified cases where execution of an instruction encoded with a redundant REX prefix may result in unpredictable system behavior resulting in a system crash/hang, or, in some limited scenarios, may allow escalation of privilege from CPL3 to CPL0," Intel said.

A new software-based fault injection attack, CacheWarp, can let threat actors hack into AMD SEV-protected virtual machines by targeting memory writes to escalate privileges and gain remote code execution. This new attack exploits flaws in AMD's Secure Encrypted Virtualization-Encrypted State and Secure Encrypted Virtualization-Secure Nested Paging tech designed to protect against malicious hypervisors and reduce the attack surface of VMs by encrypting VM data and blocking attempts to alter it in any way.

A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware. [...]

A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the...

Downfall Vulnerability Affects Millions of Intel CPUs With Strong Data Leak Impact Learn technical details about this newly disclosed security vulnerability, as well as mitigation recommendations from the Google researcher who discovered it. Google researcher Daniel Moghimi discovered a new vulnerability affecting millions of Intel chip models.

AMD processor users, you have another data-leaking vulnerability to deal with: like Zenbleed, this latest hole can be to steal sensitive data from a running vulnerable machine. Inception utilizes a previously disclosed vulnerability alongside a novel kind of transient execution attack, which the researchers refer to as training in transient execution, to leak information from an operating system kernel at a rate of 39 bytes per second on vulnerable hardware.

Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs. "Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers," Daniel Moghimi, senior research scientist at Google, said.

A senior research scientist at Google has devised new CPU attacks to exploit a vulnerability dubbed Downfall that affects multiple Intel microprocessor families and allows stealing passwords, encryption keys, and private data like emails, messages, or banking info from users that share the same computer. Moghimi developed two Downfall attack techniques, Gather Data Sampling - which is also the name Intel uses to refer to the issue and Gather Value Injection - which combines GDS with the Load Value Injection technique disclosed in 2020.

Researchers have discovered a new and powerful transient execution attack called 'Inception' that can leak privileged secrets and data using unprivileged processes on all AMD Zen CPUs, including the latest models. Researchers at ETH Zurich have now combined an older technique named 'Phantom speculation' with a new transient execution attack called 'Training in Transient Execution' to create an even more powerful 'Inception' attack.

A new software-based power side-channel attack called 'Collide+Power' was discovered, impacting almost all CPUs and potentially allowing data to leak. The main concept of Collide+Power is to leak data from measured CPU power consumption values when a data "Collision" between the attacker's dataset and data sent by other applications to overwrite the former happens in CPU cache memory.