Security News

Intel is warning of a high-severity flaw in the firmware of its converged security and management engine, which if exploited could allow privilege escalation, denial of service and information disclosure. Another critical flaw discovered in May could allow an authenticated user to enable escalation of privilege over network access in CSME. Overall, Intel patched six flaws on Tuesday, including the high-severity flaw in CSME. The remainder of the vulnerabilities were medium and low-severity.

Forget the infamous Meltdown and Spectre chip flaws from 2018, the problem that's tying down Intel's patching team these days is a more recent class of side channel vulnerabilities known collectively as ZombieLoad. These relate to a data leakage problem called Microarchitectural Data Sampling affecting Intel's speculative execution technology introduced in the late 1990s to improve chip performance. ZombieLoad was originally made public by researchers last May as part of a triplet of hypothetical issues which included two others, Fallout and Rogue In-Flight Data Load, affecting post-2011 Intel processors.

Researchers have identified a new speculative execution type attack, dubbed CacheOut, that could allow attackers to trigger data leaks from most Intel CPUs. The more serious of the two CacheOut bugs, tracked as CVE-2020-0549, is a CPU vulnerability that allows an attacker to target data stored within the OS kernel, co-resident virtual machines and even within Intel's Software Guard Extensions enclave, a trusted execution environment on Intel processors.

Intel on Monday issued a processor data leakage advisory, describing two chip architecture flaws, one of which it tried to fix twice before. Intel's microcode fix involved using the VERW instruction and the L1D FLUSH command to overwrite the store buffer value, to prevent buffer data from being read. But Intel's initial fix in May failed.

Intel on Monday informed customers that researchers have identified yet another speculative execution attack method that can be launched against systems that use its processors. The disclosure of the Meltdown and Spectre vulnerabilities back in January 2018 paved the way for the discovery of several speculative execution side-channel attack methods impacting modern processors.

If your computer is running any modern Intel CPU built before October 2018, it's likely vulnerable to a newly discovered hardware issue that could allow attackers to leak sensitive data from the OS kernel, co-resident virtual machines, and even from Intel's secured SGX enclave. Dubbed CacheOut a.k.a. L1 Data Eviction Sampling and assigned CVE-2020-0549, the new microarchitectural attack allows an attacker to choose which data to leak from the CPU's L1 Cache, unlike previously demonstrated MDS attacks where attackers need to wait for the targeted data to be available.

Intel is warning of a high-severity vulnerability in its performance analysis tool called Intel VTune Profiler. "Improper access control in driver for Intel VTune Amplifier for Windows before update 8 may allow an authenticated user to potentially enable escalation of privilege via local access," according to an Intel security update.

Ping An Insurance announced that Ping An Technology and Intel signed a strategic collaboration agreement in Shenzhen, China. The two companies plan to establish a joint laboratory, cooperate on products and technology, and form a joint project team in areas of high-performance computing, including storage, network, cloud, artificial intelligence and security.

A gentle guide to enclaves and trusted execution environments Sponsored Data and code are the lifeblood of digital organisations, and increasingly these are shared with others in order to achieve...

A vulnerability Intel has addressed in the Rapid Storage Technology (RST) could allow a local user to escalate privileges to System. Intel RST is a Windows-based application that is provided with...