A group of university researchers reported ZombieLoad 2 attack on Intel's newer line of CPUs. The other team of researchers found two CPU vulnerabilities in the TPM chips manufactured by STMicroelectronics or firmware-based Intel TPMs.
In the headlines
A group of university researchers, who also helped uncover the infamous Spectre and Meltdown flaws, reported a new variant of ZombieLoad that exploits the Transactional Synchronization Extensions (TSX) Asynchronous Abort operation in Intel processors. Dubbed as CVE-2019-11135, ZombieLoad v2 works against older as well as recent Intel processors including Cascade Lake as per an advisory released by Intel. The first variant of ZombieLoad was discovered earlier this year in May.
Meanwhile, another team of cybersecurity researchers have recently disclosed the details of two severe CPU vulnerabilities:
These two flaws are together referred to as TPM-Fail vulnerabilities. It allows attackers to retrieve cryptographic keys protected inside Trusted Platform Module (TPM) chips which are part of many modern processors. The research team has also published a proof-of-concept exploit on Github. The affected chips are deployed in billions of devices including desktops, laptops, smartphones, servers, and Internet-of-Things (IoT) devices.
Threat potential of new findings
ZombieLoad v2, just like the Spectre and Meltdown, exploits the speculative execution technique modern microprocessors use to speed up their operation.
The TPM-Fail vulnerabilities, on the other side, can be exploited by an adversary to leverage a timing-based side-channel attack to recover cryptographic keys.
Patch Tuesday patched it all
As per Intel, the ZombieLoad v2 vulnerability (which Intel tracks as "TAA attack" in its own documentation) is not as threatening as claimed by the researchers.
Microsoft has provided customers with guidance to disable the Intel TSX capability on systems featuring vulnerable Intel processors to block potential ZombieLoad 2 attacks.
Article Updated on November 14 to mention guidance issued by Microsoft.