Security researchers who played a role in uncovering the Spectre and Meltdown attacks that targeted microprocessors revealed on Tuesday a new vulnerability in Intel chips which they claim the company failed to address after it was first alerted a year ago.
While Intel has said it’s received no reports of real-world exploits linked to this particular flaw, the potential risk to users is nevertheless significant and serves as the latest example of chip manufacturers struggling with security.
According to the research, the attack is a variant of Zombieload, which targets a class of vulnerabilities Intel calls Microarchitectural Data Sampling (MDS). The attacks have also been referred to as RIDL, or Rogue In-Flight Data Load.
Such attacks may permit a malicious hacker to force a microprocessor to leak potentially sensitive information temporarily stored in its data buffer.
Researchers at Vrije Universiteit in Amsterdam, KU Leuven in Belgium, the German Helmholtz Centre for Information Security, and the Graz University of Technology in Austria collectively disclosed the bug, according to Wired.
Wired’s Andy Greenberg reported that while Intel initially addressed the MDS issues in May it had been warned by Vrije Universiteit of additional, unmitigated issues. The researchers reportedly stayed quiet, at Intel’s request, for fear of informing criminals about the vulnerabilities before they could be addressed.
The researchers also told Greenberg—who speculated the discovery may portend additional vulnerabilities as of yet undisclosed—that they’d managed to develop an attack capable of accessing the Intel chips’ purportedly secured data in mere seconds.
Intel, which has begun issuing patches to address the issue, said in a statement sent to Gizmodo that while its work is not complete, it believes it has “substantively” reduced the potential attack surface. “We continuously improve the techniques available to address such issues and appreciate the academic researchers who have partnered with Intel,” it said.