Are you Protected?

It has been a little over a year since Spectre was revealed, a flaw in the Intel and AMD processors that allowed sensitive data to be revealed to attackers using a timing attack. Fast forward to today, security analysts have discovered another flaw in the Intel chip.  It allows attackers to eavesdrop on the raw data that a victim’s CPU comes in contact with.

This new vulnerability has been labeled Microarchitectural Data Sampling, or MDS. Researchers found that attackers can use speculative execution to trick Intel’s processors into gathering sensitive data moving from one component of the chip to another.  Sensitive data the attacker can retrieve include things such as websites the user is surfing, their passwords, or even secret keys to decrypt the users encrypted data.  Intel had requested all the research analysts to keep their findings secret until fixes could be released for the vulnerabilities, allowing Intel more than a year to work on a patch for this vulnerability.

  • Until the microcode updates are available, Microsoft has published OS-level updates to address the MDS vulnerabilities.
  • Apple has deployed patches to mitigate MDS attacks with macOS Mojave 10.14.5.  This update prevents the exploitation of these vulnerabilities via JavaScript.  According to Apple, iOS devices use CPUs not know to the MDS vulnerability so there is no special mitigation necessary.
  • Google published a help page that lists the status of each of their devices and how it is impacted by the MDS attacks.  Googles cloud infrastructure has already received all the appropriate patches.  G-Suite and Google App customers don’t have to do anything.  According to Google, Android users are not impacted.  OS-level patches should protect Chrome browser users.
  • Amazon has already patched and applied mitigations to protect its cloud servers.