Intel Fixes Another Zombieload CPU Security Flaw

If you own an Intel processor ... then you need to take a look at this!

Taken from Engadget … For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the speculative functionality of its processors. On Monday, the company said it will issue a software update “in the coming weeks” that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws. This latest update comes after the company released two separate patches in May and November of last year.

Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn’t work on Intel’s more recent chips. Moreover, a hacker can’t execute the attack using a web browser. Intel also says it’s “not aware” of anyone taking advantage of the flaws outside of the lab.

More at Engadget.

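Today we released INTEL-SA-00329, an Intel® Processors Data Leakage advisory concerning two vulnerabilities that were publicly disclosed by researchers. As part of our commitment to transparency, the advisory has been released ahead of our planned mitigations, and we expect to release mitigations through our normal Intel Platform Update (IPU) process in the near future.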

These issues are closely related to INTEL-SA-00233, released in November 2019, which addressed an issue called Transactional Synchronization Extensions (TSX) Asynchronous Abort, or TAA. At the time, we confirmed the possibility that some amount of data could still be inferred through a side channel and that this would be addressed in future microcode updates.

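Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released cumulative mitigations and substantially reduced the overall attack surface for these types of issues. We continue to conduct research in this area, both internally and together with the external research community.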

More information about INTEL-SA-00329:

CVE-2020-0548 is an information disclosure vulnerability with a CVSS score of 2.8, low, referred to as Vector Register Sampling. This issue is rated “low” as the user would first need to be authenticated on the target system, the high complexity of an attack, and low confidence in the attacker’s ability to target and retrieve relevant data.

For more information on Vector Register Sampling, see the Intel whitepaper and affected products:
https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling
https://software.intel.com/security-software-guidance/insights/processors-affected-vector-register-sampling

CVE-2020-0549 is also an information disclosure vulnerability requiring authenticated local access. The CVSS score is 6.5, medium. Referred to as L1D Eviction Sampling, the severity score is higher on this one because the attack complexity is lower and the ability to target specific data higher. This vulnerability has little to no impact in virtual environments that have applied L1 Terminal Fault mitigations.

Source: Intel
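
A defender-side check related to the advisory above, added here as an example and not taken from Intel or Engadget: on Linux, the kernel reports its mitigation state for L1 Terminal Fault, MDS and TAA under sysfs, and this script classifies those entries (on a virtualization host, `l1tf` is the entry that bears on the L1D Eviction Sampling statement). The sysfs path and status strings are standard Linux interfaces not mentioned on the page, the function names and verdict labels are hypothetical, and the entries describe the related issue families, not CVE-2020-0548 or CVE-2020-0549 themselves.

```shell
#!/bin/sh
# Added example: summarise the kernel-reported mitigation state for the
# issue families named in the advisory (L1TF, MDS, TAA).

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*)               echo not_affected ;;
        # Mitigation is active, but sibling hyperthreads can still leak.
        Mitigation:*"SMT vulnerable"*) echo mitigated_smt_exposed ;;
        Mitigation:*)                  echo mitigated ;;
        Vulnerable*)                   echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# Print "<issue> <verdict>" per entry; return 1 unless every entry is
# either not_affected or fully mitigated.
check_dir() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in l1tf mds tsx_async_abort; do
        if [ -r "$dir/$issue" ]; then
            verdict=$(classify_status "$(cat "$dir/$issue")")
        else
            # Kernel predates this entry, or sysfs is not available.
            verdict=unknown
        fi
        echo "$issue $verdict"
        case "$verdict" in
            not_affected|mitigated) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and call `check_dir` with no argument to read the live sysfs directory; a non-zero return means at least one entry needs attention (microcode, kernel update or SMT policy).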


About Winston
Winston has over 20 years of experience in the I.T. Industry. He launched Funky Kit with the aim to capture a wider audience worldwide. His knowledge in PC hardware is very distinguished, not only publishing enjoyable reviews but also writing great articles.