What is the Impact of Zombieload?

By now you have likely heard about Zombieload, the latest in a series of vulnerabilities impacting the Intel Core and Xeon processors that power your endpoints. Of course, it’s not the vulnerability itself (appearing in proc’s made after 2011) that impacts your computing power – it’s the ‘fix’ that Intel has issued to remove the risk of potential ‘cache voyeurs’ observing data recently pushed through the speculative execution side-channel – otherwise known as Microarchitectural Data Sampling (MDS). The reason you should be concerned, or even outraged, is that by some estimates the “fix” could sap as much as 40% of the processing power.

The reason ‘fix’ is in inverted commas, is that Intel seems to have disabled predictive compute, rather than addressing the issue at its core (no pun intended). If the concern is that threat actors can exploit a rule, that is supposed to keep data within the side-channel from being exposed, I call for a better rule, rather than simply disabling this critical feature.

In the context of having already lost so much compute to Foreshadow (10% – 30%), Spectre/Meltdown (another 30%), another 40% hit from ZombieLoad means I’m looking at performance that pales by comparison to what I was sold. This should be a huge blow to Intel, yet their shares closed 1% higher on the day of the news! Time will tell if that persists… Perhaps it’s because the solution will be to buy new servers, either with cores that aren’t vulnerable to predictive execution side-channel exploits, or simply 40% more power to offset the performance hit. This appears to be how some big cloud infrastructure providers are mitigating the impact to their business end-users – by dumping more iron behind them.

My real concern is for the small to medium sized organizations who can’t readily afford (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: