A year after Meltdown and Spectre, security researchers are still announcing new serious risks from low-level chip operations

Spectre and Meltdown are a pair of chip-level security bugs that exploit something called "speculative execution," through which chips boost performance by making shrewd guesses about which computer operations are performed together.

Spectre and Meltdown represented a new class of never-seen-before attacks, and as news of their existence percolated through security circles, it sparked a scavenger hunt for more errors of their sort, with many more coming to light.

Intel calls these "Microarchitectural Data Sampling" (MDS) attacks, and now a team of industry and academic researchers (some of whom worked on the original Spectre/Meltdown papers) have gone public with a new set of MDS bugs that Intel was given advance notice of (some of these bugs were discovered more than a year ago). All but the most recent Intel chips are vulnerable to these attacks (you can check your system here).

The researchers have dubbed the new defects CPU Fail, and they have disclosed three CPU Fail attacks: Zombieload, RIDL, and Fallout, which they class as "less serious than Meltdown but worse than Spectre."

The specifics vary for each defect, but the most significant fact about them is that they can force CPUs to reveal data that's private to another process running on the same system. That means that an attacker can run code on a cloud computer that gives them access to other virtual machines running on the same hardware -- or they can run Javascript in your browser window and steel secrets from your password manager. Read the rest