Ugh, what do we know, of course it gets far, far worse...
Intel actively uses NDAs to silence the security teams and lie to its customers. Now those NDAs ran out on November 12th, so we get to check what Intel prevented from being disclosed. The above "new" ZombieLoad ain't new, the "new" TSX Asynchronous Abort ain't new. Intel told us we could be secured against them with software updates? No, the wording of choice is rather "mitigate any potential security threats", and stuff like Jump Conditional Code is not even being handled as a security issue, but is bound to reduce gaming performance some more.
But back to Intel's (ab)use of NDAs: part of the security team that found ZombieLoad is from the Austrian Technical University of Graz, and the German-language futurezone.at did an interview with its member Daniel Gruss (going to paraphrase his major answers):
- When Intel falsely claimed Cascade Lake was not affected by ZombieLoad, the team couldn't object due to the NDA.
- The NDA was extended to November on very short notice. Now it looks like it was only done to not endanger sales of the then upcoming products (i.e. mislead the customers).
- Thinks no software can fix the vulnerabilities; suggests turning off TSX and, in general, Hyper-Threading.
Timeline of the MDS Attack disclosure (bold text is from the source):
On Sep 29, 2018, we submitted several proof-of-concept exploits (PoCs) for a number of RIDL variants to Intel. Despite our many attempts, we received no technical feedback/questions on our submission except that Intel was working on the mitigations.
In fact, due to a lack of transparency on Intel's part, we only got a complete picture on Intel's MDS disclosure plan on May 10, 2019, just 4 days before public disclosure. We were able to find the microcode updates published by Intel online and tested them on May 11. We quickly found that Intel's fixes did not fully mitigate the vulnerabilities we had reported in Sep 2018 and immediately informed Intel.
On May 13, 2019, just one day from the RIDL/MDS public disclosure date, Intel requested TAA and any other RIDL issues that were not mentioned in the MDS whitepaper to be placed under a new last-minute embargo until Nov 12, 2019. At the request of Intel, and to protect users, we complied with the new embargo, withheld several details from the RIDL paper (leaving only some traces of our results in Table I), and did not release our now public RIDL test suite.
On July 3, 2019, we finally learned that, to our surprise, the Intel PSIRT team had missed the PoCs from our Sep 29 submission, despite having awarded a bounty for it, explaining why Intel had failed to address - or even publicly acknowledge - many RIDL-class vulnerabilities on May 14, 2019.
On Oct 15, 2019, we learned that Intel had not found this issue internally and the only other independent finder was the Zombieload team, which disclosed TAA to Intel in April, 2019.
On Oct 25, 2019, we tested Intel's latest microcode update, and still saw leaks with the VERW mitigation enabled, using the RIDL PoCs we shared with Intel in May 2019. We notified Intel and shared a polished PoC to make the issue clear. Intel requested a new embargo and yet suggested adding the following to our RIDL addendum: "A new microcode update release by Intel in November is required to adequately address the issue".
On Nov 12, 2019, TAA and the other scheduled RIDL issues are disclosed. Unfortunately, we believe that, given the piecemeal (variant-by-variant) mitigation approach pursued by Intel, RIDL-class vulnerabilities won't disappear any time soon.
Everybody involved in this continuous mess at Intel needs to have a long hard look into the mirror (and ideally change profession thereafter).
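Gruss's advice above (turn off TSX and Hyper-Threading) and the VERW mitigation named in the timeline map directly onto what a Linux kernel reports in sysfs: the kernel calls the VERW-based fix "Clear CPU buffers" and appends whether SMT is disabled, mitigated or still vulnerable. The script below is an added example, not code from the original post or from the RIDL/ZombieLoad teams. It assumes a kernel new enough to expose the mds and tsx_async_abort files under /sys/devices/system/cpu/vulnerabilities; the sample status strings are constructed from the formats the kernel documentation lists for those files.

```shell
#!/bin/sh
# Added example (not part of the original post): classify the status strings
# Linux exposes under /sys/devices/system/cpu/vulnerabilities/{mds,tsx_async_abort}
# and read the live files when this kernel reports them.

# classify_status "<status string>" -> prints ok | partial | vulnerable | unknown
classify_status() {
  case "$1" in
    "Not affected"*)                   echo ok ;;          # CPU/microcode not exposed
    "Mitigation: TSX disabled"*)       echo ok ;;          # TSX off: TAA has no trigger
    "Mitigation: "*"SMT disabled"*)    echo ok ;;          # buffers cleared and HT off
    "Mitigation: "*"SMT mitigated"*)   echo ok ;;
    "Mitigation: "*"SMT vulnerable"*)  echo partial ;;     # VERW applied, sibling thread still shares the buffers
    "Mitigation: "*)                   echo partial ;;
    "Vulnerable"*)                     echo vulnerable ;;  # includes the "no microcode" variants
    *)                                 echo unknown ;;
  esac
}

# check_live: print the live status for each file this kernel reports.
check_live() {
  dir=/sys/devices/system/cpu/vulnerabilities
  for name in mds tsx_async_abort; do
    if [ -r "$dir/$name" ]; then
      status=$(cat "$dir/$name")
      printf '%-16s %-11s %s\n' "$name" "$(classify_status "$status")" "$status"
    else
      printf '%-16s %-11s %s\n' "$name" unknown "(not reported by this kernel)"
    fi
  done
}

# demo: constructed sample strings (kernel-documented formats) so the classifier
# can be exercised on a machine that does not expose the sysfs files.
demo() {
  for s in "Not affected" \
           "Mitigation: Clear CPU buffers; SMT vulnerable" \
           "Mitigation: Clear CPU buffers; SMT disabled" \
           "Mitigation: TSX disabled" \
           "Vulnerable: Clear CPU buffers attempted, no microcode"; do
    printf '%-11s %s\n' "$(classify_status "$s")" "$s"
  done
}

demo
check_live
```

A "partial" result is the state the timeline describes: the VERW (clear CPU buffers) mitigation is active but the sibling hyper-thread still shares the affected buffers. Getting to "ok" on an affected part means booting with the documented kernel options that disable TSX (tsx=off) or disable SMT alongside the buffer clearing (tsx_async_abort=full,nosmt, mds=full,nosmt), which is exactly the trade-off Gruss recommends.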