For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the speculative functionality of its processors. On Monday, the company said it will issue a software update "in the coming weeks" that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws. This latest update comes after the company released two separate patches in May and November of last year.
Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn't work on Intel's more recent chips. Moreover, a hacker can't execute the attack using a web browser. Intel also says it's "not aware" of anyone taking advantage of the flaws outside of the lab.
However, like when the company issued its second MDS patch in November, security researchers are criticizing Intel for its piecemeal approach. "We spent months trying to convince Intel that leaks from L1D evictions were possible and needed to be addressed," the international team of computer scientists that discovered the flaw wrote on their website. In an addendum to their original paper, there's a sense of exasperation with the company. "We reiterate that RIDL-class vulnerabilities are non-trivial to fix or mitigate, and current 'spot' mitigation strategies for resolving these issues are questionable," the researchers write.