Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
Medium
Analysis Summary
Vulnerabilities have been reported known as ZombieLoad — or microarchitectural data sampling (MDS) as its technical name — which can leak sensitive data stored in the processor, such as passwords, secret keys and account tokens and private messages.
These CPU side channel issues (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) are a set of speculative execution side-channel vulnerabilities which potentially allow results from previous execution on a core to be observed across security boundaries via microarchitectural state, on certain Intel CPUs.
An attacker successfully exploiting these vulnerabilities could read sensitive data from other processes running on the system, breaking the isolation between processes provided by modern operating systems. If Chrome processes are attacked, these sensitive data could include website contents as well as passwords, credit card numbers, or cookies.
Impact
Affected Vendors
Remediation
The affected vendors are patching these vulnerabilities in their products as follows:
Mozilla:
“The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”
Amazon:
All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.
Microsoft:
Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.
Apple
Apple has released security updates in macOS Mojave 10.14.5 to protect against speculative execution vulnerabilities in Intel CPUs.
(The flaws do not affect Apple iOS devices or Apple Watch)
Google:
Android devices aren’t affected but Intel-only devices will need to be patched once updates are available.
Chrome OS has disabled Hyper-Threading on Chrome OS 74 and subsequent versions. This provides protection against attacks using MDS.
macOS Mojave 10.14.5 includes MDS mitigations. These have been adopted by Chrome and will be included in Chrome 75.
Windows users should apply updates with MDS mitigations as soon as they are available
Linux users should apply kernel and CPU microcode updates as soon as they are available from their distribution vendor, and follow any guidance to adjust system settings.
Apple iOS devices use CPUs not known to be vulnerable to MDS.
Only Intel-based systems need to be patched once updates are available.