- Joined
- Jan 5, 2006
- Messages
- 18,430 (2.72/day)
| System Name | AlderLake / Laptop |
|---|---|
| Processor | Intel i7 12700K P-Cores @ 5Ghz / Intel i3 7100U |
| Motherboard | Gigabyte Z690 Aorus Master / HP 83A3 (U3E1) |
| Cooling | Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans / Fan |
| Memory | 32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36 / 8GB DDR4 HyperX CL13 |
| Video Card(s) | MSI RTX 2070 Super Gaming X Trio / Intel HD620 |
| Storage | Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2 / Samsung 256GB M.2 SSD |
| Display(s) | 23.8" Dell S2417DG 165Hz G-Sync 1440p / 14" 1080p IPS Glossy |
| Case | Be quiet! Silent Base 600 - Window / HP Pavilion |
| Audio Device(s) | Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533 |
| Power Supply | Seasonic Focus Plus Gold 750W / Powerbrick |
| Mouse | Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless |
| Keyboard | RAPOO E9270P Black 5GHz wireless / HP backlit |
| Software | Windows 11 / Windows 10 |
| Benchmark Scores | Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock |
Researchers from four American universities have developed a new GPU side-channel attack that leverages data compression to leak sensitive visual data from modern graphics cards when visiting web pages.
The researchers have demonstrated the effectiveness of this 'GPU.zip' attack by performing cross-origin SVG filter pixel-stealing attacks through the Chrome browser.
The researchers disclosed the vulnerability to impacted video card manufacturers in March 2023. However, as of September 2023, no affected GPU vendors (AMD, Apple, Arm, NVIDIA, Qualcomm) or Google (Chrome) have rolled out patches to address the problem.
The new flaw is outlined in a paper from researchers at the University of Texas at Austin, Carnegie Mellon University, University of Washington, and University of Illinois Urbana-Champaign and will appear in the 45th IEEE Symposium on Security and Privacy.
The fact that none of the impacted vendors have decided to fix the issue by optimizing their data compression approach and limiting its operation to non-sensitive cases further raises the risk.
Although GPU.zip potentially impacts the vast majority of laptops, smartphones, tablets, and desktop PCs worldwide, the immediate impact on users is moderated by the complexity and time required to perform the attack.
Also, websites that deny cross-origin iframe embedding cannot be used for leaking user data through this or similar side-channel attacks.
"Most sensitive websites already deny being embedded by cross-origin websites. As a result, they are not vulnerable to the pixel stealing attack we mounted using GPU.zip," explains the researchers in a FAQ on the team's website.
Finally, the researchers note that Firefox and Safari do not meet all the criteria needed for GPU.zip to work, such as allowing cross-origin iframes to be loaded with cookies, rendering SVG filters on iframes, and delegating rendering tasks to the GPU.
Update 9/28 - An Intel spokesperson has sent BleepingComputer the following comment regarding the GPU.zip risk and its impact on the firm's products:
More:
www.bleepingcomputer.com
www.hertzbleed.com
The researchers have demonstrated the effectiveness of this 'GPU.zip' attack by performing cross-origin SVG filter pixel-stealing attacks through the Chrome browser.
The researchers disclosed the vulnerability to impacted video card manufacturers in March 2023. However, as of September 2023, no affected GPU vendors (AMD, Apple, Arm, NVIDIA, Qualcomm) or Google (Chrome) have rolled out patches to address the problem.
The new flaw is outlined in a paper from researchers at the University of Texas at Austin, Carnegie Mellon University, University of Washington, and University of Illinois Urbana-Champaign and will appear in the 45th IEEE Symposium on Security and Privacy.
GPU.zip severity
GPU.zip impacts almost all major GPU manufacturers, including AMD, Apple, Arm, Intel, Qualcomm, and NVIDIA, but not all cards are equally affected.The fact that none of the impacted vendors have decided to fix the issue by optimizing their data compression approach and limiting its operation to non-sensitive cases further raises the risk.
Although GPU.zip potentially impacts the vast majority of laptops, smartphones, tablets, and desktop PCs worldwide, the immediate impact on users is moderated by the complexity and time required to perform the attack.
Also, websites that deny cross-origin iframe embedding cannot be used for leaking user data through this or similar side-channel attacks.
"Most sensitive websites already deny being embedded by cross-origin websites. As a result, they are not vulnerable to the pixel stealing attack we mounted using GPU.zip," explains the researchers in a FAQ on the team's website.
Finally, the researchers note that Firefox and Safari do not meet all the criteria needed for GPU.zip to work, such as allowing cross-origin iframes to be loaded with cookies, rendering SVG filters on iframes, and delegating rendering tasks to the GPU.
Update 9/28 - An Intel spokesperson has sent BleepingComputer the following comment regarding the GPU.zip risk and its impact on the firm's products:
More:
Modern GPUs vulnerable to new GPU.zip side-channel attack
Researchers from four American universities have developed a new GPU side-channel attack that leverages data compression to leak sensitive visual data from modern graphics cards when visiting web pages.
GPU.zip
www.hertzbleed.com
