Free Republic

New Security Vulnerability Casts Shadow Over Intel
SourceToday ^ | Aug 17, 2018 | James Morra

Posted on 08/21/2018 4:23:31 AM PDT by jurroppi1

Intel has been scarred by another major security glitch that takes advantage of the same technology behind the Meltdown and Spectre vulnerabilities. The new set of vulnerabilities, labeled Foreshadow, allows passwords and other confidential information to be swiped from memory caches in Intel’s processors.

On Tuesday, the Santa Clara, California-based company said it had released microcode to protect potentially vulnerable devices in personal computers and data centers. The company said that the changes, coupled with new updates for operating systems and hypervisor software made available on Tuesday, would protect most customers.

“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” said Leslie Culbertson, Intel’s head of product security, in a statement. “This includes keeping systems up-to-date and taking steps to prevent malware.”

Foreshadow, like Meltdown and Spectre, is possible because of speculative execution, which is used in high-performance chips to boost software speeds. It involves loading computing instructions ahead of knowing whether they are required. The hardware cheats, snooping into the small pool of memory within each processor and making guesses on what happens next. The new vulnerability targets the L1 cache inside Intel processors.

Guessing correctly means a running start for the processor, while guessing incorrectly leads to the information being thrown out. With Foreshadow, code trespassing inside the processor can fool the operating system into loading passwords, encryption keys and other secrets stashed in memory before the cache is emptied. Then the software can steal them.

“Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low,” said Culbertson, adding that the software lessens the threat to the majority of servers installed in data centers and most personal computers. “In these cases, we haven’t seen any meaningful performance impact,” she said.

Intel said that customers should take additional precautions against another version of the vulnerability that could bypass the protections in servers running applications on virtual machines in the cloud. That includes turning down multithreading in some cases, which could put the squeeze on performance. "For these specific cases, performance or resource utilization on some specific workloads may be affected and varies accordingly," said Culbertson.

The threat adds to Intel’s challenge of rebuilding goodwill with customers in the aftermath of the Meltdown and Spectre vulnerabilities, which stunned the semiconductor industry and touched many of the world’s computer chips. The company, which is currently trying to replace former chief executive Brian Krzanich, has faced harsh criticism for mishandling the release of software patches that reduced performance as an aftereffect.

Culbertson said that Intel’s next generation of server chips, Cascade Lake, to be released before the end of the year, were overhauled to protect against Meltdown, Spectre and Foreshadow. The company said that the changes would limit the performance losses. That could also get customers to start paying for new hardware, which would boost revenue ahead of Advanced Micro Devices putting out rival products for data centers.


TOPICS: Miscellaneous; News/Current Events; Technical
KEYWORDS: computers; cybersecurity; intel
Another day, another exploit.
1 posted on 08/21/2018 4:23:31 AM PDT by jurroppi1

To: jurroppi1

Hacking at the break of noon
Foreshadows Intel’s sun and moon
To understand you know too soon
There’s no sense in tryin’.

But the rules of the net have been lodged
It’s only hacker’s games
That you got to dodge
And it’s alright Ma
It’s Intel bleedin’.


2 posted on 08/21/2018 4:47:57 AM PDT by MUDDOG

To: jurroppi1
Intel said that customers should take additional precautions against another version of the vulnerability that could bypass the protections in servers running applications on virtual machines in the cloud

Like last time this is mainly a cloud problem. Those of us with cheap virtual servers are finding out some of the drawbacks, although not me personally, not yet. Meanwhile people running home computers have to remember that all of these exploits require rogue code running on your PC. It's not clear whether that can just be javascript in your browser (I would never run flash, silverlight or any similar crap ever). The remote code needs to run precise timing tests numerous times in order to eavesdrop on protected code and data.

An average joe practicing safe computing (don't allow rogue software) should be fine. Rogue software would be problematic or fatal even without these new bugs.

3 posted on 08/21/2018 5:37:09 AM PDT by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)

To: palmer

There are specific issues with cloud based machines, but it affects all systems just like spectre. There are a few vectors, some are not cloud specific.


4 posted on 08/21/2018 5:47:32 AM PDT by jurroppi1 (The Left doesn’t have ideas, it has cliches. H/T Flick Lives)

To: jurroppi1

If some of these haxor doods started disappearing in small clouds of energetic dust, and the platform/application providers were required (under penalty of lost revenue) to provide better more secure code, maybe these things would happen less often.

Just sayin’

KYPD


5 posted on 08/21/2018 6:57:24 AM PDT by petro45acp (So why wasn't anyone there willing, able, and equipped to protect those people?)

To: jurroppi1
Whether cloud or not, the exploits require hostile code running on the processor. Of course it is possible to download hostile javascript and people do that all day long. But there is always a question whether the javascript engine allows enough control over memory reading to complete the exploit. Also such attacks are relatively easy to block, not just turning off javascript, but limiting it, or even just switching browsers.

In contrast, the code running on virtual servers in the cloud has a lot more power and flexibility to carry off one of these attacks.

6 posted on 08/21/2018 7:50:16 AM PDT by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)

To: palmer

“Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low,”

Low, but not completely mitigated even after installing a patch.

Drive-by downloads occur and originate even from legitimate sites sometimes (usually through seemingly innocuous ad script).


7 posted on 08/21/2018 8:27:55 AM PDT by jurroppi1 (The Left doesn’t have ideas, it has cliches. H/T Flick Lives)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
