Spectre and Meltdown have been the source of major headaches for the industry at large, and in particular for Intel, which scurried to release firmware updates to mitigate the side-channel attacks. While those are now mostly in the rear-view mirror, security researchers have discovered another side-channel vulnerability, which is detailed under CVE-2018-3693.
It is one of a dozen new CVEs published by Intel. Researchers Vladimir Kiriansky and Carl Waldspurger discovered the flaw (PDF) and are being rewarded $100,000 for their efforts, as part of Intel's bug bounty program.
"On January 3, 2018, a team of security researchers disclosed several software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from many types of computing devices with many different vendors’ processors and operating systems. On Jul 10, 2018, additional research disclosed related variations of these methods...Intel would like to thank Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting and for working with the industry on coordinated disclosure," Intel stated in its disclosure.
The researchers actually discovered two minor variants that are similar to Spectre Variant 1, which they have dubbed Spectre 1.1 and Spectre 1.2. However, it's the bigger of the two, a "bounds check bypass store" (BCBS), that was the source of the hefty bug bounty. It essentially allows malicious code already running on an Intel system to access passwords, encryption keys, and other sensitive information from data stored in memory that is typically inaccessible.
"The bounds check bypass method takes advantage of speculative execution after conditional branch instructions. A malicious actor discovers or causes the creation of 'confused deputy' code which allows the attacker to use speculative operations to infer information not normally accessible to the attacker," Intel explains in a white paper (PDF).
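To make the "confused deputy" pattern concrete from the defender's side, the following added example (not code from the researchers' paper or from Intel) shows a bounds-checked store as a developer would normally write it, beside the same store hardened with branchless index masking, the technique behind the Linux kernel's `array_index_nospec`. The names `store_unmitigated`, `store_mitigated` and `index_mask_nospec` are this example's own.

```c
/* Added illustration: a bounds-checked store and its masked form.
 * Neither function is from the CVE-2018-3693 write-up. */
#include <stddef.h>
#include <stdint.h>

#define BUF_LEN 16
static uint8_t buf[BUF_LEN];

/* Architecturally correct: the store only retires when idx < BUF_LEN.
 * Under speculation, however, the CPU may execute the store before the
 * compare resolves, transiently writing past buf for a caller-chosen idx.
 * That transient out-of-bounds store is the BCBS pattern. */
int store_unmitigated(size_t idx, uint8_t val) {
    if (idx < BUF_LEN) {
        buf[idx] = val;
        return 1;
    }
    return 0;
}

/* All-ones when idx < size, zero otherwise, computed without a branch:
 * the top bit of (idx | (size - idx - 1)) is set exactly when idx >= size
 * (either idx itself is huge, or the subtraction wraps). */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    size_t oob = (idx | (size - idx - 1)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1; /* oob == 1 -> 0, oob == 0 -> SIZE_MAX */
}

/* Same check, but the index is clamped by data flow rather than by the
 * branch alone, so even a mispredicted path stores inside buf (at [0]). */
int store_mitigated(size_t idx, uint8_t val) {
    if (idx < BUF_LEN) {
        idx &= index_mask_nospec(idx, BUF_LEN);
        buf[idx] = val;
        return 1;
    }
    return 0;
}

/* Accessor so callers can confirm where a store landed. */
uint8_t read_byte(size_t idx) {
    return buf[idx & index_mask_nospec(idx, BUF_LEN)];
}
```

Both functions behave identically to the architectural observer; the difference is only in what the pipeline can do transiently, which is exactly why ordinary tests do not catch the unmitigated pattern and code review or compiler support (such as speculative load hardening) is needed.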
To deal with these new exploits and other similar ones that will inevitably arise, Intel is moving to a quarterly release cadence for its security updates rather than random releases for these types of mitigations. It's similar to Microsoft's monthly Patch Tuesday schedule, except Intel is targeting every three months instead of every month.
An Intel spokesperson provided us with the following statement:
"As we continue working with industry researchers, partners and academia to protect customers against evolving security threats, we are streamlining security updates and guidance for our industry partners and customers when possible. With this in mind, today we are providing mitigation details for a number of potential issues, including a new sub-variant of variant 1 called Bounds Check Bypass Store, for which mitigations or developer guidance have been released. More information can be found on our product security page. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel."