Items tagged with spectre
Flaws with speculative execution have been making the rounds in the past few years, with a more recent focus on the Spectre chip flaw and its potentially bypassable mitigations. Following these developments, Intel is now looking at its long-term strategy to protect against transient execution attack methods in the future. Transient execution vulnerabilities are “a class of vulnerabilities that can allow an attacker to infer information that would otherwise be prohibited by architectural access control schemes.” As Intel explains, an attack using these vulnerabilities would exploit mis-predicted transient instructions created and squashed by speculative execution. The data in these...
Read more...
At the start of May, researchers at the University of Virginia announced that current Spectre chip vulnerability mitigations could be bypassed entirely, bringing the ghostly security flaw back to life. Intel has now officially responded by claiming that software coded following its specific security guidance protects against these new vulnerabilities. However, UVA researchers seem to disagree with the general sentiment. The question now is, who is right and what needs to happen to protect end-users? Here's Intel's full statement on the matter... “Intel reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed...
Read more...
Back in 2018, a processor security vulnerability called Spectre appeared, affecting all modern CPU architectures from Intel, AMD, and even ARM in the last 20 years. Since then, major players and semiconductor OEMs have worked hard to patch out the vulnerabilities in a cybersecurity whack-a-mole game, in some cases leading to performance loss and other issues. Today, unfortunately, University of Virginia Researchers have now found a way to circumvent all of the original Spectre security mitigations, essentially resurrecting the ghostly security flaw that will now again haunt billions of PCs globally. Of the vulnerabilities that appeared in 2018, Spectre was the nastier of the two primary...
Read more...
Intel was raked over the coals three years ago when Spectre and Meltdown vulnerabilities were first discovered that could affect its consumer and enterprise processors. The company addressed the side-channel exploits with patches and subsequent hardware revisions, but AMD is now coming under the microscope for a side-channel attack that could affect processors based on its Zen 3 architecture. The attack is similar in scope to Spectre and involves a feature introduced with Zen 3 called Predictive Store Forwarding (PSF). PSF, in effect, guesses the result of a load and uses speculative execution with subsequent commands. "In typical code, PSF provides a performance benefit by speculating...
Read more...
You might not have even been aware of this, but last month's Patch Tuesday update for Windows contained a long overdue mitigation for a security flaw in Intel processors. Left upatched, the flaw essentially allows an attacker to bypass fixes that had previously been rolled out to deal with Spectre and Meltdown, the names given to serious side-channel vulnerabilities that were disclosed last year. Security researchers at Bitdefender discovered the flaw and reported it to Intel a year ago. Even though it affected every Intel processor dating back to Ivy Bridge (introduced in 2012), and potentially earlier ones as well, Intel shrugged it off, saying it already knew about the vulnerability and was...
Read more...
Just when we thought that the worst was over with respect to speculative execution hardware exploits like Spectre, we get hit with another whopper. Such is the case with a new Intel processor vulnerability dubbed Spoiler. Spoiler is similar in concept to Spectre, and was discovered by researchers at the Worcester Polytechnic Institute. But while Spoiler relies on speculative execution (i.e., a processor performing tasks that it “predicts” may be requested by the user in the future, and storing that data in memory), existing Spectre mitigation solutions are not applicable. This is not only bad news for Intel, but also customers that rely on Intel processor platforms...
Read more...
Where computing is concerned, security should always be a major focus. In 2018, that focus almost seemed overwhelming, thanks in part to the fact that the infamous Spectre and Meltdown security vulnerabilities impacted so many end users and industries. And let's not forget then-Intel CEO Brian Krzanich during his CES keynote, where he wasted no time at all in addressing the problem, along with the company's commitment to fix it for its processors. Over the course of the year, we were all left wondering if future patches would cripple system performance, but thankfully, the noticeable hits seem to be prevalent mostly in the enterprise. However, there is still some degradation for us regular...
Read more...
Standing out in a sea of excellent laptops is tough nowadays, especially with a metal chassis being the bare minimum point of entry to the premium class. Each company offers its own unique take – Microsoft has Alcantara keyboards, Dell offers super thin screen borders and carbon fiber, Lenovo has fancy hinges and OLED displays, Apple has its touch bar, while Asus and Acer offer value propositions. So what’s a laptop brand like HP to do when faced with tough competition and a virtual sea of options for consumers? Meet the HP Spectre Folio, the company’s latest ultra-portable 2-in-1 13-inch hybrid notebook that embraces a bit of what also makes things like luxury cars great...
Read more...
Ever since the Meltdown and Spectre were disclosed earlier this year, the issues surrounding the speculative execution exploits has been multi-pronged. On the one hand, there are concerns that nefarious parties taking advantage of the exploits to compromise unpatched systems. In addition, there have been concerns that the current patches to mitigate the attacks can reduce processing performance by up to 30 percent in some cases. Thankfully, Google engineers have developed a Spectre Variant 2 mitigation technique that results in a negligible impact in system performance. The mitigation strategy, which is called Retpoline, was initially detailed shortly after the details of Meltdown...
Read more...
Microsoft is pushing out new microcode updates for Intel processors affected by recently disclosed side channel exploits, including several Spectre variants and the newer Foreshadow flaw. The microcode updates apply to Windows 10 and Windows Server, and cover a range of Skylake, Kaby Lake, and Coffee Lake processors. "This update is a stand-alone update targeted for Windows 10 version 1803 (Windows 10 April 2018 Update) and Windows Server Version 1803 (Server Core). This update also includes Intel microcode updates that were already released for these operating systems at the time of release to manufacturing (RTM). We will offer additional microcode updates from Intel through this article for...
Read more...
If you thought Spectre and Meltdown were bad, there are new exploits that have the potential to seriously compromise modern Intel processors. The latest class of exploits are called Foreshadow, and were was disclosed today by Intel via a blog post. The exploit involves Intel's Software Guard Extensions, which is better known as SGX. SGX is supposed to serve as a secure enclave within memory on the processor to ward off malicious entities accessing private data. SGX has in the past been able to help mitigate Meltdown and Spectre attacks, but Foreshadow has the ability to access the SGX-protected L1 data cache. Intel describes the attack vector for Foreshadow, writing, "Accessing a logical...
Read more...
Security conscious computer users might wonder if we will ever fully put Spectre vulnerabilities behind us. Researchers were still discovering new vulnerabilities related to Spectre early this year. Intel is working to protect users from the vulnerability and only a few days ago it announced a patch for side-challenge exploits for some of it chips and awarded the researchers who found the bug $100,000 for their efforts. Google is also integrating security technology into its popular Chrome browser to protect against Spectre vulnerabilities. Those new security features come at a cost for Chrome users and that cost is increased memory consumption by the browser. Chrome will reportedly consume about...
Read more...
A newly discovered security vulnerability in modern Intel X86 processors has been revealed that affects the processor's speculative execution technology – like Spectre and Meltdown – and can be used to access sensitive information, including encryption related data. Over the last day or two, patches have quietly rolled out for some operation systems, but Red Hat just revealed all of the underlying details. The vulnerability, which is being called "Lazy FPU Save/Restore," was assigned a moderate rating and an ID of CVE-2018-3665 in the company's solutions database. As its name suggests, the exploit leverages the processor's FPU's (Floating Point Unit) "lazy state restore" feature...
Read more...
Computer users around the world are still reeling from the Spectre flaws that affected many modern ARM and x86-64 CPUs, and earlier this month we learned that there was another Spectre-style vulnerability that could affect processors from Intel, AMD and ARM. Intel and Microsoft have now stepped up and officially disclosed the latest vulnerability. Intel says that following the Google Project Zero (GPZ) disclosure of speculative execution-based side-channel analysis methods back in January that it has continued working with researchers around the world to figure out if similar methods could be used in other areas. Intel says that it expected side-channel exploits would follow a predictable...
Read more...
New Spectre flaws have been revealed by the former head of Intel's advanced thread team, Yuriy Bulygin. This is a man who knows what he's doing, so his opinions and findings are not to be treated as fly-by-night like some others. Through his new security agency, Eclypsium (a neat name, it must be said), Bulygin posts of a new application of speculative execution attacks which hinge on Spectre variant 1 (bounds check bypass), although it's believed that the same exploit would work with variant 2 (branch target injection), as well. Ultimately, Bulygin's exploit leverages the bounds check bypass element of Spectre's variant 1 to circumvent the system management range register (SMRR) protection of...
Read more...
Just when news of Spectre and Meltdown has seemingly died down, we're now hearing of a fresh round of exploits that might affect Intel processors. A total of 8 new vulnerabilities have been discovered and are being dubbed Spectre Next Generation, or Spectre-NG for short. Each of the eight vulnerabilities have been assigned their own Common Vulnerability Enumerator (CVE) designation, and each will need to be patched separately according to German publication c't. Intel, which has been notified of Spectre-NG, acknowledges that four of the new exploits are considered "high risk", while the other four are "medium risk". At least one of the vulnerabilities is reportedly even more...
Read more...
In mid-March, Intel announced that it had made tremendous progress in releasing microcode updates to address the Meltdown and Spectre vulnerabilities in its processors. At the time, Intel said that its microcode updates had been distributed for all of its processors released in the past five years. While Intel's progress in making sure that its processors are hardened against exotic side-channel attacks, the company doesn't have unlimited resources -- especially when it comes to supporting processors that were first released many years ago. To that end, Intel has provided a new status update on its progress for distributing Meltdown-Spectre microcode updates. Just a small sample of the processors...
Read more...
When word finally spread about Spectre and Meltdown, it seemed only a matter of time before attackers would try to leverage the side-channel vulnerabilities. That is not the only concern, however. A team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamtom University say they have discovered a new side-channel attack that affects Intel processors, and that patches released for Spectre and Meltdown might prove ineffective against the exploit. Researchers are calling the newly discovered vulnerability "BranchScope." While not the same as Spectre or Meltdown, it works similarly to expose potentially sensitive...
Read more...
It appears that the Spectre-Meltdown nightmare for Intel and its customers is finally nearing resolution. The chip giant has been working overtime to develop and distribute microcode updates for its processors to combat these vulnerabilities, and this morning announced that 100 percent of its processors released in the past five years have microcode updates to protect "against the side-channel method vulnerabilities." In addition, Intel says that it is taking proactive steps to ensure that all three primary vulnerabilities, which are listed below, are addressed in the future: Variant 1 (Spectre): CVE-2017-5753 (Bound Check Bypass) Variant 2 (Spectre): CVE-2017-5715 (Branch Target Injection) Variant...
Read more...
Today is Patch Tuesday, which means that Microsoft is pushing out a slew updates for its wide portfolio of software products. First and foremost, the company is issuing another round of updates to address the Spectre and Meltdown processor vulnerabilities that rocked the computing world back at the start of 2018. Microsoft announced that it will be expanding its Meltdown mitigation solutions to x86 version of both the legacy Windows 7 and Windows 8.1 operating systems. With this latest round of updates, all of Microsoft's [currently supported] operating systems are hardened against any known Meltdown threats. In addition, Microsoft has expanded its catalog of Intel-validated microcode updates...
Read more...
Attempts to mitigate CPU flaws affecting practically every processor released in the past two decades has not been easy. There is no 'one-size-fits-all' solution to this mess, and some of early attempts to patch CPUs against Spectre and Meltdown only caused more problems, like random reboots. Well, good news if you an own an older processor—Intel has released another batch of stable microcode updates, this time for Haswell and Broadwell CPUs. The new microcode updates replace some of the ones Intel briefly doled out in January. Intel ended up pulling those initial patches after customers complained of random reboot issues. To Intel's credit, the company responded quickly and identified...
Read more...
Just when you thought the whole Spectre and Meltdown situation could not get any messier, a new report suggests Intel withheld information about the security flaws to US cyber officials, even though it gave some of its hardware partners a heads up before the situation became public knowledge. Intel defends its position, saying it had no knowledge that the vulnerabilities had been exploited. The report essentially echoes an earlier one in which The Wall Street Journal said Intel shared information about Spectre and Meltdown to Chinese firms before the US government. At the time, Jake Williams, head of Rendition Infosec and former NSA employee said it was "near certainty" that the Chinese government...
Read more...
