Items tagged with spectre
You might not have even been aware of this, but last month's Patch Tuesday update for Windows contained a long overdue mitigation for a security flaw in Intel processors. Left upatched, the flaw essentially allows an attacker to bypass fixes that had previously been rolled out to deal with Spectre and Meltdown, the names given to serious side-channel vulnerabilities that were disclosed last year. Security researchers at Bitdefender discovered the flaw and reported it to Intel a year ago. Even though it affected every Intel processor dating back to Ivy Bridge (introduced in 2012), and potentially earlier ones as well, Intel shrugged it off, saying it already knew about the vulnerability and was...
Read more...
Just when we thought that the worst was over with respect to speculative execution hardware exploits like Spectre, we get hit with another whopper. Such is the case with a new Intel processor vulnerability dubbed Spoiler. Spoiler is similar in concept to Spectre, and was discovered by researchers at the Worcester Polytechnic Institute. But while Spoiler relies on speculative execution (i.e., a processor performing tasks that it “predicts” may be requested by the user in the future, and storing that data in memory), existing Spectre mitigation solutions are not applicable. This is not only bad news for Intel, but also customers that rely on Intel processor platforms...
Read more...
Where computing is concerned, security should always be a major focus. In 2018, that focus almost seemed overwhelming, thanks in part to the fact that the infamous Spectre and Meltdown security vulnerabilities impacted so many end users and industries. And let's not forget then-Intel CEO Brian Krzanich during his CES keynote, where he wasted no time at all in addressing the problem, along with the company's commitment to fix it for its processors. Over the course of the year, we were all left wondering if future patches would cripple system performance, but thankfully, the noticeable hits seem to be prevalent mostly in the enterprise. However, there is still some degradation for us regular...
Read more...
Standing out in a sea of excellent laptops is tough nowadays, especially with a metal chassis being the bare minimum point of entry to the premium class. Each company offers its own unique take – Microsoft has Alcantara keyboards, Dell offers super thin screen borders and carbon fiber, Lenovo has fancy hinges and OLED displays, Apple has its touch bar, while Asus and Acer offer value propositions. So what’s a laptop brand like HP to do when faced with tough competition and a virtual sea of options for consumers? Meet the HP Spectre Folio, the company’s latest ultra-portable 2-in-1 13-inch hybrid notebook that embraces a bit of what also makes things like luxury cars great...
Read more...
Ever since the Meltdown and Spectre were disclosed earlier this year, the issues surrounding the speculative execution exploits has been multi-pronged. On the one hand, there are concerns that nefarious parties taking advantage of the exploits to compromise unpatched systems. In addition, there have been concerns that the current patches to mitigate the attacks can reduce processing performance by up to 30 percent in some cases. Thankfully, Google engineers have developed a Spectre Variant 2 mitigation technique that results in a negligible impact in system performance. The mitigation strategy, which is called Retpoline, was initially detailed shortly after the details of Meltdown...
Read more...
Microsoft is pushing out new microcode updates for Intel processors affected by recently disclosed side channel exploits, including several Spectre variants and the newer Foreshadow flaw. The microcode updates apply to Windows 10 and Windows Server, and cover a range of Skylake, Kaby Lake, and Coffee Lake processors. "This update is a stand-alone update targeted for Windows 10 version 1803 (Windows 10 April 2018 Update) and Windows Server Version 1803 (Server Core). This update also includes Intel microcode updates that were already released for these operating systems at the time of release to manufacturing (RTM). We will offer additional microcode updates from Intel through this article for...
Read more...
If you thought Spectre and Meltdown were bad, there are new exploits that have the potential to seriously compromise modern Intel processors. The latest class of exploits are called Foreshadow, and were was disclosed today by Intel via a blog post. The exploit involves Intel's Software Guard Extensions, which is better known as SGX. SGX is supposed to serve as a secure enclave within memory on the processor to ward off malicious entities accessing private data. SGX has in the past been able to help mitigate Meltdown and Spectre attacks, but Foreshadow has the ability to access the SGX-protected L1 data cache. Intel describes the attack vector for Foreshadow, writing, "Accessing a logical...
Read more...
Security conscious computer users might wonder if we will ever fully put Spectre vulnerabilities behind us. Researchers were still discovering new vulnerabilities related to Spectre early this year. Intel is working to protect users from the vulnerability and only a few days ago it announced a patch for side-challenge exploits for some of it chips and awarded the researchers who found the bug $100,000 for their efforts. Google is also integrating security technology into its popular Chrome browser to protect against Spectre vulnerabilities. Those new security features come at a cost for Chrome users and that cost is increased memory consumption by the browser. Chrome will reportedly consume about...
Read more...
A newly discovered security vulnerability in modern Intel X86 processors has been revealed that affects the processor's speculative execution technology – like Spectre and Meltdown – and can be used to access sensitive information, including encryption related data. Over the last day or two, patches have quietly rolled out for some operation systems, but Red Hat just revealed all of the underlying details. The vulnerability, which is being called "Lazy FPU Save/Restore," was assigned a moderate rating and an ID of CVE-2018-3665 in the company's solutions database. As its name suggests, the exploit leverages the processor's FPU's (Floating Point Unit) "lazy state restore" feature...
Read more...
Computer users around the world are still reeling from the Spectre flaws that affected many modern ARM and x86-64 CPUs, and earlier this month we learned that there was another Spectre-style vulnerability that could affect processors from Intel, AMD and ARM. Intel and Microsoft have now stepped up and officially disclosed the latest vulnerability. Intel says that following the Google Project Zero (GPZ) disclosure of speculative execution-based side-channel analysis methods back in January that it has continued working with researchers around the world to figure out if similar methods could be used in other areas. Intel says that it expected side-channel exploits would follow a predictable...
Read more...
New Spectre flaws have been revealed by the former head of Intel's advanced thread team, Yuriy Bulygin. This is a man who knows what he's doing, so his opinions and findings are not to be treated as fly-by-night like some others. Through his new security agency, Eclypsium (a neat name, it must be said), Bulygin posts of a new application of speculative execution attacks which hinge on Spectre variant 1 (bounds check bypass), although it's believed that the same exploit would work with variant 2 (branch target injection), as well. Ultimately, Bulygin's exploit leverages the bounds check bypass element of Spectre's variant 1 to circumvent the system management range register (SMRR) protection of...
Read more...
Just when news of Spectre and Meltdown has seemingly died down, we're now hearing of a fresh round of exploits that might affect Intel processors. A total of 8 new vulnerabilities have been discovered and are being dubbed Spectre Next Generation, or Spectre-NG for short. Each of the eight vulnerabilities have been assigned their own Common Vulnerability Enumerator (CVE) designation, and each will need to be patched separately according to German publication c't. Intel, which has been notified of Spectre-NG, acknowledges that four of the new exploits are considered "high risk", while the other four are "medium risk". At least one of the vulnerabilities is reportedly even more...
Read more...
In mid-March, Intel announced that it had made tremendous progress in releasing microcode updates to address the Meltdown and Spectre vulnerabilities in its processors. At the time, Intel said that its microcode updates had been distributed for all of its processors released in the past five years. While Intel's progress in making sure that its processors are hardened against exotic side-channel attacks, the company doesn't have unlimited resources -- especially when it comes to supporting processors that were first released many years ago. To that end, Intel has provided a new status update on its progress for distributing Meltdown-Spectre microcode updates. Just a small sample of the processors...
Read more...
When word finally spread about Spectre and Meltdown, it seemed only a matter of time before attackers would try to leverage the side-channel vulnerabilities. That is not the only concern, however. A team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamtom University say they have discovered a new side-channel attack that affects Intel processors, and that patches released for Spectre and Meltdown might prove ineffective against the exploit. Researchers are calling the newly discovered vulnerability "BranchScope." While not the same as Spectre or Meltdown, it works similarly to expose potentially sensitive...
Read more...
