Items tagged with spectre
You might not have even been aware of this, but last month's Patch Tuesday update for Windows contained a long overdue mitigation for a security flaw in Intel processors. Left upatched, the flaw essentially allows an attacker to bypass fixes that had previously been rolled out to deal with Spectre and Meltdown, the names given to serious side-channel vulnerabilities that were disclosed last year. Security researchers at Bitdefender discovered the flaw and reported it to Intel a year ago. Even though it affected every Intel processor dating back to Ivy Bridge (introduced in 2012), and potentially earlier ones as well, Intel shrugged it off, saying it already knew about the vulnerability and was...
Read more...
Just when we thought that the worst was over with respect to speculative execution hardware exploits like Spectre, we get hit with another whopper. Such is the case with a new Intel processor vulnerability dubbed Spoiler. Spoiler is similar in concept to Spectre, and was discovered by researchers at the Worcester Polytechnic Institute. But while Spoiler relies on speculative execution (i.e., a processor performing tasks that it “predicts” may be requested by the user in the future, and storing that data in memory), existing Spectre mitigation solutions are not applicable. This is not only bad news for Intel, but also customers that rely on Intel processor platforms...
Read more...
Where computing is concerned, security should always be a major focus. In 2018, that focus almost seemed overwhelming, thanks in part to the fact that the infamous Spectre and Meltdown security vulnerabilities impacted so many end users and industries. And let's not forget then-Intel CEO Brian Krzanich during his CES keynote, where he wasted no time at all in addressing the problem, along with the company's commitment to fix it for its processors. Over the course of the year, we were all left wondering if future patches would cripple system performance, but thankfully, the noticeable hits seem to be prevalent mostly in the enterprise. However, there is still some degradation for us regular...
Read more...
Standing out in a sea of excellent laptops is tough nowadays, especially with a metal chassis being the bare minimum point of entry to the premium class. Each company offers its own unique take – Microsoft has Alcantara keyboards, Dell offers super thin screen borders and carbon fiber, Lenovo has fancy hinges and OLED displays, Apple has its touch bar, while Asus and Acer offer value propositions. So what’s a laptop brand like HP to do when faced with tough competition and a virtual sea of options for consumers? Meet the HP Spectre Folio, the company’s latest ultra-portable 2-in-1 13-inch hybrid notebook that embraces a bit of what also makes things like luxury cars great...
Read more...
Ever since the Meltdown and Spectre were disclosed earlier this year, the issues surrounding the speculative execution exploits has been multi-pronged. On the one hand, there are concerns that nefarious parties taking advantage of the exploits to compromise unpatched systems. In addition, there have been concerns that the current patches to mitigate the attacks can reduce processing performance by up to 30 percent in some cases. Thankfully, Google engineers have developed a Spectre Variant 2 mitigation technique that results in a negligible impact in system performance. The mitigation strategy, which is called Retpoline, was initially detailed shortly after the details of Meltdown...
Read more...
Microsoft is pushing out new microcode updates for Intel processors affected by recently disclosed side channel exploits, including several Spectre variants and the newer Foreshadow flaw. The microcode updates apply to Windows 10 and Windows Server, and cover a range of Skylake, Kaby Lake, and Coffee Lake processors. "This update is a stand-alone update targeted for Windows 10 version 1803 (Windows 10 April 2018 Update) and Windows Server Version 1803 (Server Core). This update also includes Intel microcode updates that were already released for these operating systems at the time of release to manufacturing (RTM). We will offer additional microcode updates from Intel through this article for...
Read more...
If you thought Spectre and Meltdown were bad, there are new exploits that have the potential to seriously compromise modern Intel processors. The latest class of exploits are called Foreshadow, and were was disclosed today by Intel via a blog post. The exploit involves Intel's Software Guard Extensions, which is better known as SGX. SGX is supposed to serve as a secure enclave within memory on the processor to ward off malicious entities accessing private data. SGX has in the past been able to help mitigate Meltdown and Spectre attacks, but Foreshadow has the ability to access the SGX-protected L1 data cache. Intel describes the attack vector for Foreshadow, writing, "Accessing a logical...
Read more...
Security conscious computer users might wonder if we will ever fully put Spectre vulnerabilities behind us. Researchers were still discovering new vulnerabilities related to Spectre early this year. Intel is working to protect users from the vulnerability and only a few days ago it announced a patch for side-challenge exploits for some of it chips and awarded the researchers who found the bug $100,000 for their efforts. Google is also integrating security technology into its popular Chrome browser to protect against Spectre vulnerabilities. Those new security features come at a cost for Chrome users and that cost is increased memory consumption by the browser. Chrome will reportedly consume about...
Read more...
A newly discovered security vulnerability in modern Intel X86 processors has been revealed that affects the processor's speculative execution technology – like Spectre and Meltdown – and can be used to access sensitive information, including encryption related data. Over the last day or two, patches have quietly rolled out for some operation systems, but Red Hat just revealed all of the underlying details. The vulnerability, which is being called "Lazy FPU Save/Restore," was assigned a moderate rating and an ID of CVE-2018-3665 in the company's solutions database. As its name suggests, the exploit leverages the processor's FPU's (Floating Point Unit) "lazy state restore" feature...
Read more...
Computer users around the world are still reeling from the Spectre flaws that affected many modern ARM and x86-64 CPUs, and earlier this month we learned that there was another Spectre-style vulnerability that could affect processors from Intel, AMD and ARM. Intel and Microsoft have now stepped up and officially disclosed the latest vulnerability. Intel says that following the Google Project Zero (GPZ) disclosure of speculative execution-based side-channel analysis methods back in January that it has continued working with researchers around the world to figure out if similar methods could be used in other areas. Intel says that it expected side-channel exploits would follow a predictable...
Read more...
New Spectre flaws have been revealed by the former head of Intel's advanced thread team, Yuriy Bulygin. This is a man who knows what he's doing, so his opinions and findings are not to be treated as fly-by-night like some others. Through his new security agency, Eclypsium (a neat name, it must be said), Bulygin posts of a new application of speculative execution attacks which hinge on Spectre variant 1 (bounds check bypass), although it's believed that the same exploit would work with variant 2 (branch target injection), as well. Ultimately, Bulygin's exploit leverages the bounds check bypass element of Spectre's variant 1 to circumvent the system management range register (SMRR) protection of...
Read more...
Just when news of Spectre and Meltdown has seemingly died down, we're now hearing of a fresh round of exploits that might affect Intel processors. A total of 8 new vulnerabilities have been discovered and are being dubbed Spectre Next Generation, or Spectre-NG for short. Each of the eight vulnerabilities have been assigned their own Common Vulnerability Enumerator (CVE) designation, and each will need to be patched separately according to German publication c't. Intel, which has been notified of Spectre-NG, acknowledges that four of the new exploits are considered "high risk", while the other four are "medium risk". At least one of the vulnerabilities is reportedly even more...
Read more...
In mid-March, Intel announced that it had made tremendous progress in releasing microcode updates to address the Meltdown and Spectre vulnerabilities in its processors. At the time, Intel said that its microcode updates had been distributed for all of its processors released in the past five years. While Intel's progress in making sure that its processors are hardened against exotic side-channel attacks, the company doesn't have unlimited resources -- especially when it comes to supporting processors that were first released many years ago. To that end, Intel has provided a new status update on its progress for distributing Meltdown-Spectre microcode updates. Just a small sample of the processors...
Read more...
When word finally spread about Spectre and Meltdown, it seemed only a matter of time before attackers would try to leverage the side-channel vulnerabilities. That is not the only concern, however. A team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamtom University say they have discovered a new side-channel attack that affects Intel processors, and that patches released for Spectre and Meltdown might prove ineffective against the exploit. Researchers are calling the newly discovered vulnerability "BranchScope." While not the same as Spectre or Meltdown, it works similarly to expose potentially sensitive...
Read more...
It appears that the Spectre-Meltdown nightmare for Intel and its customers is finally nearing resolution. The chip giant has been working overtime to develop and distribute microcode updates for its processors to combat these vulnerabilities, and this morning announced that 100 percent of its processors released in the past five years have microcode updates to protect "against the side-channel method vulnerabilities." In addition, Intel says that it is taking proactive steps to ensure that all three primary vulnerabilities, which are listed below, are addressed in the future: Variant 1 (Spectre): CVE-2017-5753 (Bound Check Bypass) Variant 2 (Spectre): CVE-2017-5715 (Branch Target Injection) Variant...
Read more...
Today is Patch Tuesday, which means that Microsoft is pushing out a slew updates for its wide portfolio of software products. First and foremost, the company is issuing another round of updates to address the Spectre and Meltdown processor vulnerabilities that rocked the computing world back at the start of 2018. Microsoft announced that it will be expanding its Meltdown mitigation solutions to x86 version of both the legacy Windows 7 and Windows 8.1 operating systems. With this latest round of updates, all of Microsoft's [currently supported] operating systems are hardened against any known Meltdown threats. In addition, Microsoft has expanded its catalog of Intel-validated microcode updates...
Read more...
Attempts to mitigate CPU flaws affecting practically every processor released in the past two decades has not been easy. There is no 'one-size-fits-all' solution to this mess, and some of early attempts to patch CPUs against Spectre and Meltdown only caused more problems, like random reboots. Well, good news if you an own an older processor—Intel has released another batch of stable microcode updates, this time for Haswell and Broadwell CPUs. The new microcode updates replace some of the ones Intel briefly doled out in January. Intel ended up pulling those initial patches after customers complained of random reboot issues. To Intel's credit, the company responded quickly and identified...
Read more...
Just when you thought the whole Spectre and Meltdown situation could not get any messier, a new report suggests Intel withheld information about the security flaws to US cyber officials, even though it gave some of its hardware partners a heads up before the situation became public knowledge. Intel defends its position, saying it had no knowledge that the vulnerabilities had been exploited. The report essentially echoes an earlier one in which The Wall Street Journal said Intel shared information about Spectre and Meltdown to Chinese firms before the US government. At the time, Jake Williams, head of Rendition Infosec and former NSA employee said it was "near certainty" that the Chinese government...
Read more...
Nobody is happy with the situation surrounding recently disclosed CPU vulnerabilities collectively known as Spectre and Metldown (there are two variants of the former and one of the latter). The anger on the part of consumers has erupted into a series of lawsuits, including at least 32 class-action suits filed against Intel and another four that have been hurled at AMD, with potentially more to come. AMD has perhaps been less of a target because it is not really affected by Meltdown, only Spectre. Be that as it may, AMD has not been immune to legal scrutiny, with four separate class-action lawsuits alleging a series of violations—everything from securities fraud and breach of warranty,...
Read more...
In this episode of HotHardware's Two And A Half Geeks, Marco, Paul and Dave chat about our Top Mechanical Keyboard Roundup, Second Gen Ryzen benchmark leaks, a bevy of Corsair AIO liquid coolers chilling an overclocked Ryzen processor, the latest security issues and updates for Spectre and Meltdown, recent browser exploits, as a pissed-off robot dog! Show Notes: 02:34 - 5-Way Mechanical Keyboard Roundup: Top Decks For Gamers And Enthusiasts 18:04 - AMD Ryzen 5 2600 Pinnacle Ridge Processor Single And Multi-Core Benchmarks Leak 27:21 - AMD Launches Embedded Epyc 3000 And Ryzen V1000 Series Processors To Amplify Zen's Market Reach 34:03 - Corsair AIO Liquid Cooler Round-Up: Ryzen...
Read more...
Intel continues to plug along with microcode updates for its vast stable of processors. Two weeks ago, the company released revised microcode updates with Spectre mitigations that were limited to mainstream Skylake mobile and desktop platforms. This week, the company has expanded the microcode updates to cover Skylake-X and Skylake-SP processors architectures including Core-X, Xeon Scalable and Xeon D. In addition, the new microcode release covers Kaby Lake and Coffee Lake processors that were previously left out. Intel was forced to pull its original microcode updates after it was found that some systems were randomly rebooting. That is definitely not something that consumers will tolerate and...
Read more...
Recently discovered vulnerabilities present in practically every processor manufactured in the past two decades have caused quite the headache, for both companies like Intel and AMD, and end users who have to balance software patches with performance penalties. Just when we thought we could exhale (even if just a little bit), security researchers from Princeton University and NVIDIA have found new ways of exploiting Meltdown and Spectre, and upcoming hardware changes might prove futile to these new methods. The researchers outlined their findings in a paper (PDF) titled "MeldownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols." That's...
Read more...
