Spectre reloaded: New Intel ‘Foreshadow’ vulnerabilities open the door to hackers
Intel Corp. today revealed details on three new vulnerabilities in its chips that are somewhat like Spectre, the set of security holes revealed early this year in most computer chips manufactured in the last 20 years.
The new vulnerabilities, formally called L1 Terminal Fault but known as Foreshadow, target speculative execution. As the name somewhat suggests, the feature involves the chip predicting possible outcomes of code it is in the process of executing.
But in a new twist, Foreshadow does its thing via the Software Guard Extensions in Intel chips. The problem affects select microprocessor products supporting Intel SGX and comes in three different forms afflicting different kinds of processing. The vulnerability involves hackers potentially targeting that speculative data: SGX is meant to protect access to that data but, because of an issue in it, doesn’t do so all the time.
Explaining the vulnerabilities and why they matter, Tod Beardsley, research director at Rapid7 Inc., told SiliconANGLE that Foreshadow should be of particular interest to enterprises running virtual computers in shared hosting environments.
“Customers of this kind of cloud computing service should keep an eye out for communications from their hosting providers, which will tell them if they need to do anything special with their guest operating system,” Beardsley said. “In many cases, hosting providers already provide a reasonable mitigation by ensuring that virtual machines run by different customers are isolated from each other, and don’t intermingle different processes on the same CPU core.”
Although virtual machine users likely need to update their own guest operating systems, he said they should be rolling out security patches routinely anyway. “If you’re a VM customer and haven’t yet heard anything from your provider, a call to their tech support is in order to make sure they’re aware of the issue, since the host operating systems need to be updated as well,” he advised.
Intel had already started distributing fixes and is working with developers such as Microsoft Corp. to issue patches today. Cloud providers such as Google LLC, Amazon Web Services Inc. and Microsoft also said they’ve deployed mitigations to their infrastructure.
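For readers who want to confirm the state of a Linux guest or host after patching, the following is an added example and not part of the original article. It assumes a Linux kernel that reports L1 Terminal Fault status in /sys/devices/system/cpu/vulnerabilities/l1tf; the sample lines are constructed in the format the kernel uses for that file.

```python
"""Classify the Linux kernel's L1TF (Foreshadow) status line."""
import re
from pathlib import Path

# Assumption: the running kernel exposes L1TF status at this sysfs path.
L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"

# Constructed sample lines, written in the kernel's format for this file.
SAMPLES = [
    "Not affected",
    "Mitigation: PTE Inversion",
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "Mitigation: PTE Inversion; VMX: vulnerable",
    "Vulnerable",
]

def parse_l1tf(line):
    """Split a status line into OS-level state and hypervisor-level findings."""
    line = line.strip()
    result = {"raw": line, "os": "unknown", "vmx": None, "smt": None, "findings": []}
    if line == "Not affected":
        result["os"] = "not_affected"
        return result
    if line.startswith("Mitigation:"):
        result["os"] = "mitigated"
    elif line.startswith("Vulnerable"):
        result["os"] = "vulnerable"
        result["findings"].append("kernel reports no L1TF mitigation: update the OS")
    else:
        result["findings"].append("unrecognised status line")
    # The VMX part is appended when KVM/VMX is enabled on an affected CPU;
    # the SMT field is not always present, so it is optional here.
    m = re.search(r"VMX: ([^,]+)(?:, SMT (\w+))?", line)
    if m:
        result["vmx"], result["smt"] = m.group(1), m.group(2)
        if result["vmx"] == "vulnerable":
            result["findings"].append("VM entry is not protected by an L1D cache flush")
        if result["smt"] == "vulnerable":
            result["findings"].append("SMT is on: sibling threads share a core's L1 cache")
    return result

def check_host(path=L1TF_PATH):
    """Return the parsed status, or None if the kernel does not report it."""
    try:
        return parse_l1tf(Path(path).read_text())
    except OSError:
        return None

if __name__ == "__main__":
    host = check_host()
    for line in SAMPLES + ([host["raw"]] if host else []):
        r = parse_l1tf(line)
        print(f"{r['os']:<12} {line!r} -> {r['findings'] or 'ok'}")
```

A result of None from check_host() means the kernel predates L1TF reporting, which is itself a sign the operating system has not been updated.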
In any case, home users have little to be concerned about. “These speculative execution bugs are pretty exotic, and unlikely to be used against individual end users anytime soon,” Beardsley said. “Cryptojacking and ransom-based malware are still pretty effective mechanisms that criminals employ to extract money out of victims, so they don’t need to go to the trouble of setting up and executing a complicated attack using Foreshadow.”