Spectre reloaded: New Intel ‘Foreshadow’ vulnerabilities open the door to hackers
Intel Corp. today revealed details on three new vulnerabilities in its chips that are somewhat like Spectre, the set of security holes revealed early this year in most computer chips manufactured in the last 20 years.
The new vulnerabilities, formally called L1 Terminal Fault but known as Foreshadow, target speculative execution. As the name somewhat suggests, the feature involves the chip predicting the possible outcomes of code it is in the process of executing.
But in a new twist, Foreshadow works via the Software Guard Extensions (SGX) in Intel chips. The problem affects select microprocessor products supporting Intel SGX and comes in three different forms afflicting different kinds of processing. Attackers could potentially target that speculative data because SGX, which is meant to protect access to it, doesn’t do so all the time.
Explaining the vulnerabilities and why they matter, Tod Beardsley, research director at Rapid7 Inc., told SiliconANGLE that Foreshadow should be of particular interest to enterprises running virtual computers in shared hosting environments.
“Customers of this kind of cloud computing service should keep an eye out for communications from their hosting providers, which will tell them if they need to do anything special with their guest operating system,” Beardsley said. “In many cases, hosting providers already provide a reasonable mitigation by ensuring that virtual machines run by different customers are isolated from each other, and don’t intermingle different processes on the same CPU core.”
Although virtual machine users likely need to update their own guest operating systems, he said they should be rolling out security patches routinely anyway. “If you’re a VM customer and haven’t yet heard anything from your provider, a call to their tech support is in order to make sure they’re aware of the issue, since the host operating systems need to be updated as well,” he advised.
Intel had already started distributing fixes and is working with developers such as Microsoft Corp. to issue patches today. Cloud providers such as Google LLC, Amazon Web Services Inc. and Microsoft also said they’ve deployed mitigations to their infrastructure.
In any case, home users have little to be concerned about. “These speculative execution bugs are pretty exotic, and unlikely to be used against individual end users anytime soon,” Beardsley said. “Cryptojacking and ransom-based malware are still pretty effective mechanisms that criminals employ to extract money out of victims, so they don’t need to go to the trouble of setting up and executing a complicated attack using Foreshadow.”