Even security products have security flaws, and chip researchers just found a big one in Intel’s chips that can be exploited using a technique similar to the one behind the major Spectre and Meltdown flaws disclosed earlier this year.
Wired reported Tuesday that several security researchers plan to present a paper tomorrow at the Usenix conference outlining the flaw they call “Foreshadow,” which they disclosed to Intel shortly after the Spectre and Meltdown flaws surfaced in January. Intel has been working on fixes for the flaws in conjunction with the researchers, operating system developers, and cloud computing companies, and is in the process of rolling out updates that mitigate the problems, it said in a blog post.
Like Spectre and Meltdown, Foreshadow takes advantage of a technique used to improve performance in modern processors called “speculative execution,” in which the chip picks several different possible outcomes of the code it is currently executing, discarding the unneeded code once it figures out the correct path. This one is a little different, and a little scarier, because it targets Intel’s Secure Guard Extensions security technology, which creates a secure area on the chip that isn’t supposed to be accessible by the operating system.
Foreshadow proves that a determined attacker can get into that secure area, and the attack can be launched through malware disguised as a regular application.
If you’re a PC user, you’re almost certainly fine if you apply all the regular updates (the single most important thing you can do to protect your computers, by the way), which are in the process of rolling out. But this flaw again presents problems for cloud companies offering virtualized hardware to their customers, or data center customers running virtualization software on their own servers.
Foreshadow could potentially break down the walls separating applications running in virtual machines on the same server, which, left unattended, could be a huge problem for cloud computing. Of course, it’s not being left unattended; Intel said it has been working with its partners on a fix that could hamper performance — just like the fixes for Spectre and Meltdown did — but that would only be applied in situations where it was needed, as opposed to constantly running.
We’ll see how this plays out, but it sounds like we won’t be totally free of these types of security flaws until Intel updates its chip hardware and companies start cycling out their old servers.