‘Kernel memory leaking’ Intel processor design flaw


A fundamental design flaw in Intel’s processor chips related to the virtual memory system (Intel x86-64 hardware) allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.

It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause a 5 to 30 per cent slowdown of your computer after the next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS will also need to be updated.

This is bad news for Intel. Last year they had the AMT remote exploit vulnerability, and now this new blow to Intel security. I don’t think computer buyers like their computers becoming slower!

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.


  1. Tomi Engdahl says:

    Lucian Armasu / Tom’s Hardware:
    Intel revises roadmap for Spectre patches, now does not plan to patch some older chips including Yorkfield (2007), Bloomfield (2008), Intel Atom “SoFIA” (2015) — Updated, 4/4/2018, 7:00am PT: Added Intel’s statement. — Intel hinted in a previous microcode update guidance …

    Intel Will No Longer Issue Spectre Patch For Some Older Chips (Updated)

    Old Chips Forgotten

    Intel announced that Penryn (launched in 2007), Yorkfield (2007), Wolfdale (2007), Bloomfield (2008), Clarksfield (2009), Nehalem-based Jasper Forest (2010), and Intel Atom “SoFIA” (2015) will no longer receive the Spectre patches, as originally promised.

    But What’s The Real Reason?

    It’s no secret that patching Spectre variant 2 wasn’t easy, as we’ve seen both Intel and Microsoft first bungle and then disable patches for this flaw. However, the real reason Intel gave up on patching these systems seems to be that neither motherboard makers nor Microsoft may be willing to update systems sold a decade ago. That’s likely what Intel means by “limited commercially available system software support.”

    Even though Intel develops the microcode update for its own processors, the update can be delivered only through a BIOS or OS update. If neither motherboard manufacturers nor Microsoft are willing to deliver the patches, then there’s not much point for Intel to develop them.

  2. Tomi Engdahl says:

    AMD, Microsoft Release Spectre Patches

    AMD and Microsoft on Tuesday released microcode and operating system updates that should protect users against Spectre attacks.

    When the existence of the Spectre and Meltdown vulnerabilities was brought to light, AMD downplayed their impact on its processors, but the company did promise to release microcode updates and add protections against these types of attacks to its future CPUs.

    Meltdown attacks rely on a vulnerability identified as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). In the case of AMD, the company’s processors are not affected by Meltdown thanks to their design, and Spectre Variant 1 can be addressed with software patches – just like in the case of Intel processors.

    Mitigating Spectre Variant 2 attacks requires a combination of microcode and operating system updates, which AMD and Microsoft released on Tuesday.

    “While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk,” said Mark Papermaster, senior vice president and chief technology officer at AMD.

    Windows 10 updates released by Microsoft on Tuesday include Spectre Variant 2 mitigations for AMD devices. The patches are also expected to become available for Windows Server 2016 after they are validated and tested.

    Microsoft started releasing Spectre patches for devices with AMD processors shortly after the CPU vulnerabilities were disclosed in early January. However, the company was forced to temporarily suspend the updates due to instability issues.

  3. Tomi Engdahl says:

    Detecting Spectre vulnerability exploits with static analysis

    In the last few months, Spectre (CVE-2017-5753 and CVE-2017-5715) has emerged as a new kind of vulnerability. In the interest of helping the development community actively defend against these exploits, the Synopsys Software Integrity Group is releasing a checker that can identify code patterns that are vulnerable to the Spectre attack. We examined what kinds of code Spectre can exploit and how static analysis can help detect them. In this article, we’ll discuss some real-world examples we found and share techniques for mitigating the effects of Spectre.

    First, let’s take a brief look at a couple of concepts necessary to understand the Spectre vulnerability. Readers familiar with the details of the Spectre vulnerability (branch prediction, speculative execution, and cache timing attacks) can skip to the “Using static analysis” section.

  4. Tomi Engdahl says:

    Microsoft Releases More Microcode Patches for Spectre Flaw

    Microsoft this week released another round of software and microcode updates designed to address the CPU vulnerability known as Spectre Variant 2.

    Microsoft has been releasing software mitigations for the Spectre and Meltdown vulnerabilities since January, shortly after researchers disclosed the flaws.

    A new standalone security update (4078407) enables by default the mitigations against Spectre Variant 2 in all supported versions of Windows 10 and Windows Server 2016. Alternatively, advanced users can manually enable these mitigations through registry settings.

    Last month, Microsoft released out-of-band updates for Windows 7 and Windows Server 2008 R2 to address a serious privilege escalation vulnerability introduced by the Meltdown mitigations.

  5. Tomi Engdahl says:

    All Chrome OS Devices Now Protected Against Meltdown

    The latest version of Chrome OS now keeps all devices protected from Meltdown, Google says.

    Available as Chrome OS 66.0.3359.137 (Platform version: 10452.74.0), the new Chrome OS release includes additional patches for the critical processor vulnerability, in addition to various new features and bug fixes.

    The Meltdown attack was disclosed in the beginning of 2018 alongside another critical CPU bug, Spectre. The two attacks are possible because design flaws in Intel, AMD, ARM and other processors allow malicious programs to bypass memory isolation and access sensitive data.

    Google started rolling out Meltdown mitigations in mid-December – before the attacks became public knowledge – pushing a kernel page-table isolation (KPTI/KAISER) patch to roughly 70 Intel-based Chromebook models from Acer, ASUS, Dell, HP, Lenovo, Samsung and others.

    Last month, the company released Chrome OS 65 to make the KPTI mitigation against Meltdown available for additional Intel devices with version 3.14 of the kernel.

  6. Tomi Engdahl says:

    Cache Speculation Side-Channels

    A look at the susceptibility of Arm implementations based upon new attack mechanisms.

  7. Tomi Engdahl says:

    Tech Talk: HW Security

    How to minimize the risk of hardware attacks in the shadow of Meltdown and Spectre.

    Rambus’ Ben Levine explains how to minimize the risk of attacks on chip hardware, why design for security is becoming more critical for connected devices, and strategies for making devices less vulnerable.

  8. Tomi Engdahl says:

    Meltdown Patch in Windows 10 Can Be Bypassed

    A researcher has discovered that a mitigation implemented by Microsoft in Windows 10 for the Meltdown vulnerability can be bypassed. The tech giant says it’s working on an update.

    According to Windows internals expert Alex Ionescu, a Meltdown mitigation in Windows 10 has what he describes as “a fatal flaw.”

    “Calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation,”

  9. Tomi Engdahl says:

    Intel Working on Patches for 8 New Spectre-Like Flaws: Report

    Researchers have discovered a total of eight new Spectre-like vulnerabilities, including flaws that may be more serious and easier to exploit, according to German magazine c’t.

    The flaws were reportedly identified by several research teams, including Google Project Zero, whose employees were among those who initially discovered the Meltdown and Spectre attack methods. C’t, which is owned by Heise, claims it has obtained the information exclusively and confirms the existence of the vulnerabilities and their severity.

    The new vulnerabilities, dubbed “Spectre Next Generation” or “Spectre-NG,” are said to affect processors from Intel and at least some ARM chips. AMD processors are currently being analyzed to determine if they are impacted as well.

    Intel has confirmed that it’s working on patching some vulnerabilities, but it has not provided any details. C’t reports that Intel will release updates in two waves – the first expected in May and the second in August.

    There are currently two main versions of the Spectre vulnerability: variant 1 and variant 2. Variant 1 attacks can be mitigated using software updates, but variant 2 requires microcode updates as well. C’t says Microsoft is also working on mitigations, which indicates that the Spectre-NG flaws require both software and firmware updates.

    “As a point of reference, Spectre v1/v2 were quite difficult to use for the purposes of VM-escape within cloud environments. The details that are available for ‘Spectre-NG’ hint that it’s incredibly easy to use, but we won’t know for sure until we can see what the actual problems are,” Dods added.

    Exclusive: Spectre-NG – Multiple new Intel CPU flaws revealed, several serious

    New flaws and even more patches – “Spectre Next Generation” is just around the corner. According to information exclusively available to c’t, researchers have already found eight new security holes in Intel processors.

    The vulnerabilities known as Spectre and Meltdown shook the IT world to its foundations: researchers proved that there is a fundamental design flaw in all modern processors with serious repercussions for system security (see c’t issue 3/2018). After several patches were released, it seemed everything would be fine after all, although some experts warned that more revelations could follow. But the hope remained that the manufacturers could solve the problem with a few security updates.

    c’t has exclusive information on Spectre-NG, which we have been able to verify in several ways – we double and triple checked all the facts. Nonetheless, we will not publish technical details as long as there is still a chance that manufacturers will get their security updates ready before the details of the flaws become public. However, we will use our information to report about future releases of patches and provide background information.

    Each of the eight vulnerabilities has its own number in the Common Vulnerability Enumerator (CVE) directory and each requires its own patches. It is likely that each vulnerability will receive its own name. Until then, we will jointly call these flaws Spectre-NG in order to distinguish them from the previously uncovered issues.

    More dangerous than Spectre

    Intel itself classifies four of the Spectre-NG vulnerabilities as “high risk”; the remaining four are rated as “medium”. According to our own research, risks and attack scenarios at Spectre-NG are similar to those at Spectre – with one exception.

    One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example.

  10. Tomi Engdahl says:

    ‘Next generation’ flaws found on computer processors: magazine

    Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday.

    The magazine, called c’t, said it was aware of Intel Corp’s plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan’s Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable.

  11. Tomi Engdahl says:

    Intel Working on Patches for 8 New Spectre-Like Flaws: Report

    Researchers have discovered a total of eight new Spectre-like vulnerabilities, including flaws that may be more serious and easier to exploit, according to German magazine c’t.

    The flaws were reportedly identified by several research teams, including Google Project Zero, whose employees were among those who initially discovered the Meltdown and Spectre attack methods. C’t, which is owned by Heise, claims it has obtained the information exclusively and confirms the existence of the vulnerabilities and their severity.

    The new vulnerabilities, dubbed “Spectre Next Generation” or “Spectre-NG,” are said to affect processors from Intel and at least some ARM chips. AMD processors are currently being analyzed to determine if they are impacted as well.

  12. Tomi Engdahl says:

    8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs
    Friday, May 04, 2018 Mohit Kumar

    Intel’s Response to Spectre-NG Flaws

    Nevermind. When asked about the new findings, the chip maker giant provided the following statement, which neither confirms nor denies the existence of the Spectre-NG vulnerabilities:

    “Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chip makers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers.”

    “We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

    Meanwhile, when Heise was asked about the Common Vulnerabilities and Exposures (CVE) numbers reserved for the new Spectre-NG vulnerabilities, the journalist refused to share any details and commented:

    “The CVEs are currently only naked numbers without added value. On the other hand, their publication might have meant a further risk to our sources that we wanted to avoid. That’s why we decided against it at the moment. We will submit the course, of course.”

  13. Tomi Engdahl says:

    Google Releases Additional Meltdown Mitigations for Android

    As part of its May 2018 Android Security Bulletin, Google this week released additional mitigations for the Meltdown attack that impacts microprocessors from Intel, AMD, and other vendors.

    The attack leverages CVE-2017-5754, a security vulnerability that allows applications to bypass memory isolation and read arbitrary kernel memory locations. Meltdown was made public in January 2018 alongside Spectre, an attack residing in speculative execution (leveraging CVE-2017-5753 and CVE-2017-5715).

    In January, Google released protections for both Meltdown and Spectre attacks, and this month delivered additional mitigations as part of the 2018-05-05 security patch level. Impacting Kernel components, the issue was addressed along with CVE-2017-16643, an information disclosure in USB driver.

    “The most severe vulnerability in this section could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” Google notes in an advisory.

    The May 2018 Android Security Bulletin is split into two parts, the first being the 2018-05-01 security patch level, which addresses 7 High severity vulnerabilities in Android runtime, Framework, Media framework, and System.

    The bugs include Information Disclosure, Elevation of Privilege, and Denial of Service and impact Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1 releases.

  14. Tomi Engdahl says:

    Designing Hardware For Security

    Most attacks in the past focused on gaining access to software, but Meltdown and Spectre have changed that forever.

  15. Tomi Engdahl says:

    Vulnerability Note VU#631579
    Hardware debug exception documentation may result in unexpected behavior

    In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS.

  16. Tomi Engdahl says:

    Microsoft, Google: We’ve found a fourth data-leaking Meltdown-Spectre CPU hole
    Design blunder exists in Intel, AMD, Arm, Power processors

    A fourth variant of the data-leaking Meltdown-Spectre security flaws in modern processors has been found by Microsoft and Google researchers.

    These speculative-execution design blunders can be potentially exploited by malicious software running on a vulnerable device or computer.

    Variants 1 and 2 are known as Spectre (CVE-2017-5753, CVE-2017-5715), and variant 3 is Meltdown (CVE-2017-5754). Today, variant 4 (CVE-2018-3639) was disclosed by Microsoft and Google researchers.

    It affects modern out-of-order execution processor cores from Intel, AMD, and Arm, as well as IBM’s Power 8, Power 9, and System z CPUs. Bear in mind, Arm cores are used the world over in smartphones, tablets, and embedded electronics.

    The fourth variant can be potentially exploited by script files running within a program – such as JavaScript on a webpage in a browser tab.

    According to Intel, mitigations already released to the public for variant 1, which is the hardest vulnerability to tackle, should make attacks leveraging variant 4 much more difficult.

    So far, no known exploit code is circulating in the wild targeting the fourth variant.

    Another bug, CVE-2018-3640, was also disclosed: this is a rogue system register read, allowing normal programs to peek at hardware status flags and the like in registers that should only really be accessible by the operating system kernel, drivers, and hypervisors.

    Variant 4 is referred to as a speculative store bypass. It is yet another “wait, why didn’t I think of that?” design oversight in modern out-of-order-execution engineering.

    The name Spectre was chosen deliberately: it is like observing a ghost in the machine. Private data can be discerned by watching the cache being updated by the processor’s speculative execution engine. This speculation is crucial to running chips as fast as possible.

    Intel, Arm, et al response

    “Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” said Leslie Culbertson, Intel’s executive veep of product security.

    “Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today.”

    According to Culbertson, Intel and others will issue new microcode and software tweaks to more fully counter malware exploiting the fourth variant.

    “We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.

    “This mitigation will be set to off-by-default, providing customers the choice of whether to enable it or not. We expect most industry software partners will likewise use the default-off option.

    If enabled, we’ve observed a performance impact of approximately 2-8 per cent.

    Arm will make available to system-on-chip designers updated blueprints for Cortex-A72, Cortex-A73, and Cortex-A75 cores that are resistant to Spectre variant 2, and the Cortex-A75 will be updated to resist Meltdown, aka variant 3.

    Red Hat today published a substantial guide to the fourth variant, its impact, and how it works. VMware also has an advisory and updates, here.

    We note that, so far, no malware has been seen attacking any of the Spectre and Meltdown holes in today’s chips, let alone this latest variant.

    Speculative Store Buffer Bypass in 3 minutes

    Speculative Store Buffer Bypass is a security vulnerability that allows unauthorized users to steal sensitive information through websites. Similar to the Spectre and Meltdown threats in early 2018, it exploits speculative execution, a process most computers use to speed up routine tasks.

  17. Tomi Engdahl says:

    Red Hat today published a substantial guide to the fourth variant, its impact, and how it works.
    VMware also has an advisory and updates, here.

  18. Tomi Engdahl says:

    Tech Firms Coordinate Disclosure of New Meltdown, Spectre Flaws

    Intel, AMD, ARM, IBM, Microsoft and other major tech companies on Monday released updates, mitigations and advisories for two new variants of the speculative execution attack methods known as Meltdown and Spectre.

    In January, researchers from several organizations warned that processors from Intel, AMD, ARM and other companies are affected by vulnerabilities that allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data.

    Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2), while Meltdown attacks are possible due to CVE-2017-5754 (Variant 3). Researchers at Google Project Zero and Microsoft recently identified a new method which they have dubbed Variant 4.

    Variant 4 relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and it has been assigned the identifier CVE-2018-3639. Companies have also shared details on Variant 3a, a Rogue System Register Read issue tracked as CVE-2018-3640. Variant 3a was documented by ARM back in January, but it went largely unnoticed.

    New Meltdown and Spectre variants discovered

    A German magazine reported in early May that Intel and others had been working on patches for several new Spectre flaws dubbed “Spectre-NG.”

    Microsoft is still analyzing its products, but so far it has not identified any code in its software or cloud service infrastructure that allows exploitation of Variant 4. The company says its previous Meltdown and Spectre mitigations should address this variant as well, and noted that “Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.”

    As for Variant 3a, Microsoft says “the mitigation for this vulnerability is exclusively through a microcode/firmware update, and there is no additional Microsoft Windows operating system update.”

    Intel has already developed microcode patches that should address both Variant 3a and Variant 4. Beta versions have been provided to OEMs and operating system vendors

    AMD claims it has not identified any products vulnerable to Variant 3a and any patches for Variant 4 should be expected from Microsoft and Linux distributions.

    The list of other organizations that published advisories and blog posts for Variant 3a and Variant 4 include Red Hat, VMware, Oracle, Cisco, Xen, Ubuntu, Suse, CERT CC and US-CERT.

  19. Tomi Engdahl says:

    Germany calls on chip and hardware makers to tackle processor flaws

    Germany’s federal cyber agency called on chip and hardware-makers to address new vulnerabilities discovered in computer central processing units, but said no complete fix was possible at the moment.

    The BSI agency said its analysis showed the new flaws, dubbed Spectre-Next Generation, resembled the Meltdown and Spectre bugs discovered in January and could allow attackers to access personal data such as passwords and encryption keys.

    While no new attacks were known outside laboratories, there was a risk that attackers could develop new methods based on detailed information that had been disclosed, it added.

  20. Tomi Engdahl says:

    Microsoft, Google find fresh flaw in chips, but risk is low

    The newest chip problem, known as Speculative Store Bypass or “Variant 4” because it’s in the same family as the original group of flaws, was disclosed by security researchers at Microsoft Corp (MSFT.O) and Alphabet Inc’s (GOOGL.O) Google on Monday. Though the flaw affects many chips from Intel Corp(INTC.O), Advanced Micro Devices Inc (AMD.O) and Softbank Group’s (9984.T) ARM Holdings, researchers described the risks as low, partly because of web browser patches already issued earlier this year to address Spectre.

  21. Tomi Engdahl says:

    Microsoft, Google: We’ve found a fourth data-leaking Meltdown-Spectre CPU hole
    Design blunder exists in Intel, AMD, Arm, Power processors

    A fourth variant of the data-leaking Meltdown-Spectre security flaws in modern processors has been found by Microsoft and Google researchers.

    These speculative-execution design blunders can be potentially exploited by malicious software running on a vulnerable device or computer, or a miscreant logged into the system, to slowly extract secrets, such as passwords, from protected kernel or application memory, depending on the circumstances.

    Variants 1 and 2 are known as Spectre (CVE-2017-5753, CVE-2017-5715), and variant 3 is Meltdown (CVE-2017-5754). Today, variant 4 (CVE-2018-3639) was disclosed by Microsoft and Google researchers.

  22. Tomi Engdahl says:

    Google has been using the Strict Site Isolation feature to mitigate the effects of the Meltdown and Spectre flaws. With new Meltdown and Spectre variations revealed last week, the feature is more than welcomed, even if it wasn’t originally developed to deal with CPU bugs.


  23. Tomi Engdahl says:

    Meltdown-Like ‘LazyFP’ Vulnerability Impacts Intel CPUs

    Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system.

    Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. The FPU is used by the operating system when switching between processes – it saves the state of the current process and restores the state of the new process.

    The vulnerability, tracked as CVE-2018-3665, is similar to Meltdown, specifically Variant 3a, but the issue has been assigned only a “medium” severity rating.

    Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG have been credited for finding the vulnerability. Colin Percival has also been credited, but the researcher says he only wrote an exploit for the flaw.

    Cyberus has published a blog post for the LazyFP vulnerability, but it has withheld some details at Intel’s request.

    Intel LazyFP vulnerability: Exploiting lazy FPU state switching

  24. Tomi Engdahl says:

    New ‘Lazy FP State Restore’ Vulnerability Found in All Modern Intel

    Hell Yeah! Another security vulnerability has been discovered in Intel chips that affects the processor’s speculative execution technology, like Spectre and Meltdown, and could potentially be exploited to access sensitive information, including encryption related data.
    - All microprocessors starting with Sandy Bridge are affected by this design blunder
    - the flaw can be fixed by pushing patches for various operating systems without requiring new CPU microcode from Intel.
    - According to Intel, since the flaw is similar to Spectre Variant 3A (Rogue System Register Read), many operating systems and hypervisor software have already addressed it.
    - Microsoft has also published a security advisory, offering guidance for the Lazy FP State Restore vulnerability https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180016
    - Lazy restore is enabled by default in Windows and cannot be disabled; the company is already working on security updates, but they will not be released until the next Patch Tuesday in July.

  25. Tomi Engdahl says:

    Xen Project patches Intel’s Lazy FPU flaw

    Guest register states are readable, but the patch cavalry has arrived

    Xen said the impact of the flaw is as follows:

    An attacker can read x87/MMX/SSE/AVX/AVX-512 register state belonging to another vCPU previously scheduled on the same processor. This can be state belonging to a different guest, or state belonging to a different thread inside the same guest.

    The Register’s virtualization desk has asked VMware if its hypervisors are also affected by Lazy FPU and will update this story if the company has something to say.

    VMware has, however, advised of some disruption to its VMware-on-AWS service

  26. Tomi Engdahl says:

    Torvalds’ post on the new release lauds 4.18’s new features, among them support for AMD GPUs, fixes for Spectre V4 – aka Speculative Store Bypass – on Arm CPUs.

    Source: https://www.theregister.co.uk/2018/06/18/linux_4_18_rc_1_removes_lustre_filesystem/

  27. Tomi Engdahl says:

    Oracle Patches New Spectre, Meltdown Vulnerabilities

    Oracle announced on Friday that it has started releasing software and microcode updates for products affected by the recently disclosed variants of the Spectre and Meltdown vulnerabilities.

    Intel, AMD, ARM, IBM, Microsoft and other major tech companies last month coordinated the disclosure of two new variants of the speculative execution attack methods known as Meltdown and Spectre.

    One of them, dubbed Variant 4, relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and it has been assigned the identifier CVE-2018-3639. The second flaw, tracked as Variant 3a and CVE-2018-3640, is a Rogue System Register Read issue first documented by ARM back in January.

    Variant 4 and Variant 3a have been rated “medium severity” and exploitation requires local access to the targeted system, Eric Maurice, director of security assurance at Oracle, noted in a blog post.

    Maurice says Oracle has released software updates for the Oracle Linux distribution and Oracle VM virtualization products, along with the microcode updates provided by Intel. According to Oracle’s advisory, Variant 4 impacts Oracle Linux versions 6 and 7, and Oracle VM 3.4.

  28. Tomi Engdahl says:

    Window Snyder Joins Intel as Chief Software Security Officer

    Intel on Monday announced that Window Snyder has joined the company’s Software and Services Group as chief software security officer, vice president and general manager of the Intel Platform Security Division.

    Window Snyder joins Intel

    The decision, effective July 9, comes after Intel was forced to rethink its cybersecurity strategy following the disclosure of the Spectre and Meltdown vulnerabilities early this year, and less than one week after the chip giant announced the resignation of Brian Krzanich as CEO and member of the board of directors.

  29. Tomi Engdahl says:

    New WebAssembly Standard May Put Browsers at Risk from Meltdown and Spectre Vulnerabilities

    According to Forcepoint security researcher John Bergbom, the upcoming WebAssembly standard may make some of the browser-level fixes for Meltdown and Spectre useless. WebAssembly (WA or WASM) is a new technology released last year and is currently supported by all major browsers, such as Chrome, Edge, Firefox, and Safari.

    This technology is a binary language that the browser converts to machine code and runs directly on the CPU. Browser manufacturers created WebAssembly to increase the speed and performance of JavaScript code delivery, and they also created a migration path for developers to port code from other high-level languages (such as C, C++, and others) to WASM and then run it in the browser.

  30. Tomi Engdahl says:

    Some Spectre In-Browser Mitigations Can Be Defeated

    Some of the protections against the Spectre CPU vulnerability introduced in modern browsers can be defeated, security researchers revealed this week.

    According to research published by Aleph Security on Tuesday, the company’s researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser’s protected memory.

    The browsers were running a version that received mitigations against such attacks, researchers said.

    Researchers bypass Spectre v1 in-browser protections

    Edge, Chrome, Safari protections defeated

    But Noam Hadad and Jonathan Afek, two security researchers with Aleph Security, said they were able to find a way around the index masking mitigation (1), data timing mitigations (3 & 4) and jittered timer outputs (5).

    The two put together proof-of-concept code —also shared on GitHub— that defeats the above mitigations and retrieves data from a browser’s protected memory —data that a malicious page should not be able to access under normal circumstances.

    Better mitigations needed

    The PoC exfiltrates data at very slow speeds, but researchers did not develop it for offensive purposes. The research only probed the effectiveness of the Spectre in-browser patches.

  31. Tomi Engdahl says:

    Can ARM-based Thin Clients Provide a Secure Alternative to Windows Desktops?

    Do the challenges presented by the disclosure of the Meltdown and Spectre exploits remain locked into the usual bug-patch-repeat dynamic? Do businesses have a choice beyond putting up with PCs slowed by patching the bugs?

    It turns out that there could be a hardware solution that doesn’t demand a massive increase to the hardware budget: ARM-based thin clients on every desktop.

    Security guru Bruce Schneier suggests that these vulnerabilities represent “the future of security – and it doesn’t look good for the defenders… attacks against hardware, as opposed to software, will become more common.”

    Using hardware less susceptible to attack seems a better solution than patching mistakes.

    Inadequate Solutions Call for New Approaches

    Now widely rolled-out, these patches have so far been successful in mitigating the risks of both Spectre and Meltdown’s vulnerabilities. In short, they should now be protected from exploitation. But the solution comes with a cost: speed.

    By tightening up the security holes in the affected CPUs, operating systems have slowed down. In some cases (especially on older CPUs) this reduction in server and PC performance has had frustrating results.

    Not all hardware is affected by these vulnerabilities, however.

    Many current Intel Atom laptops and tablets are immune to the Meltdown and Spectre bugs.

    ARM Computers with Thin Client Support

    Although some ARM-based systems are affected by Meltdown and Spectre, others are not. Many Android smartphones, for instance, require patching. Some models of the Raspberry Pi, on the other hand, do not.

    Back in 2016, desktop virtualization publisher Citrix discussed how the Raspberry Pi 2 could be used as a thin client, noting that “Typical business users don’t care if they have a PC with a 2.0 GHz CPU, or 3.0 or 4.0 as long as it works well and looks good.”

    Significantly, both the Raspberry Pi 2 and 3 models are unaffected by Meltdown and Spectre. Could these devices prove the necessary jumping off point for a new generation of office-ready hardware that doesn’t have the weaknesses of its predecessors?

    At this point, it’s probably worth revisiting Bruce Schneier’s words concerning computer security of the future: “attacks against hardware, as opposed to software, will become more common.” Sooner or later

  32. Tomi Engdahl says:

    Another data-leaking Spectre CPU flaw among Intel’s dirty dozen of security bug alerts today

    Chipzilla preps for quarterly public patch updates

    Exclusive Intel will today emit a dozen security alerts for its products – including details of another data-leaking vulnerability within the family of Spectre CPU flaws.

    Rather than drop surprise alerts onto its security advisory page at irregular intervals, Intel hopes to gradually adopt a routine similar to Microsoft’s monthly Patch Tuesday, albeit once every three months.

    Urgent security updates will be pushed out in between these quarterly batches.

    From what we understand, Intel hopes to give folks – from IT administrators to ordinary netizens – time and notice to plan for installing security updates at regular-ish intervals, rather than relying on them to look out for sporadic patches.

    Speculative execution continues to haunt
    The new Spectre-class side-channel vulnerability in Intel’s processors, to be disclosed today, can be exploited in a bounds-check bypass store attack.

    Function pointers and return addresses are overwritten in the attack, allowing the malicious code to change the CPU’s course, and infer the contents of memory that should be out of reach.

    The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.

    For programmers and compiler writers, this means slipping LFENCE instructions into code, before it reads from memory,

    The other good news is that there is little or no malware known to be circulating in the wild exploiting Spectre vulnerabilities.

    Instead, Spectre, for now, remains a fascinating insight into the world of CPU design, where engineers across the industry trade off a little security for a little more performance.
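The two mitigations that comments 30 and 32 refer to, index masking and an LFENCE before the dependent load, are easiest to see against the bounds-check-bypass gadget they protect. The C below is an added example for this thread, not code from Aleph Security, Intel or The Register: the victim layout, the secret string and the probe table are constructed for illustration, and the mask helper is modelled on the Linux kernel's array_index_mask_nospec() but rewritten with unsigned arithmetic so it is well defined. The in-browser "index masking" mitigation that Aleph's researchers bypassed applies the same idea inside the JavaScript engine's generated code.

```c
/*
 * Spectre v1 (bounds-check bypass) gadget with two mitigations.
 * Added example for this thread, not code from the articles quoted above.
 * The victim layout, the "secret" string and the probe table are constructed.
 */
#include <stddef.h>
#include <stdio.h>

#define PUBLIC_LEN 16

/* Constructed victim memory: attacker-indexable public bytes immediately
 * followed by a secret that must never be read, not even speculatively. */
struct victim_mem {
    unsigned char pub[PUBLIC_LEN];
    char secret[32];
};
static struct victim_mem victim = {
    { 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 },
    "constructed secret value"
};

/* 256-entry table at 64-byte stride (one cache line per entry). Which line a
 * speculative load touches is the side channel that leaks the loaded byte. */
static unsigned char probe_table[256 * 64];

void init_probe_table(void)
{
    for (int i = 0; i < 256; i++)
        probe_table[i * 64] = (unsigned char)i;
}

/* Branchless mask modelled on the Linux kernel's array_index_mask_nospec():
 * ~0UL when index < size, 0 otherwise. Unsigned arithmetic only, so it is
 * well defined; it requires index and size below 2^63. */
unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long oob = (index | (size - 1UL - index)) >> (8 * sizeof(unsigned long) - 1);
    return oob - 1UL;
}

/* Architectural speculation barrier: LFENCE on x86, CSDB on AArch64. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("csdb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory"); /* compiler barrier only; not a speculation barrier */
#endif
}

/* Deliberately vulnerable gadget (the Spectre v1 shape). Architecturally the
 * check holds, but once the predictor is trained with in-bounds indices a
 * mispredicted branch lets the CPU speculatively read victim.pub[idx] past
 * the end of pub[] (into secret) and pull that probe_table line into cache. */
unsigned char gadget_vulnerable(size_t idx)
{
    if (idx < PUBLIC_LEN)
        return probe_table[victim.pub[idx] * 64];
    return 0;
}

/* Mitigation 1: index masking. On the mispredicted path idx collapses to 0,
 * so the speculative load can only ever touch a public byte. */
unsigned char gadget_masked(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        idx &= array_index_mask_nospec(idx, PUBLIC_LEN);
        return probe_table[victim.pub[idx] * 64];
    }
    return 0;
}

/* Mitigation 2: serialise the bounds check before the dependent load, the
 * LFENCE approach comment 32 mentions for programmers and compiler writers. */
unsigned char gadget_fenced(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        speculation_barrier();
        return probe_table[victim.pub[idx] * 64];
    }
    return 0;
}

/* Index the masked gadget would actually dereference for a given idx. */
size_t masked_index(size_t idx)
{
    return idx & array_index_mask_nospec(idx, PUBLIC_LEN);
}

int main(void)
{
    /* The out-of-bounds index an attacker would supply after training. */
    size_t secret_idx = offsetof(struct victim_mem, secret);

    init_probe_table();
    printf("in-bounds idx 3 -> %d (all three gadgets agree)\n", gadget_masked(3));
    printf("attacker idx %zu: masked gadget would read pub[%zu] instead\n",
           secret_idx, masked_index(secret_idx));
    return 0;
}
```

All three gadgets return identical architectural results, which is the point: the difference exists only on the speculative path and is visible only with a cache-timing probe over probe_table, not with a functional test. Call init_probe_table() before using the gadgets.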

  33. Tomi Engdahl says:


    Meltdown and Spectre chip vulnerabilities had all the technobabble and painful misunderstanding you’d expect. But the Senate Committee on Commerce, Science, and Transportation also raised an important practical concern: No one informed the US government about the flaws until they were publicly disclosed at the beginning of January. As a result, the government couldn’t assess the national security implications of or start defending federal systems during the months that researchers and private companies secretly grappled with the crisis.

    “It’s really troubling and concerning that many if not all computers used by the government contain a processor vulnerability that could allow hostile nations to steal key data sets and information,”

    “It’s even more troubling that these processor companies knew about these vulnerabilities for six months before notifying [the Department of Homeland Security].”

    “It’s been reported that Intel informed Chinese companies of the Spectre and Meltdown vulnerabilities before notifying the US government,”

    Since the initial disclosure in January, researchers have discovered multiple other variants of Meltdown and Spectre that chipmakers have worked to patch.

  34. Tomi Engdahl says:

    “Speculative execution is used in microprocessors so that memory can read before the addresses of all prior memory writes are known. This enables an attacker with local user access using a side-channel analysis to gain unauthorized disclosure of information. Since the disclosure of Spectre in January, various variants have consequently been disclosed by researchers – however, these have all targeted the branch predictor unit or cache within the CPU.” – writes Lindsey O’Donnell for Threatpost.


    The most recent Spectre-class flaw targets a component in CPUs called the return stack buffer.

    Researchers have discovered yet another speculative execution side-channel flaw enabling attackers to access sensitive data at the CPU level.

    The new Spectre-class exploit, dubbed SpectreRSB, was detailed by researchers from the University of California at Riverside in a research paper on Friday. While the flaw still targets the process of speculative execution, unlike other variants, it manipulates a new part of the process called the return stack buffer.

    “In this paper, we introduce a new attack vector for Spectre-like attacks that are not prevented by deployed defenses,” researcher Nael Abu-Ghazaleh wrote in the paper.


  35. Tomi Engdahl says:

    New NetSpectre Attack Can Steal CPU Secrets via Network Connections

    Scientists have published a paper today detailing a new Spectre-class CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine.

    This new attack —codenamed NetSpectre

    Spectre attacks, which until now have required the attacker to trick a victim into downloading and running malicious code on his machine, or at least accessing a website that runs malicious JavaScript in the user’s browser.

    But with NetSpectre, an attacker can simply bombard a computer’s network ports and achieve the same results.

    NetSpectre has low exfiltration speeds

    attack’s woefully slow exfiltration speed, which is 15 bits/hour for attacks carried out via a network connection and targeting data stored in the CPU’s cache.

    Academics achieved higher exfiltration speeds —of up to 60 bits/hour

    Nonetheless, both NetSpectre variations are too slow to be considered valuable for an attacker. This makes NetSpectre just a theoretical threat

    Existing mitigations should prevent NetSpectre

    The research paper is named “NetSpectre: Read Arbitrary Memory over Network.”

  36. Tomi Engdahl says:

    Thoughts on NetSpectre

    In this blog post, I’m going to walk through the NetSpectre vulnerability, what this means to our customers, and what Red Hat and other industry partners are doing to address it.

    Please note that based on Red Hat’s understanding, the observed measured maximum leakage rate from successfully exploiting this vulnerability is on the order of 15-60 bits (2-8 bytes) per hour on a local network, much lower over the internet and we do not yet have real-world examples of vulnerable code. Nonetheless, the risk posed by sophisticated attackers capable of deploying Advanced Persistent Threats (APTs) like NetSpectre against sensitive installations is real. But it is important to remember that an attacker will require a very significant amount of time to actually pull off a real-world attack.

  37. Tomi Engdahl says:

    Academics Announce New Protections Against Spectre and Rowhammer Attacks

    Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer.

    Both these fixes are at the software level, meaning they don’t require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

    Spectre v1 fix for Linux

    The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs.

    Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

    “The solution developed at Dartmouth uses ELFbac to securely partition a program’s address space,” researchers said. “This approach ensures that all data and code – including user secrets – are isolated from each other.”

    “The ELFbac policy approach denies access to Spectre and results in processing that is generally more secure,” researchers added.

  38. Tomi Engdahl says:

    Spectre/Meltdown fixes in HPC: Want the bad news or the bad news? It’s slower, say boffins
    MIT Lincoln metalheads broke big iron so you don’t have to… oh, you still have to, don’t you?

    HPC admin? Feeling slighted that all the good Spectre/Meltdown mitigation benchmarks ignore big iron? Fear not, a bunch of MIT boffins are on your side.

    Unfortunately, what they found is that network connections, disk accesses, and computational workloads can all be affected by the fixes, whether in the operating system or the microcode.

    Within a week of the twin bugs being published, performance has been on everyone’s mind – because speculative execution is a long-standing performance feature in microprocessors.

    Amazon almost immediately warned of performance hits, echoed quickly by others in the industry. Intel responded that performance impacts would depend on workload. SolarWinds conducted its own tests on AWS, and Netflix thought the damage could be contained.

  39. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Researchers detail Foreshadow, a speculative execution flaw in secure enclaves on Intel processors, mitigated by May/June microcode fixes, patches coming today

    Spectre-Like Flaw Undermines Intel Processors’ Most Secure Element

    In cybersecurity circles, this has been the year of Spectre and Meltdown, not only because the chip vulnerabilities—first publicly disclosed in January—were so widespread that they’re still being cleaned up, but because they’ve given rise to the discovery of many related flaws. Now, a team of researchers has found a Spectre-like vulnerability that specifically undermines the most secure element of recent Intel chips—and potentially has even broader implications.

    Intel’s Software Guard Extensions feature, known as SGX, allows programs to establish so-called secure enclaves on Intel processors. These are regions of a chip that are cordoned off to run code that the computer’s operating system can’t access or change.

    But a group of researchers, hailing from five academic institutions around the world, found that although SGX can mostly repel Spectre and Meltdown attacks, a related attack can bypass its defenses. They call it Foreshadow.

    Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution

    Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds. Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.

    At a high level, SGX is a new feature in modern Intel CPUs which allows computers to protect users’ data even if the entire system falls under the attacker’s control. While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key.

    Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem.

  40. Tomi Engdahl says:

    Foreshadow: The Sky Is Falling Again for Intel Chips

    How Foreshadow Works

    The Foreshadow attack utilizes speculative execution, a feature of modern CPUs most recently in the news thanks to the Meltdown and Spectre vulnerabilities. The Foreshadow attack reads the contents of memory protected by SGX, allowing an attacker to copy and read back private keys and other personal information. There is a second Foreshadow attack, called Foreshadow-NG, that is capable of reading anything inside a CPU’s L1 cache (effectively anything in memory with a little bit of work), and might also be used to read information stored in other virtual machines running on a third-party cloud. In the worst case scenario, running your own code on an AWS or Azure box could expose data that isn’t yours on the same AWS or Azure box. Additionally, countermeasures to Meltdown and Spectre attacks might be insufficient to protect from Foreshadow-NG.

    The researchers behind the Foreshadow attacks have talked with Intel, and the manufacturer has confirmed Foreshadow affects all SGX-enabled Skylake and Kaby Lake Core processors. Atom processors with SGX support remain unaffected. For the Foreshadow-NG attack, many more processors are affected, including second through eighth generation Core processors, and most Xeons. This is a significant percentage of all Intel CPUs currently deployed. Intel has released a security advisory detailing all the affected CPUs.


  41. Tomi Engdahl says:

    Intel discloses three more chip flaws

    U.S. chipmaker Intel Corp (INTC.O) on Tuesday disclosed three more possible flaws in some of its microprocessors that can be exploited to gain access to certain data from computer memory.

    Its commonly used Core and Xeon processors were among the products that were affected, the company said.

    “We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” the company said in a blog post here

    Protecting Our Customers through the Lifecycle of Security Threats
    Details and Mitigation Information for L1 Terminal Fault

  42. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Researchers detail Foreshadow, a speculative execution flaw in secure enclaves on Intel processors, mitigated by May/June microcode fixes, patches coming today — IN CYBERSECURITY CIRCLES, this has been the year of Spectre and Meltdown, not only because the chip vulnerabilities …

  43. Tomi Engdahl says:

    Foreshadow: New Speculative Execution Flaws Found in Intel CPUs

    Researchers and several major tech companies on Tuesday disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.

    The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), were discovered independently by two research teams, who reported their findings to Intel in January, shortly after the existence of the notorious Spectre and Meltdown vulnerabilities was made public.

    There are three Foreshadow vulnerabilities: CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

    “Each variety of L1TF could potentially allow unauthorized disclosure of information residing in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next,” Intel said.


  44. Tomi Engdahl says:

    Foreshadow/L1TF: What You Need to Know

    The details of three new speculative execution vulnerabilities affecting Intel Xeon and Core processors were disclosed on Tuesday. The flaws have been dubbed Foreshadow and L1 Terminal Fault (L1TF), and patches and mitigations are already available.

    According to Intel, a malicious application installed on the targeted system can deduce data values from the operating system or other apps. Exploitation of the flaws can also allow a malicious guest VM to obtain data in the memory of the virtual machine manager (VMM) or other guest VMs.
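A check a practitioner would run after the patches described in comments 27 (Speculative Store Bypass), 43 and 44 (L1TF): the Linux kernel reports each issue's status as one line under /sys/devices/system/cpu/vulnerabilities/. The C program below is an added example for this thread, not code from the articles, Intel or Red Hat. The file names are the ones the kernel uses; the sample status strings in its comments and tests are constructed in the shape the kernel reports, not captured from any particular machine. It classifies each line and separately flags the L1TF case where the kernel says mitigated but still reports "SMT vulnerable", which is the condition that matters to hypervisor operators.

```c
/*
 * Audit a Linux host's reported speculative-execution status.
 * Added example for this thread, not code from the articles or from Intel.
 * Reads /sys/devices/system/cpu/vulnerabilities/<name> and classifies the
 * kernel's one-line status. Sample strings here are constructed in the
 * shape the kernel reports.
 */
#include <stdio.h>
#include <string.h>

#define SYSFS_VULN_DIR "/sys/devices/system/cpu/vulnerabilities"

enum mitigation_state {
    STATE_UNKNOWN = 0,        /* file absent or wording not recognised */
    STATE_NOT_AFFECTED,
    STATE_MITIGATED,
    STATE_MITIGATED_RESIDUAL, /* mitigated, but the kernel still flags exposure */
    STATE_VULNERABLE
};

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Classify one status line. The kernel leads with "Not affected",
 * "Vulnerable" or "Mitigation:". An L1TF line can read e.g. (constructed)
 * "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
 * when hyperthreading stays on: the host is protected, but a guest on the
 * sibling thread can still leak through the shared L1D. */
enum mitigation_state classify_status(const char *line)
{
    if (starts_with(line, "Not affected"))
        return STATE_NOT_AFFECTED;
    if (starts_with(line, "Vulnerable"))
        return STATE_VULNERABLE;
    if (starts_with(line, "Mitigation:")) {
        if (strstr(line, "vulnerable") || strstr(line, "Vulnerable"))
            return STATE_MITIGATED_RESIDUAL;
        return STATE_MITIGATED;
    }
    return STATE_UNKNOWN;
}

const char *state_name(enum mitigation_state s)
{
    switch (s) {
    case STATE_NOT_AFFECTED:       return "not affected";
    case STATE_MITIGATED:          return "mitigated";
    case STATE_MITIGATED_RESIDUAL: return "mitigated, residual exposure";
    case STATE_VULNERABLE:         return "VULNERABLE";
    default:                       return "unknown";
    }
}

/* Only plain file names are accepted, so a caller-supplied name cannot
 * escape the sysfs directory. */
int is_safe_name(const char *name)
{
    return name[0] != '\0' && strchr(name, '/') == NULL &&
           strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Read one status file into buf, stripping the newline. Returns 0 on success,
 * -1 if the kernel does not expose that file (older kernels, missing backports). */
int read_vulnerability(const char *name, char *buf, size_t buflen)
{
    char path[256];
    FILE *f;

    if (!is_safe_name(name))
        return -1;
    if (snprintf(path, sizeof path, SYSFS_VULN_DIR "/%s", name) >= (int)sizeof path)
        return -1;
    f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)buflen, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    /* File names the kernel uses as of the L1TF disclosure. */
    static const char *const files[] = {
        "meltdown", "spectre_v1", "spectre_v2", "spec_store_bypass", "l1tf"
    };
    char line[256];

    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        if (read_vulnerability(files[i], line, sizeof line) == 0)
            printf("%-18s %-30s %s\n", files[i], state_name(classify_status(line)), line);
        else
            printf("%-18s not reported by this kernel\n", files[i]);
    }
    return 0;
}
```

A missing file is reported rather than treated as "not affected": a kernel that predates the relevant patch cannot tell you it is vulnerable, so absence is itself a finding when auditing a fleet.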

