Intel CPUs affected by speculative execution vulnerability

The flaw is present in all Intel generations after the first generation of Intel Core

A speculative execution vulnerability (dubbed Spoiler) has been found in several
generations of Intel CPUs, report network security and ethical hacking
specialists from the International Institute of Cyber Security. The flaw could
be exploited by malicious JavaScript running in a web browser tab, by malware,
or by an unauthorized user to extract sensitive information from victims, such
as passwords, access credentials and other data held in memory.

According to network security experts, attackers would require a foothold to
exploit the vulnerability, and correcting it would require substantial
hardware-level modifications.

It should be mentioned that speculative execution, which allows processors to
assume that a condition will be true or false and later keep or discard the
results, is what allowed the Spectre variants to emerge early in 2018. Network
security specialists from various research centers recently presented a
document showing a new way of abusing this CPU performance optimization.

Experts found that a weakness in the memory subsystem of Intel processors can
leak data about memory layout, facilitating the deployment of other attack
variants, such as the well-known Rowhammer. Experts commented that ARM and AMD
processors were also examined, although no evidence of similar behavior was
found.

“Exploiting the Spoiler vulnerability requires only a small set of instructions
and is present in all Intel generations after the launch of Core processors,
regardless of the operating system; it can even affect machines and sandbox
environments,” experts say.

In the research, experts point out that this problem is independent of the
Spectre variants, so the existing mitigations for Spectre will not reduce the
risk of Spoiler being exploited.

The Spoiler vulnerability could facilitate existing attacks, such as Rowhammer,
and will leave the door open for JavaScript attacks; “The attack time could go
from taking days to just a few seconds”, the investigators say. In addition,
possible mitigations might take time to arrive, as chip architecture-level
corrections are needed, and experts anticipate that such corrections would
affect performance.

Intel was notified of the vulnerability at the
end of last year. However, because the company has not made any statements
about it, the researchers decided to publicly disclose the vulnerability
report.
