Another data-leaking Spectre CPU flaw among Intel's dirty dozen of security bug alerts today
Chipzilla preps for quarterly public patch updates
Exclusive: Intel will today emit a dozen security alerts for its products – including details of another data-leaking vulnerability within the family of Spectre CPU flaws.
This bundle of disclosures is the start of the processor giant's efforts to move to a quarterly cadence of updates, we understand. Rather than drop surprise alerts onto its security advisory page at irregular intervals, Intel hopes to gradually adopt a routine similar to Microsoft's monthly Patch Tuesday, albeit once every three months.
Urgent security updates will be pushed out in between these quarterly batches. Some fixes may be emitted outside of this quarterly cadence if they are due to be released on a specific date in a coordinated disclosure with other organizations, and that date falls outside Intel's schedule.
Motherboard manufacturers, computer makers, operating system developers, and other Intel partners, will privately get a long heads up before these quarterly updates are made public. For instance, today's patches were shared with manufacturers in March, allowing them to prepare to roll out fixes to customers.
From what we understand, Intel hopes to give folks – from IT administrators to ordinary netizens – time and notice to plan for installing security updates at regular-ish intervals, rather than relying on them to look out for sporadic patches.
Speculative execution continues to haunt
The new Spectre-class side-channel vulnerability in Intel's processors, to be disclosed today, can be exploited in a bounds-check bypass store attack. This means malicious code already running on an Intel-powered computer can potentially extract passwords, cryptographic keys, and other sensitive information, from other running software threads by altering the flow of speculative execution.
Despite the word "store" in the attack, no actual code or data in memory is altered. However, as far as the CPU's speculative execution engine is concerned, function pointers and return addresses are overwritten in the attack, allowing the malicious code to change the CPU's course, and infer the contents of memory that should be out of reach.
This can be done by speculatively overwriting variables and other temporary values, or by speculatively overrunning buffers by tricking the processor into speculatively executing more iterations of a loop than anticipated. Even memory that should be read-only can be speculatively written to in order to potentially perform side-channel extraction of data. Vulnerable code can be as trivial as...
uint8_t buffer[16]; int i;  /* illustrative size: the buffer is smaller than the loop bound, so the stores run past its end */
for (i = 0; i < 256; i++) buffer[i] = *src++;
More technical information on bounds-check bypass store attacks can be found here, in section 2.2.1, and here, in a paper out today by Vladimir Kiriansky and Carl Waldspurger.
The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.
For programmers and compiler writers, this means slipping LFENCE instructions into code, before it reads from memory, to act as a barrier, or clipping array bounds using a bitmask, as described here, in section four.
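To show what index clipping looks like in practice, here is an added example (not code from Intel, The Register or the Kiriansky and Waldspurger paper): a bounds-checked store of the shape that bounds-check bypass store abuses, next to the same store with its index masked so that a speculative execution of it cannot land outside the buffer. The helper names, the 16-byte buffer and the mask construction (modelled on the Linux kernel's array_index_mask_nospec()) are this example's own assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not from Intel, The Register or the paper the text cites.
 * Helper names and the 16-byte buffer are assumptions made for illustration. */

enum { BUF_LEN = 16 };
static uint8_t buf[BUF_LEN];

/* Branch-free mask: SIZE_MAX when idx < len, 0 otherwise. Assumes idx and len
 * have their top bit clear. The OR's top bit is set only when (len - 1 - idx)
 * wrapped, i.e. when idx >= len; shifting that bit down yields 1 or 0, and
 * subtracting 1 turns it into the all-zeros or all-ones mask. */
static size_t index_mask_nospec(size_t idx, size_t len) {
#if defined(__GNUC__)
    __asm__ volatile("" : "+r"(idx));   /* stop the optimizer folding the mask away */
#endif
    size_t out_of_range = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return out_of_range - 1;
}

/* Index as the store will use it: unchanged in range, forced to 0 out of range. */
static size_t clip_index(size_t idx, size_t len) {
    return idx & index_mask_nospec(idx, len);
}

/* Unmitigated: architecturally correct, but on a mispredicted path the CPU may
 * perform buf[idx] = value with idx >= BUF_LEN before the comparison resolves. */
static int store_unmitigated(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) {
        buf[idx] = value;
        return 1;
    }
    return 0;
}

/* Mitigated: the index is bounded by a data dependency rather than by the branch,
 * so even a speculative execution of the store can only reach buf[0..BUF_LEN-1]. */
static int store_clipped(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) {
        buf[clip_index(idx, BUF_LEN)] = value;
        return 1;
    }
    return 0;
}

static uint8_t read_buf(size_t idx) { return buf[idx]; }
```

The masking is only a mitigation for the speculative path; the architectural bounds check stays in place and still decides whether the store is committed.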
The other good news is that there is little or no malware known to be circulating in the wild exploiting Spectre vulnerabilities to steal information: it is far easier for miscreants to persuade people to download and install software nasties disguised as legit applications, trick them with phishing emails, or attack holes in email clients and PDF readers, to commandeer their PCs.
Instead, Spectre, for now, remains a fascinating insight into the world of CPU design, where engineers across the industry trade off a little security for a little more performance.
"As we continue working with industry researchers, partners and academia to protect customers against evolving security threats, we are streamlining security updates and guidance for our industry partners and customers when possible," a spokesperson for Intel told The Register on Tuesday.
"With this in mind, today we are providing mitigation details for a number of potential issues, including a new sub-variant of [Spectre] variant 1 called Bounds Check Bypass Store, for which mitigations or developer guidance have been released.
"More information can be found on our product security page. Protecting our customers' data and ensuring the security of our products is a top priority for Intel."
More than half of today's Chipzilla advisories were the result of research carried out by its own staff, whose minds have been doubly focused on the security of their products following the Meltdown and Spectre disclosures earlier this year. The alerts will cover things from firmware to Intel's flavor of Python. ®