
Intel chip flaw: Math unit may spill crypto secrets from apps to malware

Nasties on Cores, Xeons may lift computations, mitigations in place or coming


Updated A security flaw within Intel Core and Xeon processors can be potentially exploited to swipe sensitive data from the chips' math processing units.

Malware or malicious logged-in users can attempt to leverage this design blunder to steal the inputs and results of computations performed in private by other software.

These numbers, held in FPU registers, could potentially be used to discern parts of cryptographic keys being used to secure data in the system. For example, Intel's AES encryption and decryption instructions use FPU registers to hold keys.

In short, the security hole could be used to extract or guess at secret encryption keys within other programs, in certain circumstances, according to people familiar with the engineering mishap.

Modern versions of Linux – from kernel version 4.9, released in 2016, and later – as well as the latest spins of OpenBSD and DragonflyBSD are not affected by this flaw (CVE-2018-3665).

Windows Server 2008 is among the operating systems that will need to be patched, we understand, and fixes for affected Microsoft and non-Microsoft kernels are on their way. The Linux kernel team is back-porting mitigations to pre-4.9 kernels.

Essentially, hold tight, and wait for patches to land for your Intel-powered machines, if they are vulnerable. CVE-2018-3665 isn't the end of the world: malicious software has to be already running on your system to attempt to exploit it, and even then, it can only lift out crumbs at a time.
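As an added triage helper, not code from the article, Intel, or any kernel or distro vendor, the following Python encodes the facts stated above: mainline Linux 4.9 and later no longer use lazy FPU restore, while older kernels depend on a back-ported fix. For pre-4.9 kernels it also looks for the `eagerfpu=on` boot parameter, which on those kernels forced eager state switching; that parameter and its meaning are drawn from the old kernel documentation and are an assumption here, not something the article states. The function names and result labels are this example's own.

```python
"""Kernel-version triage for the lazy FPU restore issue (CVE-2018-3665).

Added example, not from the article or any vendor advisory. Rules used:
  * kernel 4.9 or later           -> lazy mode is gone, not affected
  * older kernel, eagerfpu=on set -> eager switching forced (assumption:
                                     old kernel-parameters documentation)
  * any other older kernel        -> the distro may have back-ported the
                                     fix; confirm against the vendor advisory
"""
import os
import re
from typing import Tuple

NOT_AFFECTED = "not-affected"             # kernel has no lazy mode at all
EAGER_FORCED = "eager-forced-by-cmdline"  # old kernel, eagerfpu=on on the command line
VERIFY = "verify-vendor-backport"         # distro may have back-ported; check the advisory


def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '4.4.0-131-generic' into (4, 4, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def lazy_fpu_triage(release: str, cmdline: str = "") -> str:
    """Classify a host from its kernel release string and boot command line."""
    if parse_release(release) >= (4, 9, 0):
        return NOT_AFFECTED
    if re.search(r"(^|\s)eagerfpu=on(\s|$)", cmdline):
        return EAGER_FORCED
    return VERIFY


def triage_host() -> str:
    """Run the classification against the live host (Linux only)."""
    release = os.uname().release
    try:
        with open("/proc/cmdline") as f:
            cmdline = f.read()
    except OSError:
        cmdline = ""
    return lazy_fpu_triage(release, cmdline)


if __name__ == "__main__":
    # Constructed sample inputs alongside the live host result.
    print("4.4.0-131-generic        ->", lazy_fpu_triage("4.4.0-131-generic"))
    print("3.10.0-862.el7.x86_64    ->", lazy_fpu_triage("3.10.0-862.el7.x86_64"))
    print("4.9.0-8-amd64            ->", lazy_fpu_triage("4.9.0-8-amd64"))
    print("this host                ->", triage_host())
```

A result of `verify-vendor-backport` is deliberately not a verdict of "vulnerable": Red Hat's statement below says most RHEL 7 hosts on their 3.10 kernels need no action, so the version check alone cannot decide for distro kernels, and the vendor advisory has to settle it.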

It is yet another complex, speculative-execution-related processor design flaw that is fascinating for industry watchers, an annoyance for some kernel programmers, and another thing for sysadmins and folks to patch for. There are worse bugs, a whole lot worse, in your word processor, PDF reader, or web browser, probably.

The brown exploit jumps over the lazy coprocessor

The security shortcoming involves what's known as lazy FPU state restore. Operating system kernels would only save and restore the floating-point unit (FPU) registers, and other context information, when programs were actually using the math unit.

It emerged today that, thanks to a security gaffe in Intel's blueprints related to Spectre-Meltdown Variant 3A, this lazy approach allows a program to obtain scraps of the FPU context of another app. Variant 3A allows applications to read system registers that only privileged code should be allowed to peek at.

The fix is to employ a mechanism called eager FPU state restore. These mitigations do not carry a performance hit – in fact, eager state switching can increase performance.
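To make the lazy-versus-eager distinction concrete, here is an added toy model in Python. It is not code from the article, Intel, or any operating system kernel, and it models only the scheduling policy described above: under lazy restore the kernel leaves the previous task's FPU registers in place and arms a trap (CR0.TS on real x86, so that the next FPU instruction raises #NM) and restores the right state only when that trap fires; under eager restore the registers are swapped at every context switch. The "transient read" in the model simply stands for a read that the pending trap does not stop, which is the property the article says speculative execution provides; the register values, task names and method names are all constructed for the illustration.

```python
"""Toy model of lazy vs. eager FPU context switching (added illustration,
not kernel code). Shows why eager restore closes the window: with lazy
restore the register file still physically holds the previous task's data
after a switch, and only the architectural (retired) read is guarded by the
#NM trap."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed "secret" held in the victim's FPU registers, standing in for
# key material such as the AES round keys the article mentions.
VICTIM_SECRET = [0xDE, 0xAD, 0xBE, 0xEF]


@dataclass
class Task:
    name: str
    saved_fpu: List[int]             # FPU state as last saved by the kernel


@dataclass
class CPU:
    fpu_regs: List[int] = field(default_factory=lambda: [0] * 4)
    fpu_owner: Optional[str] = None  # whose state is physically in the registers
    fpu_trap_armed: bool = False     # models CR0.TS: the next FPU op takes #NM
    current: Optional[Task] = None

    def switch_to(self, task: Task, eager: bool) -> None:
        """Context switch. Eager: restore now. Lazy: leave the registers alone
        and arm the trap so the first real FPU use by `task` restores them."""
        if self.current is not None and self.fpu_owner == self.current.name:
            self.current.saved_fpu = list(self.fpu_regs)  # save outgoing live state
        self.current = task
        if eager:
            self._restore_current()
        else:
            self.fpu_trap_armed = True

    def _restore_current(self) -> None:
        self.fpu_regs = list(self.current.saved_fpu)
        self.fpu_owner = self.current.name
        self.fpu_trap_armed = False

    def fpu_read(self, idx: int) -> int:
        """Architectural read: the #NM trap fires first, so a task only ever
        retires a read of its own state."""
        if self.fpu_trap_armed:
            self._restore_current()
        return self.fpu_regs[idx]

    def fpu_read_transient(self, idx: int) -> int:
        """Models a speculative read that the pending trap does not stop: it
        observes whatever is physically in the register file."""
        return self.fpu_regs[idx]


def simulate(eager: bool) -> Dict[str, object]:
    """Run victim-then-other under one policy and report what each read sees."""
    cpu = CPU()
    victim = Task("victim", list(VICTIM_SECRET))
    other = Task("other", [0, 0, 0, 0])

    cpu.switch_to(victim, eager)
    victim_sees = cpu.fpu_read(0)           # victim computes with its own state

    cpu.switch_to(other, eager)             # scheduler moves to the other task
    transient = cpu.fpu_read_transient(0)   # what a transient read would observe
    architectural = cpu.fpu_read(0)         # what the task can actually retire

    return {
        "victim": victim_sees,
        "transient": transient,
        "architectural": architectural,
        "leaked": transient == VICTIM_SECRET[0],
    }


if __name__ == "__main__":
    for eager in (False, True):
        print("eager" if eager else "lazy ", simulate(eager))
```

Under the lazy policy the other task's architectural read still returns its own zeroed state, which is why lazy restore was considered correct for years; only the transient read sees the victim's bytes. Under the eager policy both reads return the other task's own state, which is the whole of the fix and why it costs nothing more than a register save and restore per switch.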

Intel is due to release an advisory with more details after 2pm PT (2100 UTC). It had planned to go live on June 27, however disclosure was brought forward to today after the OpenBSD and DragonflyBSD projects earlier this week published their patches to mitigate this issue – thus forcing the situation onto the world stage. The BSD teams went ahead after Intel declined to work with them under embargo and instead stuck to larger operating system vendors and makers.

A spokesperson for the American semiconductor giant told The Register today that it was alerted to the flaw by various researchers working independently, including one at Amazon:

This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks.

We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.

Intel considers the threat to be moderate. Google told us its systems are secured against this lazy FPU state restore cockup. Spokespeople for Amazon and Microsoft were not available for comment. ®

Updated to add

Red Hat has more technical details, here. RHEL 5, 6, and 7, and Enterprise MRG 2 not running kernel-alt are vulnerable. In a statement to The Register, the Linux vendor clarified that this is a potential task-to-task theft of information:

Red Hat has been made aware of an issue where operating systems and virtual machines running on common modern (x86) microprocessors may elect to use “lazy restore” for floating point state when context switching between application processes instead of “eagerly” saving and restoring this state.

Exploitation of lazy floating point restore could allow an attacker to obtain information about the activity of other applications, including encryption operations. The underlying vulnerability affects CPU speculative execution similar to other recent side channel vulnerabilities.

In this latest vulnerability, one process is able to read the floating point registers of other processes being lazily restored. Red Hat’s mitigations are in various stages of availability via software (kernel) patches and configuration changes as described below.

Mitigations will not require microcode updates. In most cases, Red Hat Enterprise Linux 7 customers will not need to take action, while other users may need to apply software updates.

Amazon Web Services said it is protected. Intel's advisory is also now live, here.

"System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch," the x86 goliath explained.

"Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value."

There is, right now, no known exploit code circulating in the wild targeting this security vulnerability, we're told. One of the research outfits named above, Cyberus, has an advisory and background, here.

Final update

It was believed modern Microsoft Windows releases were immune to this bug: they are not, so get patching.

Additional reporting by Shaun Nichols.
