Intel releases fix for latest chip security flaws

Businesses and consumers are advised to download security updates from Intel for new security flaws that could allow attackers to access protected data, but some cloud providers could see a performance impact.

Intel has released firmware and software updates to mitigate newly discovered security flaws in all the company’s processors produced since 2015.

This is the third major security vulnerability in Intel processors to be discovered this year, after Meltdown and Spectre in January.

The chipmaker developed the security update after researchers reported a new attack, dubbed Foreshadow, which uses techniques similar to the Meltdown attack discovered seven months ago.

Intel discovered two further related flaws after the Foreshadow attack was reported by researchers at the universities of Leuven, Adelaide and Michigan.

According to Intel, the Foreshadow attack is a speculative execution side-channel method that affects select microprocessor products supporting Intel Software Guard Extensions (SGX).

A successful exploitation of the vulnerability would allow attackers to access any data, such as encryption keys, stored in protected enclaves in memory created using SGX.

Researchers at Ohio State University reported a Spectre-like attack in March that could expose the contents of secure enclaves, but Intel said existing mitigations for Spectre and Meltdown, in conjunction with an updated software development toolkit for SGX application providers, would block the attack.

“Intel is committed to product and customer security and to coordinated disclosure. We worked closely with other technology companies, operating system and hypervisor software vendors, developing an industry-wide approach to mitigate these issues promptly and constructively,” the company said.

Intel has advised users and systems administrators to check with their hardware and software suppliers for available updates and apply them as soon as practical, but said it was not aware of any of these methods having been used in real-world exploits.

A full list of affected hardware and other information related to the newly discovered flaws has been posted on Intel’s website.

According to the chipmaker, the design of future processors will be altered to eliminate the vulnerability exploited by Foreshadow and related attack methods.

Disabling processor features

The Intel security updates, aimed at mitigating Foreshadow and related attacks, work by disabling some of the features in vulnerable processors.

Intel said there would be “no meaningful” performance impact for the majority of PCs with non-virtualised operating systems, nor for many datacentre workloads with non-virtualised environments or where it can be guaranteed that all virtualised guest operating systems have been updated.

However, the company said performance might be affected on some datacentre workloads where it cannot be guaranteed that all virtualised guest operating systems have been updated.

This means that some companies running cloud computing platforms could see a performance impact of up to 30%, but Amazon, Google and Microsoft have all announced they have applied the updates.

Details of Foreshadow and the related attacks have been made public only now, although the updates have been available since May, and it is unknown how widely they have been applied, according to the Financial Times.
