Intel has been scarred by another major security glitch that takes advantage of the same technology behind the Meltdown and Spectre vulnerabilities. The new set of vulnerabilities, labeled Foreshadow, allows passwords and other confidential information to be swiped from memory caches in Intel’s processors.
On Tuesday, the Santa Clara, California-based company said it had released microcode to protect potentially vulnerable devices in personal computers and data centers. The company said that the changes, coupled with new updates for operating systems and hypervisor software made available on Tuesday, would protect most customers.
“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” said Leslie Culbertson, Intel’s head of product security, in a statement. “This includes keeping systems up-to-date and taking steps to prevent malware.”
Foreshadow, like Meltdown and Spectre, is possible because of speculative execution, which is used in high-performance chips to boost software speeds. It involves loading computing instructions ahead of knowing whether they are required. The hardware cheats, snooping into the small pool of memory within each processor and making guesses on what happens next. The new vulnerability targets the L1 cache inside Intel processors.
Guessing correctly means a running start for the processor, while guessing incorrectly leads to the information being thrown out. With Foreshadow, code trespassing inside the processor can fool the operating system into loading passwords, encryption keys and other secrets stashed in memory before the cache is emptied. Then the software can steal them.
“Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low,” said Culbertson, adding that the software lessens the threat to the majority of servers installed in data centers and most personal computers. “In these cases, we haven’t seen any meaningful performance impact,” she said.
Intel said that customers should take additional precautions against another version of the vulnerability that could bypass the protections in servers running applications on virtual machines in the cloud. That includes turning down multithreading in some cases, which could put the squeeze on performance. "For these specific cases, performance or resource utilization on some specific workloads may be affected and varies accordingly," said Culbertson.
The threat adds to Intel’s challenge of rebuilding goodwill with customers in the aftermath of the Meltdown and Spectre vulnerabilities, which stunned the semiconductor industry and touched many of the world’s computer chips. The company, which is currently trying to replace former chief executive Brian Krzanich, has faced harsh criticism for mishandling the release of software patches that reduced performance as an aftereffect.
Culbertson said that Intel’s next generation of server chips, Cascade Lake, to be released before the end of the year, were overhauled to protect against Meltdown, Spectre and Foreshadow. The company said that the changes would limit the performance losses. That could also get customers to start paying for new hardware, which would boost revenue ahead of Advanced Micro Devices putting out rival products for data centers.