(Image courtesy of Intel).

New Security Vulnerability Casts Shadow Over Intel

Aug. 17, 2018

Intel has been scarred by another major security glitch that takes advantage of the same technology behind the Meltdown and Spectre vulnerabilities. The new set of vulnerabilities, labeled Foreshadow, allows passwords and other confidential information to be swiped from memory caches in Intel’s processors.

On Tuesday, the Santa Clara, California-based company said it had released microcode to protect potentially vulnerable devices in personal computers and data centers. The company said that the changes, coupled with new updates for operating systems and hypervisor software made available on Tuesday, would protect most customers.

“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” said Leslie Culbertson, Intel’s head of product security, in a statement. “This includes keeping systems up-to-date and taking steps to prevent malware.”

Foreshadow, like Meltdown and Spectre, is possible because of speculative execution, which is used in high-performance chips to boost software speeds. It involves loading computing instructions ahead of knowing whether they are required. The hardware cheats, snooping into the small pool of memory within each processor and making guesses on what happens next. The new vulnerability targets the L1 cache inside Intel processors.

Guessing correctly means a running start for the processor, while guessing incorrectly leads to the information being thrown out. With Foreshadow, code trespassing inside the processor can fool the operating system into loading passwords, encryption keys and other secrets stashed in memory before the cache is emptied. Then the software can steal them.

“Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low,” said Culbertson, adding that the software lessens the threat to the majority of servers installed in data centers and most personal computers. “In these cases, we haven’t seen any meaningful performance impact,” she said.

Intel said that customers should take additional precautions against another version of the vulnerability that could bypass the protections in servers running applications on virtual machines in the cloud. That includes turning down multithreading in some cases, which could put the squeeze on performance. “For these specific cases, performance or resource utilization on some specific workloads may be affected and varies accordingly,” said Culbertson.

The threat adds to Intel’s challenge of rebuilding goodwill with customers in the aftermath of the Meltdown and Spectre vulnerabilities, which stunned the semiconductor industry and touched many of the world’s computer chips. The company, which is currently trying to replace former chief executive Brian Krzanich, has faced harsh criticism for mishandling the release of software patches that reduced performance as an aftereffect.

Culbertson said that Intel’s next generation of server chips, Cascade Lake, to be released before the end of the year, was overhauled to protect against Meltdown, Spectre and Foreshadow. The company said that the changes would limit the performance losses. That could also get customers to start paying for new hardware, which would boost revenue ahead of Advanced Micro Devices putting out rival products for data centers.
