[ad_1]
A hot potato: In a security advisory, Intel has revealed today that new vulnerabilities have been discovered in its processors. This new batch of CPU faults is another type of speculative exploitation of Fallout, RIDL and ZombieLoad. As discussed, in a post-spectrum computing world, more and more of these defects will appear and, as the evidence suggests, there is no need to slow them down.
We have come to learn more about speculative execution since the discovery of the first flaws of Meltdown and Specter. The performance enhancement feature found in modern CPU architectures allows the CPU to process the data before it is actually requested by a program or a user. The advantage is that the processor can simultaneously process more data instead of remaining idle if resources are available. In trying to predict a result, CPUs can perform certain tasks in advance, which greatly speeds up system performance.
What no one foresaw was, however, that speculative execution would open the door to many indescribable vulnerabilities that can not be solved immediately but can be mitigated. According to RIDL (Rogue In-Flight Data Load) and the Fallout Information Web site (see also, ZombieLoad), these new vulnerabilities allow hackers to flee confidential data by exploiting MDS secondary channel vulnerabilities (Microarchitect Data Sampling) in Intel processors. Unlike earlier vulnerabilities of the Meltdown, Specter and Foreshadow processor, leaks do not occur at the processor cache, but target arbitrary flight data from internal CPU buffers. Qualcomm and AMD processors are not affected by these defects.
In terms of practical use, security researchers claim that an attack could be launched using malicious JavaScript in a web page or from a co-located virtual machine in the cloud, allowing them to disclose confidential data on your system, such as passwords or cryptographic keys. These would require some level of local (unprivileged) access, but it is not an excuse to take the flaws lightly.
Intel is naturally more reserved about reporting the severity of faults. In this case, it seems that they have already identified the flaws internally and that Intel's security researchers are actively working to reduce emissions. "The hands-on operation of MDS is a very complex undertaking – MDS itself does not provide an attacker with a way of choosing the data that is disclosed."
According to Intel, the defects of MDS have been corrected in the hardware on to select 8th and 9th generation processors and 2nd generation Intel Xeon processors. Older hardware (7th generation and under) will receive updates from the processor microcode (which we know takes time to make available to the end user), in addition to updates at the same time. operating system and hypervisor software.
Regarding the potential impact on performance, Intel states that "when these measures are enabled, minimal performance impacts are expected for the majority of performance tests based on PC client applications. Use of resources on some datacenter workloads may be affected and vary accordingly. " The analysis of Intel's internal benchmark data shows that data center and storage-sensitive workloads are the most likely to be affected.
There is some conflicting information about hyper-threading, with some researchers suggesting that it should be completely disabled on Core processors from the previous generation. Google's Chrome OS 74 disables Hyper-Threading by default and should provide additional mitigation measures in the next release. Intel is not so resolved about it, stating that it does not recommend disabling HT, but users who "can not guarantee that secure software will run on their system" can consider disabling it. Again, who can fully guarantee your web browser and every website you visit is completely secure.
Another contradictory piece of information concerns affected processors, with Intel claiming that 9th-generation Core processors are clear, while Fallout's fault group says Intel's "hardware countermeasures in Coffee Lake processors Refresh i9 to prevent Meltdown more vulnerable to Fallout, compared to the hardware of the previous generation. "
Major OEMs and software vendors have been aware of these vulnerabilities for some time and have published or are in the process of posting patches. Microsoft has released software updates to help mitigate these vulnerabilities, although the full universe of hardware is not yet covered, depending on the availability of relevant microcode updates. The Amazon AWS cloud service has already been fixed. Apple has released a security patch for macOS Mojave, which fixes most Mac and MacBook related issues. Google has confirmed that almost no Android device is affected (mainly based on SoC ARM), but Chromebooks have already been fixed with mitigation measures.
As with previous processor issues, it is necessary to install operating system updates, software and firmware / microcode.
[ad_2]
Source link