Intel has not been having a good time of it in 2018.
The first half of the year revealed the Spectre and Meltdown chip flaws, that had Intel and its partners scrambling to patch flaws that exposed sensitive data to hackers. Now, there are more.
Intel has just disclosed three new flaws it¡¯s dubbed ¡®Foreshadow¡¯ aka L1 Terminal Fault aka L1TF. They¡¯re composed of three vulnerabilities in the company¡¯s Core and Xeon processor series. The flaws are divided into two variants called Foreshadow and Foreshadow: Next Generation.?
Foreshadow acts against the Intel Software Guard Extension, which was designed specifically to hide and protect select code and user data from changes. Basically, it¡¯s a sort of buffer to prevent someone tampering with your software. While SGX was designed to be be immune to Spectre and Meltdown, the tradeoff appears to be that hackers can use the new Foreshadow flaw to gain access to data in the L1 cache ( smaller and faster memory used by the CPU to expedite accessing memory).
ALSO READ:?Meltdown & Spectre: How To Protect Yourself From The Intel, AMD, ARM Chip Security Exploits
In essence, an SGX enclave is meant to store all your secure data in a vault while running a software. But with Foreshadow, a hacker could access this data by simply creating a ¡°shadow copy¡± of the enclave instead of trying to crack into it.?
Foreshadow Next Generation, meanwhile, is composed of wo vulnerabilities that target virtualised environments used by large cloud computing platforms. A hacker can use these particular flaws to dissolve the boundaries between one client's virtual machine and another in a data center. They can then read then read whatever is in the memory of another user on the same server.
The worst part is that the flaw is entirely Intel¡¯s fault. According to security researchers, the flaws were accidentally built in as Intel focused more on performance than security. They¡¯ve optimised their processors to pre-fetch computing instructions and save processing time. Foreshadow abuses this to also fetch otherwise secure data.
Strangely enough, Intel has announced the existence of Foreshadow, in partnership with Microsoft, Red Hat, and academic researchers, before a patch is even ready. The company justifies that they¡¯ve not seen a real-world usage of this flaw just yet, so they¡¯re not too worried. A temporary patchfix should be available fairly soon, but a real solution will have to wait for the new Cascade Lake chips coming later this year.