A new security vulnerability has been found in Intel’s family of Core processors, along similar lines of the major Spectre bug that has been making headlines all year. Thankfully, this one appears to be less severe – and is already patched in modern versions of Windows and Linux.
The freshly-discovered hole is known as the ‘Lazy FP state restore’ bug, and like Spectre, it is a speculative execution side channel attack. Just a few weeks back, we were told to expect further spins on speculative execution attack vectors, and it seems this is one.
Intel explains: “Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel.”
What that means is theoretically the flaw can be exploited to pilfer data from running applications, and worryingly, that potentially includes encryption operations, as ZDNet reports. All Intel Core chips are vulnerable regardless of the platform they’re running on.
The good news is that severity of this attack is only rated as ‘moderate’ by Intel, as it’s tricky to exploit, and also easy to fix. Indeed, modern versions of both Windows and Linux – that includes Windows 10 and Windows Server 2016, and any Linux distro which employs the Linux 4.9 kernel or better – are believed to be safe from this vulnerability already.
OpenBSD and DragonflyBSD are also bulletproof, plus a fix has already been issued for FreeBSD.
Windows 2008 Server users, however, will need to install a patch to protect themselves. And despite this not being rated as a critical vulnerability, you’ll certainly want to get things patched as soon as possible.
As we’ve already mentioned, there are likely to be more of these speculative execution side channel attacks discovered, and 2018 is set to be a lively year on the security front, to say the least.