Microsoft, Google: We’ve found a fourth variant of Meltdown-Spectre CPU holes
Developing A fourth variant of the data-leaking Meltdown-Spectre security flaws in modern processors has been found by Microsoft and Google researchers.
These speculative-execution design blunders can be potentially exploited by malicious software running on a vulnerable device or computer, or a miscreant logged into the system, to slowly extract secrets, such as passwords, from protected kernel or application memory, depending on the circumstances.
Variants 1 and 2 are known as Spectre (CVE-2017-5753, CVE-2017-5715), and variant 3 is Meltdown (CVE-2017-5754). Today, variant 4 (CVE-2018-3639) will be disclosed by Microsoft and Google researchers. It affects modern out-of-order execution processor cores from Intel, AMD, and Arm, as well as IBM’s Power 8, Power 9, and System z CPUs. Bear in mind, Arm cores are used the world over in smartphones, tablets, and embedded electronics.
Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
The fourth variant can be potentially exploited by script files running within a program – such as JavaScript on a webpage in a browser tab – to lift sensitive information out of other parts of the application – such as personal details from another tab. According to Intel, mitigations already released to the public for variant 1, which is the hardest vulnerability to tackle, should make attacks leveraging variant 4 much more difficult. So far, no known exploit code is circulating in the wild targeting the fourth variant.
“Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” said Leslie Culbertson, Intel’s executive veep of product security.
“In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers.
“Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today.”
According to Culbertson, Intel and others will issue new microcode and software tweaks to counter malware exploiting the fourth variant. These patches are being tested right now by computer and device manufacturers, we’re told. Interestingly, they are disabled by default, presumably because the risk of a successful attack is so low. It’s a tricky hole to fix, but also rather tricky to exploit. Another reason for the off-by-default state could be that Intel has struggled to put out stable Spectre updates in the past.
We need to go deeper: Meltdown and Spectre flaws will force security further down the stack
“To ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates,” the exec said.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.
“This mitigation will be set to off-by-default, providing customers the choice of whether to enable it or not. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2-8 per cent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems.”
Red Hat today published a substantial guide to the fourth variant, its impact, and how it works.
Context switch
We note that, so far, no malware has been seen attacking any of the Spectre and Meltdown holes in today’s chips, including this latest variant, either because mitigations are widely installed making it largely fruitless, or it isn’t worth the effort seeing as there are plenty of privilege-escalation bugs to exploit to get into a kernel and other applications.
This is despite various techniques emerging to exploit the Spectre family of design flaws, such as the ones revealed earlier this month, and twice in March.
Also, to exploit these flaws, malware has to be running on a device, which isn’t always an easy task, unless you can trick a user into installing some bad code. Intel has proposed using graphics processors to scan physical memory for software nasties, such as Spectre-exploiting malware, during idle moments.
For us, these chip-level security bugs are a fascinating insight into the world of semiconductor engineering, where an intense focus on speed left memory protection mechanisms behind the dust. And into the world of operating system and compiler design, where programmers are scrambling to secure kernels and user-mode code for years to come.
Developing… more details to come.
Sponsored: Minds Mastering Machines – Call for papers now open
READ MORE HERE