Intel Has a New Speculative Execution Issue: Foreshadow
The Meltdown and Spectre vulnerabilities revealed earlier this year showed how the quest to make CPUs run faster inadvertently introduced serious security vulnerabilities that could be used to access sensitive data. Now, researchers have unveiled a new attack called Foreshadow that builds on those speculative execution flaws, affecting millions of Intel processors made over the past five years. It's particularly dangerous because Foreshadow can be triggered from the user space and does not require a privileged attacker with root access.
The vulnerability has been kept under wraps since January as Intel has developed mitigations. Intel also found two variants of the Foreshadow attack, one of which could affect cloud-computing environments. While Foreshadow is serious, Intel says it expects its impact on consumers and enterprises in non-virtualized environments to be low. The chip manufacturer has issued microcode fixes all three variations of the vulnerability, two of which it believes have been sufficiently mitigated.
Intel, operating system and hypervisor vendors have issued update to mitigate the CVE-2018-3646 aspect of Foreshadow, but Intel says in some cases, more defensive steps may need to be taken.