The biggest news out of the tech world early this year was the discovery of massive chip vulnerabilities that affect almost every computer, smartphone, tablet and laptop that utilizes a modern processor from manufacturers like Intel, AMD and ARM.
The security issues, known as Meltdown and Spectre, are probably the worst bugs found in processors ever and they might fundamentally change how chips will be designed moving forward.
But if those aren’t scary enough, it looks like another critical processor flaw has been discovered.
Read and learn why this new weakness is as bad as Spectre and Meltdown.
Foreshadow – the newest chip flaw
Security researchers have discovered another flaw in Intel chips and like Spectre, this one can allow attackers to read and steal sensitive information by exploiting a process called “speculative execution.”
Intel confirmed that the flaw, dubbed as Foreshadow, affects its chip security technology called Software Guard Extensions (SGX). This tech has been implemented in new Intel chips since 2015, including Skylake and Kaby Lake processor chips.
The company said it was first informed of the Foreshadow flaw by two sets of researchers in January 2018. Its own researchers confirmed the findings and they also found additional variants that affected SGX-enabled chips that run virtual machines. (These flaws are documented as CVE-2018-3620 and CVE-2018-3646.)
This is definitely bad news for vendors and software developers who are still currently struggling to patch the older Spectre and Meltdown flaws.
Speculative execution: the heart of these flaws
Like Meltdown and Spectre. Foreshadow also exploits a process called “speculative execution,” a capability built into every modern processor.
This process makes chips faster by allowing them to predict what tasks your gadget may need and execute them beforehand whether you actually need a task or not. If a task is not needed, then it is discarded.
Due to how data is being cached in these areas, hackers can then read and steal sensitive information such as passwords, encryption keys, login info and even files. Anything cached is fair game.
Ironically, Intel’s SGX tech is actually designed to prevent speculative execution exploits but the security researchers found a way to circumvent the protection and create an exact copy of the SGX’s secure buffer (known as the enclave) at an exposed area of a processor’s memory where an attacker can access it.
The worst part is that since this process is being used as a core optimization technique by all modern chips, all these processor flaws will potentially change everything and it will require a redesign of how chips work.
Affected Intel chips
Here is a list of processors that are known to be vulnerable to the Foreshadow flaw. If you have an Intel system that’s after late 2015, you are most likely affected:
- Intel Core i3/i5/i7/M processor (45nm and 32nm)
- 2nd/3rd/4th/5th/6th/7th/8th generation Intel Core processors
- Intel Core X-series Processor Family for Intel X99 and X299 platforms
- Intel Xeon processor 3400/3600/5500/5600/6500/7500 series
- Intel Xeon Processor E3 v1/v2/v3/v4/v5/v6 Family
- Intel Xeon Processor E5 v1/v2/v3/v4 Family
- Intel Xeon Processor E7 v1/v2/v3/v4 Family
- Intel Xeon Processor Scalable Family
- Intel Xeon Processor D (1500, 2100)
Patch your system to protect yourself
Fortunately, similar to the Spectre and Meltdown flaws, the Foreshadow vulnerability is difficult to execute so large-scale attacks are still not imminent right now.
And although the Foreshadow flaw was just recently revealed, Intel already issued firmware patches to vulnerable systems earlier this year. The company is also releasing updated patches on Tuesday.
Recent operating system updates from Microsoft also have patches to protect Windows systems against it. As usual, make sure you grab the latest updates for your system as soon as you can.
And don’t forget – Always follow computer safety basics
Aside from keeping your gadgets updated with the latest software, following basic computer safety practices should protect you from these threats.
Since these flaws still require malicious code to execute on your computer or gadget, avoid clicking on unknown links and attachments on emails and refrain from installing software and apps from unofficial sources.
Finally, as bad as these flaws look, there’s actually no real reason to panic.