
New Speculative Execution Vulnerability in Intel Processors May Expose Encrypted Data

Intel processors have again caught the attention of cyber-security researchers in a negative way. A group of computer experts from Germany reported this week the discovery of another vulnerability that affects the company's chips and concerns the save/restore functionality for applications. Luckily, this time the issue seems minor and patches are already on the way.

Unlike Spectre, which is also a side-channel security vulnerability and which has still not been completely resolved, the new flaw can be fixed through patches in the operating system. Red Hat also claims the issue has moderate security impact and does not require microcode updates. The open-source software company is already working on a patch, and the problem will probably soon also be fixed at the Linux kernel level. Intel is, of course, aware of the issue as well, while Apple and Microsoft are likely to be developing their own solutions at this time, with patches being released as soon as possible.

The researchers have dubbed the new vulnerability "lazy floating-point state restore," whereas officially the bug is known as CVE-2018-3665. Intel has come out with a description of the flaw, although the details are still scarce. According to the company, the Lazy FP state restore technique can be used by some system software to "delay the restoring of state until an instruction operating on that state is actually executed by the new process." Thus, the Lazy FP state restore could potentially allow a local process to infer data from another process by creating a speculative execution side channel in systems which use processors based on the Intel Core technology.

The "lazy restore" function for floating point state is used by many microprocessors when saving and restoring the state of applications in the internal memory when the user switches from one app to another. It is believed that this function improves the overall performance of the system.
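The difference between lazy and eager restore can be shown with a toy model. This is an added example, not kernel or Intel code; the struct and function names are hypothetical, and the `ts` flag stands in for the x86 CR0.TS bit that makes the first floating-point instruction trap.

```c
/* Toy model of lazy vs. eager FP state switching (added example, hypothetical names). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NREGS 4
struct task { double saved_fp[NREGS]; };   /* per-task save area in memory */
struct cpu {
    double fpregs[NREGS];    /* physical FP register file */
    struct task *fp_owner;   /* task whose values are in fpregs */
    struct task *current;    /* task now running */
    bool ts;                 /* models CR0.TS: next FP instruction traps */
};

static void fp_save(struct cpu *c) {
    if (c->fp_owner) memcpy(c->fp_owner->saved_fp, c->fpregs, sizeof c->fpregs);
}
static void fp_restore(struct cpu *c, struct task *t) {
    memcpy(c->fpregs, t->saved_fp, sizeof c->fpregs);
    c->fp_owner = t;
    c->ts = false;
}
/* Lazy: only flag the FPU as unavailable; registers keep the old task's data. */
void switch_lazy(struct cpu *c, struct task *next) {
    c->current = next;
    c->ts = (c->fp_owner != next);
}
/* Eager: save and restore at switch time, so no foreign state is left behind. */
void switch_eager(struct cpu *c, struct task *next) {
    fp_save(c);
    c->current = next;
    fp_restore(c, next);
}
/* First FP instruction after a lazy switch: the trap handler swaps state. */
void fp_write(struct cpu *c, int reg, double v) {
    if (c->ts) { fp_save(c); fp_restore(c, c->current); }
    c->fpregs[reg] = v;
}
/* True while the register file still holds another task's values. */
bool foreign_state_resident(const struct cpu *c) {
    return c->fp_owner != NULL && c->fp_owner != c->current;
}

int main(void) {
    struct task a = {{0}}, b = {{0}};
    struct cpu c = {{0}, NULL, NULL, false};
    switch_eager(&c, &a); fp_write(&c, 0, 42.0);   /* task a loads a value */
    switch_lazy(&c, &b);                           /* a's value stays in fpregs */
    printf("foreign=%d reg0=%g\n", foreign_state_resident(&c), c.fpregs[0]);
    return 0;
}
```

In the model, the window between `switch_lazy` and the first `fp_write` is the period in which another process's register contents remain on the CPU; `switch_eager` closes that window, which is why the fix can be made in the operating system.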

Fixing this newly discovered vulnerability seems highly important, as all processors starting with Sandy Bridge are affected by the security bug. The information available on the flaw also suggests that the Lazy FP state restore bug could be exploited to access sensitive information, and encrypted data in particular, which is worrying for the majority of computer users out there. The good news in this case is that the vulnerability concerns only Intel processors, whereas AMD chips seem unaffected. Users should make sure they have installed the latest updates for their operating system in order to avoid any data exposure resulting from this new lazy FP state restore bug.
