A new vulnerability found in the newest Intel processors
The "Spectre" vulnerability that impacts literally every Intel chip made over the last decade keeps finding new ways to make the news. In this instance, researchers at Ohio State University have discovered a new variant of the vulnerability that they have dubbed "SGX Spectre." To understand how it's different, a bit of explanation is in order.
SGX stands for "Software Guard eXtensions," and is a feature only found in the latest Intel processors. It allows applications to create "data enclaves," which are hardware-isolated portions of a CPU's processing memory. The purpose of such enclaves is to give applications a secure space to run operations that deal with especially sensitive data, like passwords and encryption keys.
The new Spectre patches are powerless
The original Spectre and Meltdown vulnerabilities were unable to extract any data from SGX enclaves, but SGX Spectre can. Even worse, the recent Spectre patches will do nothing to prevent it.
Intel has announced that on March 16, it will release an update for its SGX SDK that adds SGX Spectre mitigations. App developers will need to integrate the update into their SGX-capable apps and issues an update to all users.
The research team had this to say about the recent discovery:
"SgxPectre Attacks can completely compromise the confidentiality of SGX enclaves. Because vulnerable code patterns exist...and are difficult to be eliminated, the adversary could perform SgxPectre Attacks against any enclave programs.
Because there are vulnerable code patterns inside the SDK runtime libraries, any code developed with Intel's official SGX SDK will be impacted by the attacks. It doesn't matter how the enclave program is implemented."
Our persepctive
In addition to the discovery of SGX Spectre, the research team discovered new variations of the original security flaws, which they have dubbed MeltdownPrime and SpectrePrime, respectively. Needless to say, more patches will be forthcoming.
Thanks for reading this post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available at dwpia on LinkedIn, at dwpia on Facebook, and @dwpia on Twitter.
Denis S Wilson
I am President and Principal Consultant for DWP Information Architects: specializing in managed IT support for smaller, fast-growth companies in Greater Los Angeles. And have created cost-effective IT solutions, including managed IT support systems, for small business for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with organizations that include: the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers. As well as providing small business technology education programs to business and professional associations.
Check out this blog post
"Cyber Security Check List That Will Underscore Your Potential Business Risks"
