Intel processor vulnerability could put millions of PCs at risk

Published 15 August 2018

A newly discovered processor vulnerability could potentially put secure information at risk in any Intel-based PC manufactured since 2008. It could affect users who rely on a digital lockbox feature known as Intel Software Guard Extensions, or SGX, as well as those who utilize common cloud-based services, a new report says.

Researchers at the University of Michigan, the Belgian research group imec-Distrinet, Technion Israel Institute of Technology, the University of Adelaide and Data61 identified the SGX security hole, called Foreshadow, in January and informed Intel. That led Intel to discover its broader potential in the cloud. This second variant, Foreshadow-NG, targets Intel-based virtualization environments that cloud computing providers like Amazon and Microsoft use to create thousands of virtual PCs on a single large server.

Michigan says that Intel has released software and microcode updates to protect against both varieties of attack. Cloud providers will need to install the updates to guard their machines. On an individual level, the owners of every SGX-capable Intel PC manufactured since 2016 will need an update to protect their SGX. Some of these updates will be installed automatically while others will need to be installed manually, depending on how a machine is configured.

To be demonstrated Aug. 16 at the Usenix Security Symposium in Baltimore, the flaw is similar to Spectre and Meltdown, the hardware-based attacks that shook the computer security world in early 2018. Researchers were able to break several security features that are present in most Intel-based machines.

“SGX, virtualization environments and other similar technologies are changing the world by enabling us to use computing resources in new ways, and to put very sensitive data on the cloud—medical records, cryptocurrency, biometric information like fingerprints,” said Ofir Weisse, graduate student research assistant in computer science and engineering at U-M and an author on the paper presented at Usenix. “Those are important goals, but vulnerabilities like this show how important it is to proceed carefully.”

The attacks and their targets
The Software Guard Extensions feature that the Foreshadow demonstration attack targets is not widely used today. Used by just a handful of cloud providers and a few hundred thousand customers, it’s lying dormant on the vast majority of computers equipped