After Spectre and Meltdown, a brand new security vulnerability – called Spoiler – has been discovered. This vulnerability was discovered by the Worcester Polytechnic Institute and the University of Lübeck and affects all Intel CPUs (from 1st generation Core CPUs to the latest ones).
According to the report, Worcester Polytechnic Institute and the University of Lübeck have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes.
“The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments.
The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available,” said Moghimi. “Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other micro architectural attacks.”
What’s really important here is that according to the researchers, and unlike Spectre, a solution via a software update is virtually impossible. As such, Intel will have to adjust its CPU architecture in order to prevent this new security vulnerability.
Last but not least, Spoiler affects only Intel’s CPUs and not AMD’s CPUs. All of AMD’s CPUs are safe and are not affected by this new security vulneratiblity.
Kudos to our reader “Metal Messiah” for bringing this to our attention!
An Intel spokesperson got in touch with us and shared the following statement about Spoiler.
“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”