Intel has warned of a new vulnerability in its Core processors that, like Meltdown, involves speculative execution. The leak, which the chipmaker classifies as ‘medium’, discloses information between processes.
He further states that it is possible to carry out the attack from a browser, but that abusing the leak is a lot more difficult than with Meltdown. Percival reportedly needed about five hours to write an exploit after attending a presentation on the subject. Several organizations, including Microsoft, have published advisories. The company writes that the ‘lazy restore’ technique is enabled by default in Windows and cannot be switched off. However, it does not provide information about affected Windows versions and states that this information is still to come. Users of VMs in Azure are not affected.
The Intel warning states that the use of ‘eager fp state restore’ prevents misuse of the leak. The Register notes that this technique has been used in the Linux kernel since 2016, or version 4.9, so recent kernels are not vulnerable. Amazon says in an advisory that its AWS service has not been affected. Systems that run Xen have been affected, but patches are available. Red Hat is also working on patches for RHEL 6 and lower.
Cyberus, one of the companies involved in reporting the leak, writes that the intention was actually to announce the details only in August, but that information had already been published earlier. ZDNet, which spoke with Jon Masters of Red Hat, writes that no microcode patches from Intel are needed to close the leak. Masters states that the leak is ‘difficult to abuse and easy to seal’. There are no indications that Arm or AMD has been affected.