‘Foreshadow’ could wreak havoc on the cloud
More flaws found in Intel chips could let hackers access sensitive information in computers or in the cloud.
Researchers found a vulnerability in January and reported it to Intel. The Silicon Valley chip giant then found two related flaws, and on Tuesday announced that it is releasing patches for the flaws, which are similar to Spectre and Meltdown. Those earlier flaws, disclosed at the beginning of the year, affected most computers around the world.
The newly disclosed flaws, dubbed Foreshadow and Foreshadow-NG, were discovered in Intel’s Core and Xeon processors released after 2015, and could affect computers running virtualization technology on the same third-party cloud. Cloud-service providers Amazon, Microsoft, Google, Oracle and VMware on Tuesday outlined steps they’re taking to address the issue.
Intel said in a statement through a spokeswoman Wednesday that the flaws were “addressed by microcode updates released earlier this year, coupled with corresponding updates to operating system and hypervisor software” that are rolling out now.
The company also said the risk to computers not running virtualized operating systems is low, and that the flaw is hard to exploit.
“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, said in a blog post.
But Yuval Yarom, one of the researchers who discovered the flaw, told Wired that Foreshadow “is not an attack on a particular user, it’s an attack on infrastructure.”
The researchers are from KU Leuven University in Belgium, the University of Adelaide in Australia and the University of Michigan. They are scheduled to present their findings Wednesday at a security conference in Baltimore.
Intel and the researchers are urging computer users to download security updates to keep on top of the patches being released.
AMD said Tuesday that its chips are not vulnerable to the Foreshadow flaw.
Intel’s list of all affected chips can be found on its website. The company’s shares closed Wednesday down by about 1.4 percent at $47.46.