Microsoft quietly patched a Spectre-style vulnerability in Intel chips that could expose user data

In brief: It seems that Spectre and Meltdown are still haunting Microsoft. The company last month silently pushed out an update that mitigated a "serious security flaw in Intel processors" made since 2012.

As with Spectre and Meltdown, the vulnerability takes advantage of speculative execution, a function that anticipates and executes instructions before any commands are received, thereby increasing CPU performance.

Researchers from security firm Bitdefender discovered and reported the newly disclosed side-channel attack to Intel 12 months ago. Attackers could use it to steal data from the system kernel, potentially exposing encryption keys, passwords, session tokens, private chats, and more.

Intel dismissed the initial report of the issue, saying it already knew of the vulnerability and had no plans to fix it, but Bitdefender provided a proof-of-concept attack that showed how it could be exploited and the flaw was disclosed at the Black Hat security conference yesterday. It exploits the SWAPGS kernel-level instruction set, which was introduced with Ivy Bridge processors back in 2012.

Additionally, the SWAPGS vulnerability (tracked as CVE-2019-1125) allows attackers to avoid kernel page table isolation, which is used to mitigate against speculative-execution flaws such as Meltdown and Spectre.

"To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application," Microsoft explained, in their advisory. "The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further."

Microsoft patched the vulnerability in July's Patch Tuesday updates. Ars Technica reports that the fix works by changing how the CPU speculatively accesses memory, and it doesn't require a microcode update from computer manufacturers.

"We're aware of this industry-wide issue and have been working closely with affected chip manufacturers and industry partners to develop and test mitigations to protect our customers. We released security updates in July, and customers who have Windows Update enabled and applied the security updates are protected automatically," wrote a Microsoft rep.

While Red Hat said both Intel and AMD chips were affected by the vulnerability, Bitdefender said the two AMD processors they tested did not exhibit speculative behavior for the SWAPGS instruction.

AMD gave the following statement:

AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.

Bitdefender director of threat research and reporting, Bogdan Botezatu, told Ars that the most likely scenario for exploitation would be a state-sponsored attack on a cloud service as it could affect multiple virtual machines running on the same CPU.

"Don't think of this as the next big tool to exploit ransomware or regular malware, because it doesn't go like that. A side-channel attack is time consuming and it requires hours to pluck information from the CPU. For a cyber criminal trying to get their hands on quick information, there's phishing," Botezatu explained.

"But for a state-sponsored threat actor, targeting a high profile organisation, this thing is gold. Because they have all the time in the world to make guesses and this kind of attack doesn't leave an any forensic traces on computers," he added.