'Foreshadow' attack affects Intel chips

  • Published
Intel logoImage source, Getty Images
Image caption,
The flaw affects chips made from 2015, but will be fixed in future models, Intel said

Researchers have found another serious security flaw in computer chips designed by Intel.

Nicknamed Foreshadow, this is the third significant flaw to affect the company’s chips this year.

The US government’s body for computer security said “an attacker could exploit this vulnerability to obtain sensitive information”.

Intel has released a patch which mitigates the problem, which affects processors released from 2015 onwards.

A full list of affected hardware has been posted on Intel's website.

"We are not aware of reports that any of these methods have been used in real-world exploits,” the firm said.

“But this further underscores the need for everyone to adhere to security best practices.”

It said future processors would be built in such a way as to not be affected by Foreshadow. News of the vulnerability followed two similar attacks - Spectre and Meltdown - that were discovered earlier this year. Collectively the flaws affected billions of computers around the world.

'Lock box'

Foreshadow was discovered by collaborative work by researchers from KU Leuven university in Belgium, the Technion-Israel Institute of Technology, and others from the universities of Adelaide and Michigan. After Intel was made aware of the attack, the chip firm then discovered two more related weaknesses.

"What our attack does is it uses techniques that are very similar to the Meltdown attacks from six months ago,” explained Prof Thomas Wenisch from the University of Michigan.

"But we discovered we could specifically target a lock box within Intel’s processors. It would let you leak any data you want out of these secure enclaves."

Intel had created its fix prior to details of the flaw being made public, and coordinated its response with the researchers on Tuesday. Its fix disables some of the features in its chips that were vulnerable to the attack the researchers discovered.

Companies running cloud computing platforms could see a significant hit to their collective computing power, as Intel's mitigation limits the extent to which the same processor can be used simultaneously for multiple tasks. On Tuesday, however, the biggest cloud services companies - Amazon, Google and Microsoft - all said they had put in place a fix for the problem.

Individual computer users are advised, as ever, to download and install any software updates available. The research team told the BBC it was unlikely that individuals would see any performance impact.

Intel’s stock was marginally down in after-hours trading on Tuesday.