Details of the first of the second wave of Spectre-style vulnerabilities in Intel processors has been published earlier than expected, with the "LazyFP" vulnerability potentially allowing an attacker to access sensitive data, such as cryptographic keys.
Part of a secondary collection of processor vulnerabilities discovered following the Spectre and Meltdown disclosures, LazyFP (CVE-2018-3665) was originally found by researchers working for Amazon and Cyberus Technology earlier this year. As part of the process of responsible disclosure, details of the flaw were provided to Intel and other related firms, with a release to the public scheduled after a defined period of time had taken place.
In May, it was reported Intel had successfully negotiated with researchers to delay the release by a few weeks, but wanted to push it further back, potentially until July. According to Cyberus, the embargo was set to lift in August, but rumors of the vulnerability forced an earlier disclosure, possibly to try and pressure Intel and other vendors to work faster in creating and implementing a solution.
While the LazyFP whitepaper explaining the issue is being withheld, following a request by Intel, some details about how the vulnerability works have been issued.
LazyFP centers around the use and abuse of the Floating Point Unit (FPU), and associated registers in the processor. To enable multitasking, the FPU needs to be able to store its state in order to switch between tasks.
Using what is described by Intel as a "Lazy FP state restore technique," the restoration of an FPU's state can be delayed until an instruction operating on it is executed by a new process. "Eager FPU switching" saves the state on a context switch without any delay, whereas the "lazy" version is an optimized way that accounts for processes that don't use the FPU all the time.
While the details of the attack are not explained, it is suggested it is based on the manipulation of the FPU and how it holds data while the Lazy FP technique is used.
According to Intel's advisory report on the vulnerability, it has a severity rating of "moderate," and is described as affecting "Intel Core-based microprocessors," but not specific models. There is also no mention of which operating systems are affected by the vulnerability.
In a statement to AppleInsider, Intel said the "Lazy FP state restore" is similar to Variant 3a and has already been addressed for "many years" in client and data center products.
"Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks," Intel said. "We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well."
It is unknown if Apple has been affected by the flaw, but as all current Macs and MacBooks use Intel processors and have done for a number of years, it is still plausible. Apple usually posts details about the vulnerabilities it fixes in its software on its security updates page, but there doesn't appear to be a reference to the latest disclosure as of yet.
Revealed in January, the Meltdown and Spectre chip flaws in Intel and ARM-based processors allowed the creation of a number of exploits in systems using the components. All Mac and iOS devices were found to be affected by the issue, but Apple advised at the time it had already mitigated the issues for current operating system versions, and was working to develop other fixes.
The more recent batch of eight similar security flaws were found to be caused by the same design-related issue, and includes four classified by Intel as "high risk." While seven of the eight are thought to have the same impact as Spectre, the eighth is thought to be a greater threat against enterprise systems, in being able to allow attackers to exploit a virtual machine to attack the host.
Updated with statement from Intel.