
Another Processor Security Flaw

Intel is arguably one of the most well-known technology manufacturers in the world. They create the CPUs that are in the majority of computers, they’ve laid the foundation for many storage technologies most companies use today, and they’ve had their hand in almost anything computer related over the last several decades. But like any other technology firm, Intel, too, is prone to security problems.

Just a few weeks ago, Intel disclosed another speculative execution side-channel flaw in their processors called “Microarchitectural Data Sampling” or MDS for short. Intel said this affects the majority of their processors, with the exception of their 8th and 9th generation chips. This likely means you have a fair number of systems affected in your business. Intel has assigned a total of four CVE numbers to the flaws:

  • CVE-2018-12126,
  • CVE-2018-12130,
  • CVE-2018-12127, and
  • CVE-2019-11091.

Luckily, if you replace all of your computers on a regular two- or three-year cycle, you may not be affected much, if at all, by this problem.

This is not the first speculative execution style security flaw Intel has had to deal with. Back at the start of 2018, Intel had to deal with two similar security flaws called Spectre and Meltdown. These are flaws that are still large concerns even today, 18 months after their discovery.

What is Speculative Execution?

So, what exactly is this “Speculative Execution” feature of CPUs anyway, and why does it seem so insecure? This may sound a bit farfetched, but “Speculative Execution” is exactly what it sounds like. It’s your CPU attempting to predict the future in order to work faster. Essentially, if the processor knows that your program will request either A or B, it will go ahead and process the result for both, so it knows the answer as soon as the program requests what it wants. This is similar to how you might slow your car down as you approach a green light, in case that light turns red. You are speculating that something may happen, and you prepare for it, just as the CPU speculates something may happen and prepares for it.

This is dangerous because hackers can write malware that takes advantage of this in order to bypass security measures on your system.

In order to understand why these security flaws are so difficult to fix, you must first understand they are not like your typical security flaw in a program. If Microsoft found a security flaw in Windows, they would simply adjust the computer code with a patch to eliminate the flaw. But how do you write a patch to fix the physical layout of how electricity is running inside of your computer processor?

One such way is by disabling the Hyper-Threading feature of your CPU. Intel recommends this as a workaround for those affected by the flaw. We will likely also see firmware and microcode updates released over the coming months to adjust how software interacts with the hardware to mitigate this problem further.

You can check to see if any such updates have been released for your CPU by visiting https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html.
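
On Linux systems, the kernel reports its own view of the MDS mitigations under sysfs, including whether Hyper-Threading (SMT) still leaves the machine exposed. The script below is an added example, not part of the original article or Intel's advisory, that interprets that report. The verdict names and the `classify_mds` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's MDS status line.
# The two paths are the kernel's standard sysfs locations; the verdict
# words printed by classify_mds are hypothetical labels for this example.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# classify_mds "<status line>" prints one verdict:
#   not_affected     CPU is not vulnerable to MDS
#   mitigated        buffer clearing active, SMT disabled or mitigated
#   partial          buffer clearing active, but SMT state is still a risk
#   needs_microcode  kernel attempts clearing, microcode update is missing
#   vulnerable       no mitigation active
#   unknown          line not recognised
classify_mds() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            echo needs_microcode ;;
        Vulnerable*) echo vulnerable ;;
        "Mitigation: Clear CPU buffers"*)
            case "$1" in
                *"SMT disabled"*|*"SMT mitigated"*) echo mitigated ;;
                *) echo partial ;;   # SMT vulnerable or host state unknown
            esac ;;
        *) echo unknown ;;
    esac
}

# report: read the live values when the running kernel exposes them
report() {
    if [ -r "$MDS_FILE" ]; then
        line=$(cat "$MDS_FILE")
        echo "mds: $line -> $(classify_mds "$line")"
    else
        echo "mds: no status file (kernel too old, or not Linux)"
    fi
    if [ -r "$SMT_FILE" ]; then
        echo "smt control: $(cat "$SMT_FILE")"
    fi
}

report
```

A `needs_microcode` verdict means the operating system patch is installed but the CPU firmware update is not, and `partial` means Hyper-Threading is still enabled on an affected CPU.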

Security can be difficult, and oftentimes scary. Sikich can help! If you need assistance reviewing to see if your computers are affected by the MDS flaw, or applying patches as they come out, feel free to contact us at any time!
