A new global vulnerability of Intel chips has been discovered with the help of Australian research.
Cyber security is a major concern of the digital age, not only for defence and big business but also the broader public. Protecting us m potential cyber attacks increasingly means anticipating potential vulnerabilities, requiring continuous research to stay ahead of potential flaws as these become evermore complex.
This year we had already Spectre and Meltdown, major threats to modern microprocessors that use a feature called speculative execution, which is a sophisticated way to speed up processing performance.
Essentially, with speculative execution the computer allocates some of its resources to speculating which tasks may be needed in the execution of a program, and then to confirm or discard them again.
However, after Spectre and Meltdown the feature is again involved in a cyber security risk discovered independently by two international teams of academics and industry specialists, including Dr Yuval Yarum from CSIRO's Data61 and the University of Adelaide.
Called Foreshadow, the vulnerability exploits another new feature of Intel chips called Software Guard Extension (SGX) that is actually meant to help protect user data. These are placed in a secure area of the computer's memory to which its operating system can't get access to.
The idea is that the data remains secure even after after an attack has taken over the host system.
However, Foreshadow highlights that through the speculative execution process it is possible to extract sensitive information, such as fingerprints used in biometric authentication, from the SGX protected memory.
Being informed of the vulnerability, Intel has since discovered a variant of Foreshadow called Foreshadow-NG, which affects nearly all Intel servers used in cloud computing, and potentially bypasses earlier fixes against the Spectre and Meltdown vulnerability.
According to Dr Yarum, the discovery of the Foreshadow-NG variant is even more severe than Foreshadow "but will require further research to gauge the full impact of the vulnerability."
Intel has now released patches, updates and guidelines to resolve both Foreshadow and Foreshadow-NG.