It’s been almost two years since the Spectre and Meltdown vulnerabilities affecting Intel processors and some other chips were revealed. Since then, Intel has released a number of security patches meant to mitigate the effect of those vulnerabilities, and the chip maker says its latest processors include hardware-based mitigations.
But similar vulnerabilities keep popping up, and there’s mounting evidence that the issue isn’t going to be easy to fix without completely redesigning the way modern processors work.
This week security researchers revealed a set of previously undisclosed vulnerabilities affecting Intel chips — and also pointed out that some of Intel’s previous “fixes” didn’t address all known issues at the time.
The researchers say that when Intel released a set of mitigations in May 2019 to address the RIDL vulnerability, the update was only a partial fix. Computers with the latest security updates were still exposed to certain types of known vulnerabilities, which could allow an attacker to access protected data.
Intel had asked the team to hold off on disclosing the vulnerability until security patches were available — but after finding that Intel continued to claim that its latest updates were adequate, this week the researchers decided to call out Intel for over-promising the effectiveness of its security updates.
At issue are side-channel attacks that take advantage of a chip feature called speculative execution. In a nutshell, many modern processors make an educated guess about some of the things they’re going to need to do, and do them ahead of time… even before you explicitly ask them to do that work. Side-channel attacks allow an attacker to access data that’s being processed or stored in this way.
One solution is to simply disable speculative execution altogether. But that would have a dramatic impact on performance in some situations — effectively erasing years of progress in making computer processors work more quickly.
So rather than address the root causes, Intel has been working on patches to address specific side-channel vulnerabilities as they’re discovered or disclosed. If that seems like an uphill battle, that’s because it is… and there’s always the chance that some black hat hackers will discover a vulnerability that Intel isn’t aware of and exploit it before a patch can be made available.
So maybe insecurity is the new normal.