Microsoft and selected Linux distribution maintainers have released patches for a new Spectre Variant 1 vulnerability, dubbed SWAPGS, which allows for information disclosure even on a system running the existing Spectre security patches.
First publicly announced back in January last year, the Spectre family of vulnerabilities - related to, but separate from, Meltdown, which was specific to Intel processors - exploits hardware-based speculative execution functionality in modern processors. Added to improve performance by carrying out likely future instructions before they are actually requested, speculative execution opened a side-channel attack whereby malicious code can monitor certain aspects - typically the time it takes for selected permitted operations to complete - to infer the contents of otherwise-protected memory, capturing everything from passwords to encryption keys.
Spectre Variant 1 was patched soon after the public disclosure, though not without incident, and while various other Spectre variants have been discovered in the months since it was believed that the patch was sufficient to protect a system against Variant 1 exploitation - until the discovery of SWAPGS.
Communicated to operating system vendors by Intel, after its discovery and private disclosure by Bitdefender's Andrei Lutas, SWAPGS tweaks Spectre Variant 1 to allow for successful information disclosure even on a patched system. As with unmodified Spectre Variant 1, SWAPGS is capable of reading memory that would otherwise be out of reach of the malicious code - including code running on a virtual machine being able to read the memory contents of other virtual machines or the host system.
The flaw is reported to affect most modern processors from Intel, AMD, IBM, Arm, and Wave Computing's MIPS division, and has no workaround - but, thankfully, does have patches. Microsoft has released a fix for Windows 10, Windows 8.1, Windows 7, Windows RT 8.1, Windows Server 2008, Windows Server 2016, and Windows Server 2019, details of which are available on the company's security centre; Red Hat and other Linux distribution maintainers have announced patches of their own; and Google has issued an update for its Chromium OS and Chrome OS platforms.
While the flaw, as with vanilla Spectre Variant 1, exists within the processor hardware itself, the patch does not rely on a microcode update from CPU vendors to operate; it is also reported to have a minimum, though measurable for selected workloads, performance impact.
September 18 2020 | 18:30