Windows Quietly Patches Bug That Could Reverse Meltdown, Spectre Fixes For Intel CPUs

Microsoft has fixed a “serious security flaw in Intel processors” that threatened to undo both companies’ work patching the Spectre and Meltdown vulnerabilities, Tom’s Guide reported on Wednesday.

Spectre and Meltdown were massive flaws in the way Intel processors handled speculative execution, a technique used in modern processors to enhance performance, and were first revealed in 2018. Speculative execution relies on predicting which calculations a processor will need to perform, allowing it to work on tasks ahead of time and in parallel rather than strictly sequentially.

Unfortunately, it turned out an unfixable hardware flaw in virtually every one of Intel’s CPUs meant that they didn’t check permissions correctly and leaked information about speculative commands that were never run, possibly allowing an attacker glimpses at ultra-sensitive kernel memory.

The issue hit Intel by far the hardest, but also competitors like AMD and ARM to a lesser degree. Patches have since been issued, but at around the same time researchers for security firm Bitdefender discovered a related issue that threatened to make the patches useless for Windows machines, Tom’s Guide wrote.

Bitdefender researchers revealed their findings at the Black Hat security conference in Las Vegas on Wednesday, almost exactly a year to the day after finding the flaw.

According to Tom’s Guide, the “flaw affects a system instruction in 64-bit Windows called SWAPGS, a kernel-level instruction set introduced with Intel’s Ivy Bridge processors in 2012 that can be speculatively executed in user mode.”

That in and of itself violated separation of system and user functions, and by manipulating this flaw an attacker could steal data from the system kernel (potentially exposing everything from passwords and encryption keys to other protected data). Tom’s Guide wrote that the vulnerability also introduced a potential workaround to security fixes introduced in the wake of the Meltdown and Spectre mess:

“Most importantly, the SWAPGS flaw allows attackers to completely bypass kernel page table isolation (KPTI), the most widely used method of staving off Meltdown and Spectre attacks, as well as all other mitigations for speculative-execution flaws.”

It’s likely that Bitdefender researchers were the first to discover this flaw, but as the Bitdefender press release stated, “It is possible that an attacker with knowledge of the vulnerability could have exploited it to steal confidential information.”

Bitdefender researchers found that the vulnerability (tracked as CVE-2019-1125) affected Microsoft machines using modern Intel processors; Microsoft fixed it in a silent update on Wednesday.

According to Ars Technica, Bitdefender researchers also tested two AMD CPUs and were unable to find a similar problem, as AMD’s implementation of the SWAPGS function didn’t appear to rely on speculative execution. Bitdefender director of threat research and reporting Bogdan Botezatu told the site that it was technically possible to run the exploit on Linux, Unix, FreeBSD, or macOS systems, but that for technical reasons that would be “unfeasible.”

“What we have found is a way to exploit the SWAPGS instruction which switches from userland to kernel mode in such a way that we could... carry out a side-channel attack,” Botezatu told Ars Technica. “By doing that, we are going to leak kernel memory into the user space even if there are security measures that should prevent us from doing that.”

Botezatu also told Ars Technica that one of the most likely ways this flaw could be exploited would be a nation-state attack on a cloud service, as it could affect multiple virtual machines running on the same CPU. Such an attack would “make sense for a state-sponsored attacker that has access to resources in a multi-tenant environment,” Botezatu said, adding that an attacker using this method might require hours at a time to steal data but could potentially remain undetected for up to a year.

[Ars Technica/Tom’s Guide]