Like the Spectre and Meltdown exploits earlier this year, the new L1TF / Foreshadow vulnerabilities allow for a form of speculative execution attack. Unlike those earlier exploits, these affect modern chips with SGX architecture extensions, designed to protect data and applications from interference.
Lovely. The modern chip sets that were apparently spared by the earlier issues were included in this one, just to make life a little more interesting for those of you who are responsible for keeping your customers’ companies safe.
When the Spectre and Meltdown Intel chip vulnerabilities were revealed in January, it sent shock waves through the security community. If the very chips that run your customers’ machines were a source of vulnerability, how could you be expected to protect the software running on them? The short answer is that it’s not easy.
We have to deal with breaches and phishing attacks stealing ever more credentials. It’s hard to protect your customers’ assets when their users’ information is being spread far and wide, shared in shady chat rooms in the dark corners of the internet.
Waiting for patches
When it comes to chip issues, all you can do is wait for the patches to come down the pike, and say a little prayer that nobody is taking advantage on your customers’ machines.
To be fair, the Spectre and Meltdown vulnerabilities were made public on January 3. By January 8 Intel announced a solution of sorts to fix 90 percent of affected machines, which was pretty quick considering the breadth of the issue. Of course, it was more of a workaround than an actual fix and might have resulted in a performance hit, but it was better than being left open to an attack. This most recent announcement is just another issue for you to deal with as you help customers manage their security posture.
As you know all too well, nobody can fully protect or guarantee security. When even the heart of your hardware isn’t safe, all you can do is keep on wishin’ and a-hopin’ and a-patchin’ as fast as your vendors can produce them.