A new security vulnerability in a similar vein to Spectre and Meltdown has been discovered in Intel CPUs. The “Lazy FP state” flaw makes use of the speculative execution vulnerability that has been the bane of Intel CPUs for the past few months as repeated exploits have been discovered. It could potentially allow malicious actors to steal data from an affected user, though it has proven easier to patch than previous exploits of a similar type.
Processors from both AMD and Intel have been hit with a number of different security bugs in the past few months, as flaws at the deepest level of the hardware were discovered. While Spectre was applicable to both chipmakers’ hardware though, this latest bug is one that impacts Intel CPUs only. It affects every “Core” CPU released since Intel’s 2011 Sandy Bridge range debuted.
The problem stems from the fact that modern CPUs often store the state of running applications to improve performance when switching between tasks. That leaves a window of opportunity for malicious actors to read the contents of that register.
“It affects Intel designs similar to variant 3-a of the previous stuff, but it’s not Meltdown,” Red Hat computer architect Jon Masters said via Zdnet. “It allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc.”
That’s perhaps the most worrisome aspect of this flaw, in that it allows for the extraction of data while encryption is being conducted. That could be especially problematic if servers were targeted.
Fortunately, this flaw is much less of a problem than those previously discovered. It has already been patched out in a number of environments — including Linux 4.9 or newer, Windows Server 2016, and Windows 10. Better yet, the fix does not impact performance as it has done in the case of certain other exploits related to Spectre and Meltdown.
The general recommendation for anyone running potentially affected hardware is to make sure that you operating system is patched to its latest version and to keep an eye on your motherboard manufacturer’s website for any potential BIOS updates that are released.
Intel has released the following statement on Lazy FP:
“This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.”