After the discovery of the Spectre and Meltdown class vulnerabilities, a fifth vulnerability affecting Intel processors has been discovered by Giorgi Maisuradze, Professor Dr. Christian Rossow, and their team of researchers at the CISPA Helmholtz Centre in Germany. The vulnerability allows hackers to bypass authorization in order to read data, and it is assessed to exist in all Intel processors of at least the last decade. Although the vulnerability has so far been studied only in Intel processors, it is expected to exist in ARM and AMD processors as well, which means that hackers who exploit it on Intel CPUs could adapt their exploits to attack other processors too.
According to Dr. Rossow, “The security gap is caused by CPUs predicting a so-called return address for runtime optimization. If an attacker can manipulate this prediction, he gains control over speculatively executed program code. It can read out data via side channels that should actually be protected from access.” Such attacks can be carried out in two primary ways: in the first, malicious scripts on websites can access stored passwords; the second goes a step further, allowing the hacker to read data in the same way from other processes, reaching beyond the process boundary to access a larger array of passwords belonging to other users on a shared system. The researchers’ white paper shows that the return stack buffers, which are responsible for predicting return addresses, can be used to cause mispredictions. Although the recent fixes for the Spectre class vulnerabilities also mitigate RSB-based cross-process attacks, the vulnerability can still be exploited in JIT environments to gain access to browser memory, and JIT-compiled code can be used to read memory beyond its bounds with an 80% accuracy rate.
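The article notes that the recent Spectre fixes also close the cross-process RSB attack; on Linux, the kernel reports the state of those mitigations under sysfs, and the spectre_v2 entry names "RSB filling" when the return stack buffer is refilled on context switch. The script below is an added example, not code from the article or from the CISPA team, that reads that interface and flags whether RSB filling is reported. It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/; the function names are the editor's own, and the status strings used for the demo are constructed to mimic the kernel's format rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article or the researchers): summarise which
# Spectre-class mitigations a Linux kernel reports, and whether the spectre_v2
# status mentions return stack buffer (RSB) refilling. The directory is a
# parameter so the checks can be run against constructed data as well.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "name: status" for every file in the vulnerabilities directory.
# Returns 2 if the directory is absent (non-Linux host or kernel too old).
list_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no $dir (not Linux, or kernel too old)" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 when spectre_v2 reports RSB filling, 1 when it does not,
# and 2 when the status file is missing.
rsb_filling_active() {
    dir=${1:-$VULN_DIR_DEFAULT}
    f="$dir/spectre_v2"
    [ -f "$f" ] || return 2
    case "$(cat "$f")" in
        *"RSB filling"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample (NOT real kernel output): status lines in the format the
# kernel uses, written to a temporary directory. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n' > "$d/spectre_v2"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

# Constructed sample of a host with mitigations disabled (e.g. mitigations=off).
make_unmitigated_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Usage: ./rsb-check.sh          (reads the live sysfs directory)
#        ./rsb-check.sh --demo   (runs against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    list_mitigations "$sample"
    if rsb_filling_active "$sample"; then echo "RSB filling: yes"; else echo "RSB filling: no"; fi
    rm -rf "$sample"
else
    list_mitigations
    if rsb_filling_active; then echo "RSB filling: yes"; else echo "RSB filling: no"; fi
fi
```

A "Vulnerable" or missing spectre_v2 entry is what you would see with mitigations switched off or on a kernel that predates the sysfs interface; on such a host the cross-process protection the article refers to cannot be assumed.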
Just as the Spectre attacks exploit processors by manipulating forward addresses, this vulnerability lies in the return addresses, hence the nickname: inverse Spectre attack. As technology manufacturers work to close the four already known security gaps of this kind, browsers remain a gateway for malicious sites to access information and manipulate the processors in this way. Intel was made aware of the newly found vulnerability in May and was granted 90 days to produce a mitigation of its own before the discovery would be released. Now that the 90 days have ended, Intel’s processors remain at risk, but rest assured that the company is working toward a permanent solution, and until then the white paper stands as a thorough experimental analysis of this new vulnerability.