News

Microsoft Suggests Its Software Not Affected by Latest Spectre Attack Method

• By Kurt Mackie
• 07/13/2018

Researchers disclosed a new variant 1-type Spectre attack method earlier this week, but Microsoft's software apparently isn't affected by it.

The new "bounds check bypass on stores" attack method was described as being yet another method classed under Spectre variant 1 attacks. It's part of the Meltdown/Spectre speculative execution side-channel attack methods that could lead to information disclosure from the operating system kernel, including passwords. However, malware typically has to be installed on a machine for these kinds of attacks to work.

Vladimir Kiriansky of MIT and independent consultant Carl Waldspurger described the bounds check bypass on stores attack method in an MIT paper, "Speculative Buffer Overflows: Attacks and Defenses" (PDF). They reportedly received a $100,000 award from Intel for their research, according to a ThreatPost article.

The bounds check bypass on stores attack method goes by the common vulnerabilities and exposures (CVE) name of CVE-2018-3693.

Chipmaker Advisories
Intel updated an "important" security advisory on July 10 that briefly described CVE-2018-3693. Intel directed users of its processors to check with "your operating system vendor" for any updates or patches. Apparently there's no microcode update coming from Intel. Any fix will come from the operating system makers.

AMD this week alluded to this variant 1-type Spectre security vulnerability in a July 13 update. The update indicated that AMD hasn't identified AMD x86 products that are susceptible, and that "consistent with variant 1, we believe this threat can be mitigated through the operating system (OS)."

ARM Holdings simply listed CVE-2018-3693 as being a variant 1 attack method, which appears to affect most of its products. It included a technical description of the attack method in an updated research paper.

Oracle indicated in a security update that it is currently working with Intel and other partners on building technical mitigations against CVE-2018-3693. Its Sparc processors aren't affected by Spectre variants 3a and 4, the announcement added.

OS Maker Advisories
On the operating system-maker side, Microsoft suggested its products weren't affected by the bounds check bypass for stores (CVE-2018-3693) attack method, although it's still researching the matter. Microsoft's comment to that effect is buried in an FAQ section in updated security advisory ADV180002. It's listed under question No. 17:

Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required.

Linux OS maker Red Hat noted in a security advisory that CVE-2018-3693 affects "Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2" products, adding that future kernel updates from Red Hat "may address this issue."

Linux OS maker Suse issued a support article and a security advisory this week on CVE-2018-3693, suggesting that Suse Linux Enterprise Server 12 Service Pack 3 and Suse Linux Enterprise Server 11 Service Pack 4 could be affected. The support article indicated that no microcode fixes from chipmakers are needed to address the bounds check bypass on stores problem. Future kernel and hypervisor fixes will be needed, but these mitigations will have "very limited performance impact," it added.

To recap, there are four main variants of these speculative execution side-channel attack methods identified so far since the problems were first publicly disclosed back in January. The attack methods, called Meltdown and Spectre, affect most processors, and require either a firmware (or "microcode") update from ARM Holdings, AMD or Intel and/or an operating system patch (from both Windows and Linux operating system makers) to address the security vulnerabilities.

Here's the list of the Spectre/Meltdown variants described so far:

• Variant 1: Bounds Check Bypass (CVE-2017-5753)
• Variant 2: Branch Target Injection (CVE-2017-5715)
• Variant 3: Rogue Data Cache Load (CVE-2017-5754)
• Variant 3a: Rogue System Register Read (CVE-2018-3640)
• Variant 4: Speculative Store Bypass (CVE-2018-3639)

Chrome Browser Spectre Protection
In other Spectre/Meltdown news, Google is implementing a protection against information disclosure from Spectre side-channel attacks in its Chrome version 67 browser. Google this week described the new technology added to Chrome version 67, which required an architectural change to the browser, as being the first phase of its "Site Isolation project."

Apparently, a Web site running malicious code can use the processes in a browser to steal information from other Web sites using Spectre attack methods. Site Isolation technology "limits each renderer process to documents from a single site." It helps the operating system "prevent attacks between processes, and thus, between sites," Google explained.

One downside to Site Isolation in Chrome version 67 is that it'll entail "about a 10-13% total memory overhead in real workloads due to the larger number of processes" that need to be run. Google, though, is working to optimize the potential performance hit.