Another Day, Another Intel CPU Security Hole: Lazy State

Steven J. Vaughan-Nichols, writing for ZDNet: The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system. Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "it allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

This vulnerability exists because modern CPUs include many registers (internal memory) that represent the state of each running application. Saving and restoring this state when switching from one application to another takes time. As a performance optimization, this may be done "lazily" (i.e., when needed) and that is where the problem hides. This vulnerability exploits "lazy state restore" by allowing an attacker to obtain information about the activity of other applications, including encryption operations. Further reading: Twitter thread by security researcher Colin Percival, BleepingComputer, and HotHardware.

Different standard of disclosure

[DrYak]

Where's the tablet-optimised website? This one's just a few tweets, it doesn't even have a logo! Where's the superbowl ad?

In an era where every single vulnerabilities needs to get a catchy name and a well designed reactive website (almost a superbowl ad ?), even before confirming if there's a viable exploit, it's nice to see the big hats of security reacting (cpercival - the daddy of Scrypt) and taking time to write an actual exploit to test, even if communication is done over an unglamorous channel as twitter.