Intel has confirmed a newly discovered vulnerability, dubbed Lazy FP State Restore (CVE-2018-3665), that affects all modern Intel CPUs starting from the Sandy Bridge line-up.
Vendors are now rushing to roll out security updates to fix the flaw and keep their customers protected.
The flaw exploits a system performance optimization feature, Lazy FP state restore, which is embedded in modern processors, and is responsible for saving or restoring the FPU state of each running application ‘lazily’ when switching from one application to another.
“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch,” Intel says while describing the flaw.
“Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.”
The latest Red Hat advisory stated that the numbers held in FPU registers can be used to access sensitive information about the activity of other applications, including parts of cryptographic keys being used to secure data in the system.
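The difference between lazy and eager FPU switching can be seen in a small model. This is an added illustration, not code from Intel, Red Hat or any kernel: the struct and function names are hypothetical, the `ts` flag stands in for the x86 CR0.TS bit and the trap for the #NM exception (neither is named in the article), and the secret value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NREGS 4
struct task { uint64_t saved_fp[NREGS]; };  /* per-task FPU save area in memory */
struct cpu {
    uint64_t fp[NREGS];      /* physical FPU register file */
    struct task *fpu_owner;  /* task whose values are live in fp[] */
    struct task *current;    /* task now scheduled */
    int ts;                  /* models CR0.TS: next FP instruction traps (#NM) */
};
/* Save the owner's registers to memory, then load t's saved registers. */
static void load_state(struct cpu *c, struct task *t) {
    if (c->fpu_owner) memcpy(c->fpu_owner->saved_fp, c->fp, sizeof c->fp);
    memcpy(c->fp, t->saved_fp, sizeof c->fp);
    c->fpu_owner = t;
    c->ts = 0;
}
/* Eager: save outgoing and restore incoming state at every context switch. */
static void switch_eager(struct cpu *c, struct task *next) {
    c->current = next;
    load_state(c, next);
}
/* Lazy: leave fp[] untouched and only arm the trap for the new task. */
static void switch_lazy(struct cpu *c, struct task *next) {
    c->current = next;
    c->ts = (c->fpu_owner != next);
}
/* Architectural FP read: with ts set, the trap handler swaps state first. */
static uint64_t fp_read(struct cpu *c, int reg) {
    if (c->ts) load_state(c, c->current);
    return c->fp[reg];
}
/* Task A loads `secret` into fp[0], then task B is scheduled.
 * architectural=0: value physically left in fp[0] before any trap is taken,
 *                  i.e. what a speculative side channel could infer.
 * architectural=1: value B obtains through a normal FP read. */
uint64_t observe(int lazy, int architectural, uint64_t secret) {
    struct task a = {{0}}, b = {{0}};
    struct cpu c = {{0}, NULL, NULL, 0};
    switch_eager(&c, &a);
    c.fp[0] = secret;
    if (lazy) switch_lazy(&c, &b); else switch_eager(&c, &b);
    return architectural ? fp_read(&c, 0) : c.fp[0];
}
int main(void) {
    uint64_t s = 0x1122334455667788ULL;  /* constructed sample "key" value */
    printf("lazy  residual: %llx\n", (unsigned long long)observe(1, 0, s));
    printf("eager residual: %llx\n", (unsigned long long)observe(0, 0, s));
    return 0;
}
```

Under lazy switching the previous task's value is still in the register file when the next task starts, while eager switching has already replaced it, which is why moving to eager save and restore closes the channel.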
But unlike Spectre and Meltdown, this latest vulnerability does not reside inside the hardware, so it can be fixed with patches on different operating systems without requiring new CPU microcode from Intel.
Red Hat is already working with its partners to issue a patch. Other modern versions of Linux, from kernel version 4.9 (released in 2016) onwards, are not affected by this vulnerability.
Modern versions of Windows, as well as Windows Server 2016, are also not affected. Microsoft published a security advisory explaining that the company is currently working on security updates, which will be released on the next Patch Tuesday in July.
They say that Lazy restore is enabled by default in and cannot be disabled. Virtual machines, the kernel, and processes are vulnerable to this exploit; however, those who are running VMs in Azure are not affected.
AMD processors are also not affected by this issue.