A new security flaw in Intel processors has been disclosed by vulnerability researchers at Bitdefender as well as by a team of academics from universities around the world.
The flaw has been given the name Load Value Injection or LVI for short and it represents a whole new class of theoretical attacks that can be launched against Intel's CPUs. Although the attack is just a theoretical threat at this time, Intel has already released firmware patches to mitigate attacks against its current CPUs and the chipmaker plans to deploy fixes at the hardware level in future generations.
While the Meltdown bug, that was first discovered in 2018, allowed attackers to read an app's data from inside a CPU's memory while in a transient state, LVI attacks could allow an attacker to inject code inside the CPU and have it executed as transient operation which would give attackers more control over what happens.
- Latest Intel CPUs have 'impossible to fix' security flaw
- Here’s the cheapest 64-core CPU currently on the market
- These are the best processors available right now
The two research teams discovered the new LVI attack on their own but both teams have been successfully able to prove the broad impact that LVI attacks could have. The academic research team focused on leaking data from a secure area of Intel processors called the Intel SGX enclave and Bitdefender focused on proving how the attack could impact cloud environments.
LVI security flaw
At this time, only Intel CPUs have been confirmed to be impacted by LVI attacks in real-world tests, though the researchers have not ruled out that CPUs from AMD and ARM could also be affected.
Proof-of-concept demo code for LVI attacks currently relies on running malicious code on a computer which means that local access is needed. However, a remote attack could also be possible via JavaScript by tricking users into visiting a malicious site.
Using JavaScript to launch an LVI attack has not yet been proven but the academic researchers and Bitdefender both believe that this delivery method could theoretically work.
Thankfully though, both teams also came to the conclusion that an LVI attack would be difficult for an attacker to pull off. While this new attack type may not pose a danger to users now, once more is learned about how CPUs work, the current CPU design will likely be proven to be insecure.
Expect to hear more about LVI attacks as researchers and hardware makers learn more about this new type of CPU security flaw.
- Also check out our complete list of the best antivirus software
Via ZDNet
