Security News
Oracle on Tuesday announced the availability of a total of 342 new security patches as part of its July 2021 Critical Patch Update. The most severe of these issues is CVE-2021-2244, a security bug in the Essbase Analytic Provider Services product of Oracle Essbase that could be exploited remotely without authentication and which could lead to the complete takeover of the affected product.
Microsoft announced today that they might lower the Windows 11 system requirements to allow Intel 7th generation and AMD Zen 1 CPUs to use the new operating system. Even if your hardware had no problems running Windows 10, Microsoft decided only to allow Intel 8th generation, AMD Zen 2, and Qualcomm 7 and 8 Series processors to be compatible with Windows 11.
The mitigations applied to exorcise Spectre, the family of data-leaking processor vulnerabilities, from computers hinders performance enough that disabling protection for the sake of speed may be preferable for some. "Before Spectre mitigations, those system calls hardly slowed down userspace execution at all."
Intel has unleashed 29 security advisories to plug up some serious bugs in the BIOS firmware for Intel processors, as well as in its Bluetooth products, Active Management Technology tools, the NUC Mini PC line, and, ironically, in its own security library. "Forty of those, or 55 percent, were found internally through our own proactive security research. Of the remaining 33 CVEs being addressed, 29, or 40 percent, were reported through our bug-bounty program. Overall, 95 percent of the issues being addressed today are the result of our ongoing investments in security assurance, which is consistent with our 2020 Product Security Report."
Intel has pushed out a raft of security advisories for June, bringing its total discovered "Potential vulnerabilities" for the year to date to 132, only a quarter of which were reported by external contributors and the company's bug bounty programme. "Today we released 29 security advisories addressing 73 vulnerabilities," Intel's Jerry Bryant said of the company's latest updates.
A team of academics from the University of Virginia and University of California, San Diego, have discovered a new line of attack that bypasses all current Spectre protections built into the chips, potentially putting almost every system - desktops, laptops, cloud servers, and smartphones - once again at risk just as they were three years ago. The disclosure of Spectre and Meltdown opened a floodgates of sorts, what with endless variants of the attacks coming to light in the intervening years, even as chipmakers like Intel, ARM, and AMD have continually scrambled to incorporate defenses to alleviate the vulnerabilities that permit malicious code to read passwords, encryption keys, and other valuable information directly from a computer's kernel memory.
Oracle this week announced the release of 390 new security fixes as part of the April 2021 Critical Patch Update, including patches for more than 200 bugs that could be exploited remotely without authentication. The quarterly set of security patches addresses a total of 41 vulnerabilities considered critical severity, including 5 that feature a CVSS score of 10.
A new research has yielded yet another means to pilfer sensitive data by exploiting what's the first "On-chip, cross-core" side-channel attack targeting the ring interconnect used in Intel Coffee Lake and Skylake processors. While information leakage attacks targeting the CPU microarchitecture have been previously demonstrated to break the isolation between user applications and the operating system, allowing a malicious program to access memory used by other programs, the new attack leverages a contention on the ring interconnect.
Google on Friday released proof-of-concept code for conducting a Spectre-based attack against its Chrome browser to show how web developers can take steps to mitigate browser-based side-channel attacks. The code, posted to GitHub, demonstrates how an attacker can pull data from device memory at speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. According to Google, the attack should work on other browsers, even those running on Arm-based Apple M1 chips.
A team of researchers from the University of Illinois at Urbana-Champaign has published a paper detailing a new side-channel attack method that can be launched against devices with Intel CPUs. Following the disclosure of the Meltdown and Spectre vulnerabilities back in January 2018, researchers have increasingly focused on finding CPU side-channel attack methods - and in many cases they have been successful.