A new security flaw that cannot be fixed via software affects Intel processors produced from 2012 to 2020, according to discoveries made independently by two teams of security researchers (one of them part of BitDefender). The only way to secure the processors is to implement an appropriately revised and corrected hardware design. For the time being, AMD processors and those based on the ARM architecture are not affected, but the researchers do not rule it out a priori; the newest Intel chips, namely the tenth-generation Core Ice Lake parts announced last year, are invulnerable.

The flaw is potentially serious, in the sense that it may lead to the theft of sensitive data belonging to users from the servers on which that data is stored, but it remains unclear how feasible an attack using this technique is in the real world. Intel and some independent researchers believe that it is extremely difficult; BitDefender, however, believes that now that the leak has been discovered at a theoretical level, further studies could lead to the development of methods exploitable in the real world. There is, however, another factor to consider: it is possible to extract only the data being processed at the time of the attack, not data saved, for example, on a hard disk. This further complicates things for a potential hacker.

The problem has been described as a sort of “reverse Meltdown”, for those who remember the big CPU security mess of a couple of years ago. It arises from the same processor feature: so-called speculative execution, in which the chip, to save time, tries to guess which operation will be performed next and completes it in its “free time”. Meltdown and Spectre were the first such attacks to be discovered, followed by others such as ZombieLoad (May 2019), Fallout, and Foreshadow (August 2018). The new one has been named Load Value Injection, or LVI. To simplify a lot, LVI manages to reveal the results of operations that the processor performs in advance; what makes it particularly serious is that it can also reach the contents stored in the maximum-security area called SGX (Intel Software Guard eXtensions). The data processed by SGX are the most sensitive: cryptographic keys, DRM, passwords and so on.

The researchers have launched a website dedicated to the LVI attacks, on which they plan to publish all updates on the topic; it also hosts all the necessary resources for those wishing to look more deeply into how the exploit works. Intel has compiled one as well, which you can read by following this link. HERE, instead, is a list (also written by Intel) that indicates which processors are affected (though it is easily summed up by the opening sentence of the first paragraph).