Intel posted a security advisory about the Spoiler vulnerability uncovered by researchers last month. According to researchers that originally disclosed the vulnerability, Spoiler is like Meltdown in that it only affects Intel CPUs, and not AMD or Arm CPUs.
Intel CPUs, Spoiled
Spoiler is yet another security vulnerability affecting Intel’s Core CPUs that attackers can use to steal sensitive information. Unlike Spectre and Meltdown, Spoiler affects a different area of the CPU, called a Memory Order Buffer, which is used to manage memory operations and is tied to the CPU’s cache system. Because of this, Spoiler attacks can also enhance memory-based Rowhammer and other cache-based attacks.
Even though we’ve seen a long stream of Spectre attacks that Intel has had to fix, and more are expected, Spoiler is not yet another speculative execution attack. As such, none of Intel’s current mitigation techniques for Spectre affect Spoiler. The root cause of the Spoiler vulnerability is within Intel’s proprietary memory subsystem, which is why Spoiler only affects Intel’s CPUs and not AMD or Arm CPUs.
More than a month after the researchers first unveiled the Spoiler attack, Intel has assigned it its own CVE (CVE-2019-0162) and published an advisory stating that the attack is low risk (3.8 points out of 10) because the attack would need to be authenticated and requires local access to hardware.
Hardware Mitigation Required
The researchers note that Spoiler can’t be mitigated in software and that new Intel CPUs will need hardware changes to prevent attackers from exploiting this flaw. However, they also said that said hardware mitigation would likely bring a performance penalty to Intel’s CPUs.
Although most CPUs are affected by most Spectre flaws, Spoiler, Meltdown, Foreshadow, and other such Intel CPU-only flaws show the company has been more willing to de-prioritize security to get ahead of the competition in terms of performance.
As far as Spoiler mitigations are concerned, Intel seems to be currently handing over the burden to software developers that the company encourages to use side-channel-safe software development practices.
This would mean that Intel would be off the hook for fixing its memory subsystem, and whatever software changes developers need to make to their software to protect their apps from Spoiler would slow down these apps not just on Intel hardware, but also AMD and Arm hardware.
