Following in AMD’s footsteps, Intel also finds itself with a sizeable vulnerability. A Google researcher discovered a way to exploit a flaw in an instruction, allowing encryption keys and more to be stolen.
CVE-2022-40982 has been reserved as a vulnerability code by Google researcher Daniel Moghimi for some time. Meanwhile, Intel has had a chance to patch the bug, which has now given us details on the hardware bug.
Without a patch, the bug can be exploited on most Intel processors from the 6th to 11th Core generations. That means PCs from 2015 to fairly recently could be susceptible. The newer generations 12 and 13 remain unaffected.
The flaw allows malicious actors to intercept sensitive data from a different user account on the same machine. Think passwords, encryption keys or private data.
The vulnerability arose because a memory optimization feature was not working properly. The so-called Gather instruction is designed to quickly detect scattered data in system memory. Unintentionally, this feature can display internal hardware registers, allowing untrusted software to make off with otherwise protected data. Despite the fact that this could pose a pretty serious danger, there is no known real-world exploitation case.
Earlier, we brought news that a team in Zurich had mapped a bug in AMD chips that exploited a flaw in the CPU architecture’s speculative execution mechanism. A fix has since been released for it, as with Intel, but many chips are never expected to receive it – as almost no one updates their BIOS firmware.