Once upon a time, when we worried about security, we worried about our software. These days, it's our hardware, our CPUs, with problems like Meltdown and Spectre[1], which are out to get us. The latest Intel revelation, Lazy FP state restore[2], can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system.

Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat[3] Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff[4], but it's NOT Meltdown." Still, "It allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

This vulnerability exists because modern CPUs include many registers (internal memory) that represent the state of each running application. Saving and restoring this state when switching from one application to another takes time. As a performance optimization, this may be done "lazily" (i.e., when needed) and that is where the problem hides.

This vulnerability exploits "lazy state restore" by allowing an attacker to obtain information about the activity of other applications, including encryption operations. Thus, systems using Intel Core-based microprocessors, from Sandy Bridge on to today's newest processors, may allow a local process to infer data using lazy floating point state restore from another process through a speculative-execution side channel. So, in this latest vulnerability, one process can read the floating point registers of other processes being lazily restored.

For some operating systems, the fix is already in. Red Hat Enterprise Linux (RHEL)[5] 7 automatically defaults to (safe) "eager" floating point restore on all recent

Read more from our friends at ZDNet