Microsoft silently rolled out a patch to Windows systems that plugs a serious speculative-execution flaw in all Intel CPUs that have been on the market since 2012. The bug was discovered 12 months ago by security firm Bitdefender and privately reported to Intel. The exploit Bitdefender discovered abuses the SWAPGS CPU instruction to leak kernel memory into user space, even on CPUs that already carry mitigations against earlier side-channel attacks.
Bitdefender's researchers found that a chip instruction known as SWAPGS made it possible to revive the side channel, even on systems that had the earlier mitigations installed. SWAPGS is executed when control switches from less-trusted userland code into the more sensitive kernel. Proof-of-concept exploits developed by Bitdefender invoked the instruction to siphon contents normally restricted to kernel memory into user memory.
"What we have found is a way to exploit the SWAPGS instruction which switches from userland to kernel mode in such a way that we could... carry out a side-channel attack," Bogdan Botezatu, Bitdefender's director of threat research and reporting, told Ars. "By doing that, we are going to leak kernel memory into the user space even if there are security measures that should prevent us from doing that."
Full details are at Ars Technica.