Researchers have discovered a new flaw affecting all Intel chips due to the way they carry out speculative execution for CPU performance gains.
Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets.
However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache.
Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper was released this month and spotted by The Register.
The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for it, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.
"The root cause for Spoiler is a weakness in the address speculation of Intel's proprietary implementation of the memory subsystem, which directly leaks timing behavior due to physical address conflicts. Existing Spectre mitigations would therefore not interfere with Spoiler," they write.
They also looked for the same weakness in Arm and AMD processor cores but didn't find the same behavior that is present in Intel chips.
Spoiler depends on "a novel microarchitectural leakage, which reveals critical information about physical page mappings to user space processes".
"The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS, and also works from within virtual machines and sandboxed environments."
SEE: 10 tips for new cybersecurity pros (free PDF)
The researchers say that Intel has confirmed receipt of their findings on December 1, 2018. However, they note Intel won't be able to use a software mitigation to fully address the problem Spoiler exploits. Meanwhile hardware mitigations could address the issue but would almost certainly mean a hit on CPU performance.
Daniel (Ahmad) Moghimi, one of the paper's authors, told The Register he doubts Intel will be able to patch the issue in the memory subsystem within the next five years.
"My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with a microcode without losing tremendous performance," he said.
"So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a CVE."
An Intel spokesperson said in a statement that software can be protected from Spoiler attacks while DRAM modules with Rowhammer mitigations still should remain shielded.
"Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."
Previous and related coverage
Microsoft rolls out Google's Retpoline Spectre mitigation to Windows 10 users
KB4482887, released today, enables Google's Retpoline mitigation in the Windows 10 kernel (only for v1809 users).
Linux kernel gets another option to disable Spectre mitigations
People want more control over the Spectre mitigations for the sake of performance.
Researchers discover SplitSpectre, a new Spectre-like CPU attack
Spectre-like variations continue to be discovered, just as academics predicted at the start of 2018.
Researchers discover seven new Meltdown and Spectre attacks
Experiments showed that processors from AMD, ARM, and Intel are affected.
Linus Torvalds: After big Linux performance hit, Spectre v2 patch needs curbs
Patch is causing as much as a 50 percent drop in performance in some Linux workloads.
Windows 10 will banish Spectre slowdowns with Google's Retpoline patch
Google's Retpoline fix for the Spectre Variant 2 flaw helps minimize performance hit on Windows 10 machines
Intel ditches Linux patch benchmark 'gag', offers 'innocuous' new license
Intel's license for its microcode security fixes no longer prevents developers from publishing benchmark results.
Intel 'gags' Linux distros from revealing performance hit from Spectre patches
You can test performance after using our patches, but don't publish the results, say Intel's new license terms.
New Spectre variant 4: Our patches cause up to 8% performance hit, warns Intel
Intel's Spectre variant 4 patch will be off by default, but users who turn it on are likely to see slower performance.
Linux performance before and after Meltdown and Spectre fixes
The patches, as expected, brought Linux's performance down, but their impact has not been as bad as feared.
Oracle's latest Linux fixes: New Spectre, Lazy FPU patches beef up defenses
Oracle has new fixes available for Spectre flaws affecting Linux systems on Intel and AMD chips.
Spectre chip security vulnerability strikes again; patches incoming
A Google developer discovered a new way that a 'Spectre'-style check can be used to attack any computer running any operating system.
Are 8 new 'Spectre-class' flaws in Intel CPUs about to be exposed?
Reports are emerging of eight new 'Spectre-class' security CPU vulnerabilities.
Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets
A new variant of Spectre can expose the contents of memory that normally can't be accessed by the OS kernel.
Microsoft to Windows users: Here are new critical Intel security updates for Spectre v2
Microsoft releases new Windows updates to address the Spectre variant 2 flaw affecting Intel chips.
Windows 10 on AMD? This new update plus Microsoft's patch block Spectre attacks
AMD has released microcode updates for Spectre variant 2 that require Microsoft's latest Windows 10 patch.
Intel: We now won't ever patch Spectre variant 2 flaw in these chips
A handful of CPU families that Intel was due to patch will now forever remain vulnerable.
Windows 7 Meltdown patch opens worse vulnerability: Install March updates now
Microsoft's Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.
Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode
Intel makes progress on reissuing stable microcode updates against the Spectre attack.
Critical flaws revealed to affect most Intel chips since 1995
Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are "going to haunt us for years."
Got an old PC? Find out whether you will get Intel's latest Spectre patch TechRepublic
Intel has listed a range of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre-related exploits.
Class-action suits over Intel Spectre, Meltdown flaws surge CNET
Since the beginning of 2018, the number of cases has risen from three to 32.