PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Spectre, Meltdown Patches Won't Fix New 'SwapGS' Intel Flaw

The SwapGS chip-level vulnerability is serious, according to Bitdefender, but unless you're a CEO, head of state, or some other prominent target, you're probably safe from harm.

Neil J. Rubenking
 & Neil J. Rubenking Principal Writer, Security

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

LAS VEGAS—A new chip-level vulnerability that affects all current Intel processors, dubbed SwapGS, gives attackers "a method to access all information in the operating system kernel memory," security giant Bitdefender revealed here at Black Hat. That's serious. No process should have that level of access to memory.

Black Hat Bug ArtThis discovery comes after Meltdown broke hardware-enforced security boundaries by exploiting technologies used to make CPU process instructions faster. Microsoft issued Windows patches to prevent malicious activity that exploited that vulnerability, but since the problem was at the chip level, full protection required action by Intel. Another flaw in CPU chips known as Spectre used similar techniques to gain access to data that should be totally secure.

Speculative Execution

All of these attacks make use of a technology called speculative execution. Effectively, the CPU guesses that execution is going to proceed down one of two branches, so it executes that branch in a kind of trial mode. If in fact the other branch is appropriate, it discards the traces of the trial. A tech running the program in a debugger can't see the speculative execution, but leaves traces in CPU caches.

When this technology works, it speeds the CPU's processing, but its implementation has led to these security problems.

"Criminals with knowledge of these attacks would have the power to uncover the most vital, best protected information of both companies and private individuals around the world, and the corresponding power to steal, blackmail, sabotage, and spy," said Gavin Hill, VP of Datacenter and Network Security Products at Bitdefender.

Bitdefender's Discovery

Bitdefender researchers Andrei Lutas and Dan Lutas (no relation) demurred when I asked their titles, preferring to be just called "researchers." However, their colleagues suggested "CPU Ninja" or "Research Genius" might be appropriate. Indeed, much of their detailed explanation of the SwapGS vulnerability went over my head. I'll try to lay it out in layman's terms.

The SwapGS command in effect swaps a pointer from no-worries user-mode memory so it instead points to super-secure kernel memory. That's fine when it works as designed, but a trick involving speculative execution can force it to happen when it shouldn't. And these two researchers found a clear way to make it happen. They also detailed the dead ends and alternate attempts along the way.

After identifying the possibility to force access to kernel-mode memory, they searched the Windows OS for instances of code that could be vulnerable, and found 38. "Of course, you only need one," said Andrei Lutas. "And since these instances involve exception handlers, an attacker can force execution just by triggering an exception."

Recommended by Our Editors

Wikipedia Editors Could Strike Following Layoffs
Wikipedia Editors Could Strike Following Layoffs
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets

Not All Bad News

There is some good news. The full-on attack to obtain specific secrets from kernel memory would take hours, according to their calculations. And even with complete success, only about a third of kernel memory can possibly be compromised.

Bitdefender has worked with Intel for more than a year on public disclosure of SwapGS. It's possible that an attacker with knowledge of the vulnerability could have exploited it to steal confidential information. On the bright side, Microsoft has issued a patch for Windows, and the researchers couldn't find a way to turn the attack on Linux.

Are you and your own devices in danger from SwapGS? We don't know for sure yet. Bitdefender's team believes at present that, unlike Spectre, this flaw does not affect Apple devices, but they're waiting on confirmation from Cupertino. They also expect that any use of the flaw would be "extremely targeted attacks against a narrow set of threat actors." This suggests that unless you're a CEO, head of state, or some other prominent target, you're probably safe.

In addition, if you keep your Windows installation fully patched, you should have nothing to worry about. Businesses and enterprises that, for their own reasons, delay patching have another alternative in Bitdefender's esoteric Hypervisor Introspection tool, which can effectively patch the operating system on the fly.

If you're one of those rare individuals with a deep understanding of how modern CPUs work, you can check out the details of the detailed SwapGS whitepaper released today by Bitdefender.

About Our Expert

Neil J. Rubenking

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio