The researchers proved that a significant decrease in voltage (for example, -232 mV for the Core i3-7100U processor or -195 mV for the Core i7-8650U) at the right moment causes SGX to malfunction and leads to data corruption. Where data is corrupted, an opportunity opens up to gain access to data that is otherwise inaccessible. As an example, the experts demonstrated the extraction of encryption keys used with the RSA and AES algorithms.
As is usually the case with attacks of this type, it is not easy to select the correct voltage and the right moment for changing the parameters. In addition, although a real attack of this kind can be performed remotely (which is uncharacteristic of hardware vulnerabilities), it requires full access to the operating system. Without that access, the processor's parameters cannot be reached. Closing the vulnerability in this case means updating the microcode, which still has to reach real devices in the form of a BIOS update (all consumer Intel Core processors starting with the sixth generation are affected, as well as some Xeon models).
Kaspersky Lab has published a full report on cyber threats for 2019 (available after registration; a brief overview is in this news item). Of particular interest in the report is a list of vulnerabilities that are actually used in malware. Unlike theoretical vulnerabilities, these pose a particular threat and require immediate software updates. For the most widely exploited bugs, however, updates have been available for more than a year. At the top of the list are two vulnerabilities in the Microsoft Office Equation Editor, CVE-2017-11882 and CVE-2018-0802. The five most commonly used bugs generally relate to Microsoft Office. An example of a fresh vulnerability is the CVE-2019-0797 bug discovered in March, which at that time was already being exploited in malicious attacks.
What else happened:
Critical vulnerabilities were discovered in two WordPress add-ons: Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor. For exploitation, an attacker only needs to know the email address of the site administrator.
Another zero-day vulnerability in Windows (from 7 to 10, and in Windows Server from 2008) was closed by the December patch. The bug was found in the win32k.sys system library, which also contained the previously mentioned vulnerability CVE-2019-0797.
In the new version of Google Chrome, 79, two critical vulnerabilities were closed, and at the same time a new built-in warning about the use of compromised login-password pairs appeared. This option was previously available as an extension.
14 critical vulnerabilities were closed in Adobe Reader and Adobe Acrobat, plus two vulnerabilities that lead to the execution of arbitrary code in Adobe Photoshop.
Firefox add-on developers are now required to use two-factor authentication. In this way, Mozilla is trying to reduce the risk of supply-chain attacks: in this case, we have in mind a scenario where malicious code is inserted into a legitimate extension after the developer's computer is hacked.