In mid-August, Intel Corporation announced a first round of patches to
counter Foreshadow/Foreshadow-NG, a weakness in chip design that could allow an
attacker to access encrypted data being held in an isolated area of the chip
meant to keep sensitive information out of the reach of other software,
including malware. With Foreshadow, the data in a supposedly secure enclave
could, in theory, be copied elsewhere and then accessed. Foreshadow-NG might also
be used to read information stored in other virtual machines running on the
same third-party cloud, presenting a risk to cloud infrastructure.

"There's no evidence that anyone has actually exploited this design
flaw," says James D'Arezzo, CEO, Condusiv Technologies, "and Intel,
Microsoft, and other vendors are rapidly developing security patches."
D'Arezzo, whose company is a world leader in I/O reduction and SQL database performance, adds, "However, many of
these security patches can significantly degrade system speed and
performance."

Problems with microcode security patches emerged early in the year, when the
computer industry began reacting to a pair of chip design weaknesses called
Meltdown and Spectre. By late January, according to Spiceworks, a professional
network for people in the IT industry, 70% of businesses surveyed had begun
patching against the flaws. Of those, 38% reported experiencing problems with
the fixes, including performance degradation and computers crashing. The study
also found that of the 29% of large companies that expected to spend more than 80
hours addressing the issue, 18% expected to spend more than $50,000 to fix
it.

Then came Foreshadow, which, according to security researchers, could affect
all Intel hardware released after 2015. Researchers also note that users will
most likely not be able to detect if they have been affected by the new
attack, as Foreshadow does not leave traces. Intel has already released a patch
that it says will stop the issue, and says that future processors will be
tweaked in order not to be affected by Foreshadow.

Per D'Arezzo, this is simply part of doing business in today's computer
industry. Vulnerabilities and flaws are inevitable. They will keep emerging,
companies like Microsoft and Intel will continue to generate patches for them,
and users will continue to struggle with poor performance.

An invaluable tool for these users is input/output (I/O) reduction software,
which works steadily in the background, optimizing the flow of data in and out
while situations change around it. Condusiv is the world leader in this area,
and users of its software solutions can more than double the I/O capability of
storage and servers, including SQL servers, in their current configurations.